[CRITICAL] curl | bash install script -- supply chain attack surface #20

Open
opened 2026-05-11 10:52:01 +00:00 by thabeta · 1 comment
Owner

Problem

The README promotes curl -fsSL https://forge.ourworld.tf/.../install.sh | bash as the primary installation method.

  1. The -s flag suppresses errors, -f makes curl fail silently on HTTP errors
  2. If the Forgejo instance is compromised or a MitM attack occurs, this is instant code execution
  3. No checksum verification of downloaded binaries
  4. The script uses pkill -f "my_init_server" which uses fuzzy matching and could kill unrelated processes

Impact

Supply chain attack vector. An attacker who can intercept or modify the download gains arbitrary code execution on the target machine.

Files

  • scripts/install.sh
  • README.md -- installation section

Suggested Fix

  • Require manual download + checksum verification
  • Publish SHA256 checksums alongside binaries
  • Use pkill -x or PID files instead of fuzzy pkill -f
  • Consider a proper package (deb, rpm, homebrew tap)
Member

Classification: valid-bug — curl | bash install pattern creates supply chain attack vector; pkill -f fuzzy matching risks killing unrelated processes.

The README's primary installation method (curl -fsSL https://...install.sh | bash) provides no way to verify binary integrity. If the Forgejo instance is compromised or a MitM attack occurs, this is instant code execution. Additionally, the install.sh script uses pkill -f "my_init_server" for fuzzy matching, which can kill processes with unrelated names containing that substring. Validated against scripts/install.sh.

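Added example illustrating the suggested fix in the issue and the Member's validation note above; this is not code from the issue, the README or the my_init project's `scripts/install.sh`. It shows the three replacements the thread asks for: download to a file instead of piping into `bash`, verify the artifact against a separately published SHA-256 list, and stop the old daemon via a PID file (with the executable name checked) rather than `pkill -f`. The release URL, the `SHA256SUMS` file name and the `.pid` path are assumptions; the demo functions at the bottom run against a constructed temporary directory so the script works offline.

```shell
#!/bin/sh
# Hardened install steps (added example, not the project's install.sh):
#   1. download to a file; never pipe the stream into a shell
#   2. verify the file against a checksum obtained through a separate channel
#   3. stop the old daemon by its recorded PID, not by a pkill -f substring match
set -eu

# Download one artifact to a file. The URL is a placeholder and this function
# is not exercised offline. --proto '=https' refuses any downgrade to plain
# http; --fail turns HTTP errors into a non-zero exit instead of silently
# saving an error page as the "binary".
fetch_artifact() {
  url=$1; dest=$2
  curl --proto '=https' --tlsv1.2 --fail --silent --show-error --location \
       --output "$dest" "$url"
}

# Print the SHA-256 of a file as lowercase hex (coreutils, BSD fallback).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Compare a file against the entry for its basename in a checksums file of
# "<hex>  <name>" lines (assumed name: SHA256SUMS). 0 only on an exact match.
verify_checksum() {
  file=$1; sums=$2
  name=$(basename "$file")
  expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$sums")
  [ -n "$expected" ] || { echo "no checksum published for $name" >&2; return 1; }
  actual=$(sha256_of "$file")
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $name: expected $expected got $actual" >&2
    return 1
  fi
}

# Stop a daemon using its PID file. The PID must be numeric, alive and still
# running the expected executable name, so a stale file cannot terminate an
# unrelated process that later reused the PID. This replaces pkill -f, which
# matches any command line containing the substring.
stop_by_pidfile() {
  pidfile=$1; expected_comm=$2
  [ -f "$pidfile" ] || { echo "no pid file at $pidfile" >&2; return 1; }
  pid=$(cat "$pidfile")
  case $pid in ''|*[!0-9]*) echo "bad pid '$pid' in $pidfile" >&2; return 1;; esac
  kill -0 "$pid" 2>/dev/null || { rm -f "$pidfile"; return 1; }   # stale file
  if [ -r "/proc/$pid/comm" ]; then
    actual_comm=$(cat "/proc/$pid/comm")
  else
    actual_comm=$(ps -o comm= -p "$pid" 2>/dev/null || true)
  fi
  if [ "$actual_comm" != "$expected_comm" ]; then
    echo "pid $pid is '$actual_comm', not '$expected_comm'; refusing" >&2
    return 1
  fi
  kill -TERM "$pid"
  rm -f "$pidfile"
}

# Demo: constructed release directory standing in for a real download.
demo_verify() {
  dir=$(mktemp -d)
  printf 'fake binary v1\n' > "$dir/my_init_server"
  printf '%s  my_init_server\n' "$(sha256_of "$dir/my_init_server")" > "$dir/SHA256SUMS"
  verify_checksum "$dir/my_init_server" "$dir/SHA256SUMS" && echo "intact binary: ok"
  printf 'tampered\n' >> "$dir/my_init_server"
  if verify_checksum "$dir/my_init_server" "$dir/SHA256SUMS" 2>/dev/null; then
    echo "BUG: tampered binary passed"; rm -rf "$dir"; return 1
  fi
  echo "tampered binary: rejected"
  rm -rf "$dir"
}

# Demo: a background sleep stands in for the running daemon.
demo_stop() {
  dir=$(mktemp -d)
  sleep 30 & echo $! > "$dir/my_init_server.pid"
  stop_by_pidfile "$dir/my_init_server.pid" sleep && echo "stopped daemon by pid file"
  rm -rf "$dir"
}

demo_verify
demo_stop
```

In a real install the `SHA256SUMS` file would be fetched (or, better, copied from the release page over a second channel) separately from the binary, so that an attacker who can replace one download has to replace both, and a signature over the checksum list closes that remaining gap.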
Reference
geomind_code/my_init#20