https://github.com/zimbatm/curlsh
WIP: better than `curl <url> | sh`
https://github.com/zimbatm/curlsh
Last synced: about 1 year ago
JSON representation
WIP: better than `curl <url> | sh`
- Host: GitHub
- URL: https://github.com/zimbatm/curlsh
- Owner: zimbatm
- Created: 2018-09-15T19:08:01.000Z (almost 8 years ago)
- Default Branch: master
- Last Pushed: 2018-09-15T23:31:43.000Z (almost 8 years ago)
- Last Synced: 2025-02-07T15:16:10.225Z (over 1 year ago)
- Language: Go
- Homepage:
- Size: 3.91 KB
- Stars: 0
- Watchers: 3
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
Awesome Lists containing this project
README
# curlsh - better than `curl | sh`
There is a common installation method that is quite controversial. Run
`curl https://url | sh`.
This installation method is dangerous and insecure.
This installation method is not going away.
This project's aim is to make things a bit better.
## Usage
```
Usage of ./curlsh:
-hash value
SRI hash
-pager string
select pager (CURLSH_PAGER, PAGER) (default "less -R")
-sudo
run the script with sudo
-trusted
whenver the script is trusted
-url value
URL to fetch
```
## Example
```
$ ./curlsh -url https://zimbatm.github.io/curlsh/sri_test.js \
-hash "sha256-ySadHRVML1LfcwlPIxXx4CQpk64arq0Yv32cBpu9CFQ="
```
## Features
### No timing attachs
Because the script is fully fetched before being executed.
TODO: add reference
### Secure by default
Nudges the user towards the right things: read the script and check the hashes
## ChangeLog
* [CHANGELOG](CHANGELOG.md)
## Research