
Commit 2a4cf91

authored
fix(install): make checksum verification mandatory and validate redirect origin (#724)
1 parent fa3f798 commit 2a4cf91


1 file changed

+26
-15
lines changed

1 file changed

+26
-15
lines changed

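--- a/install.sh
+++ b/install.sh
@@ -92,9 +92,9 @@ download() {
 _output="$2"
 
 if has_cmd curl; then
-curl -fLsS --retry 3 -o "$_output" "$_url"
+curl -fLsS --retry 3 --max-redirs 5 -o "$_output" "$_url"
 elif has_cmd wget; then
-wget -q --tries=3 -O "$_output" "$_url"
+wget -q --tries=3 --max-redirect=5 -O "$_output" "$_url"
 fi
 }
 
@@ -161,6 +161,18 @@ resolve_version() {
 _latest_url="${GITHUB_URL}/releases/latest"
 _resolved="$(resolve_redirect "$_latest_url")" || error "failed to resolve latest release from ${_latest_url}"
 
+# Validate that the redirect stayed on the expected GitHub origin.
+# A MITM or DNS hijack could redirect to an attacker-controlled domain,
+# which would also serve a matching checksums file (making checksum
+# verification useless). See: https://github.com/NVIDIA/OpenShell/issues/638
+case "$_resolved" in
+https://github.com/${REPO}/releases/*)
+;;
+*)
+error "unexpected redirect target: ${_resolved} (expected https://github.com/${REPO}/releases/...)"
+;;
+esac
+
 # Extract the tag from the resolved URL: .../releases/tag/v0.0.4 -> v0.0.4
 _version="${_resolved##*/}"
 
@@ -180,20 +192,20 @@ verify_checksum() {
 _vc_checksums="$2"
 _vc_filename="$3"
 
-_vc_expected="$(grep "$_vc_filename" "$_vc_checksums" | awk '{print $1}')"
+if ! has_cmd shasum && ! has_cmd sha256sum; then
+error "neither 'shasum' nor 'sha256sum' found; cannot verify download integrity"
+fi
+
+_vc_expected="$(grep -F "$_vc_filename" "$_vc_checksums" | awk '{print $1}')"
 
 if [ -z "$_vc_expected" ]; then
-warn "no checksum found for $_vc_filename, skipping verification"
-return 0
+error "no checksum entry found for $_vc_filename in checksums file"
 fi
 
 if has_cmd shasum; then
 echo "$_vc_expected $_vc_archive" | shasum -a 256 -c --quiet 2>/dev/null
 elif has_cmd sha256sum; then
 echo "$_vc_expected $_vc_archive" | sha256sum -c --quiet 2>/dev/null
-else
-warn "sha256sum/shasum not found, skipping checksum verification"
-return 0
 fi
 }
 
@@ -254,14 +266,13 @@ main() {
 error "failed to download ${_download_url}"
 fi
 
-# Verify checksum
+# Verify checksum (mandatory — never skip)
 info "verifying checksum..."
-if download "$_checksums_url" "${_tmpdir}/checksums.txt"; then
-if ! verify_checksum "${_tmpdir}/${_filename}" "${_tmpdir}/checksums.txt" "$_filename"; then
-error "checksum verification failed for ${_filename}"
-fi
-else
-warn "could not download checksums file, skipping verification"
+if ! download "$_checksums_url" "${_tmpdir}/checksums.txt"; then
+error "failed to download checksums file from ${_checksums_url}"
+fi
+if ! verify_checksum "${_tmpdir}/${_filename}" "${_tmpdir}/checksums.txt" "$_filename"; then
+error "checksum verification failed for ${_filename}"
 fi
 
 # Extract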
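Review bot: The new `grep -F "$_vc_filename" "$_vc_checksums"` line in verify_checksum still matches the filename as an unanchored substring, so a checksums file that also lists a longer name containing the target (a `.sig` or `.sha256` companion, say) yields a multi-line `_vc_expected`, and the `echo "$_vc_expected $_vc_archive"` below then hands shasum/sha256sum a malformed first entry with only the last hash paired to the archive name. Matching the filename column exactly avoids both the ambiguity and the silent failure: `_vc_expected="$(awk -v f="$_vc_filename" '$2 == f || $2 == "*" f { print $1; exit }' "$_vc_checksums")"`. verify_checksum's header and the `_vc_archive` assignment it relies on sit above this hunk, so I am inferring that `_vc_archive` is `$1`. Separately, the download hunk caps the redirect count but still lets curl/wget follow a redirect to plain http; adding `--proto '=https' --proto-redir '=https'` to the curl invocation and `--https-only` to wget would keep the archive and checksums fetches on TLS, complementing the origin check added in resolve_version.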
