search

lukaspustina / wpscan-analyze

Analyzes wpscan json output and checks for vulnerabilities
MIT License
21 stars 3 forks source link

Fixing install script #11

Closed tristanlatr closed 4 years ago

tristanlatr commented 4 years ago

Using sh -c "$(curl -sSL https://raw.githubusercontent.com/lukaspustina/wpscan-analyze/master/install.sh)" to call install script to avoid sh syntax error and trouble with read command

tristanlatr commented 4 years ago

There is some weird errors on the install script with Rasbian... sh: 30: read: arg count

tristanlatr commented 4 years ago

Hello,

I think the script is now stable on most unix systems.

You can try this version with sh -c "$(curl -sSL https://raw.githubusercontent.com/lukaspustina/wpscan-analyze/41b8647ee8cccd4e24a3b3b51aa35b960098e974/install.sh)"

tristanlatr commented 4 years ago

Now it's sh -c "$(curl -sSL https://raw.githubusercontent.com/lukaspustina/wpscan-analyze/fb8bff45d9dce67829c9cccd4f56511d4fc958f8/install.sh)"

tristanlatr commented 4 years ago

Hi, @lukaspustina The install script is currently not working. Could you review and merge this pr ?

lukaspustina commented 4 years ago

I'm not sure about the contracts of the install script, but if try to re-run the script, I get this: 

[lukas] /tmp →  sh ./install.sh
[INFO] wpscan-analyze install script for MacOS and Linux
[INFO] wpscan-analyze in already installed: /Users/lukas/.cargo/bin/wpscan-analyze (wpscan-analyze 1.0.4)
[INFO] The script will remove this installation
[ERROR] You already have the latest wpscan-analyze version. If you're looking for the dev version please install it manually.

This seems odd, as the script says it's going to remove the current installation, but then bails.

lukaspustina commented 4 years ago

I've just run shellcheck on the script and it points out some valid point: 

[11:15:44 vagrant@bionic64-vagrant-vm] ~  →  shellcheck -s dash install.sh

In install.sh line 22:
raw_version=`curl --silent "https://api.github.com/repos/lukaspustina/wpscan-analyze/releases/latest" | grep tag_name | sed -E 's/.*"v(.*)",/\1/'`
            ^-- SC2006: Use $(..) instead of legacy `..`.

In install.sh line 28:
    old_install=`which wpscan-analyze`
                ^-- SC2006: Use $(..) instead of legacy `..`.

In install.sh line 29:
    old_install_version=`wpscan-analyze --version`
                        ^-- SC2006: Use $(..) instead of legacy `..`.

In install.sh line 52:
    git checkout --quiet ${version}
                         ^-- SC2086: Double quote to prevent globbing and word splitting.

In install.sh line 59:
            source $HOME/.cargo/env
            ^-- SC1090: Can't follow non-constant source. Use a directive to specify location.
            ^-- SC2169: In dash, 'source' in place of '.' is not supported.
                   ^-- SC2086: Double quote to prevent globbing and word splitting.

In install.sh line 135:
        chmod +x ${binary_file}
                 ^-- SC2086: Double quote to prevent globbing and word splitting.

Can you please address these.

lukaspustina commented 4 years ago

Last thing: Could you reduce the questions "Change default path" and "Where" to just one question: Set installation path [default: /usr/local/bin]

tristanlatr commented 4 years ago

It steel doesn't work for me the curl -s | bash

Even cat install | bash doesn't work. It's like it says yes for me and build from source on my Mac... Does it work for you? It's not working on a Google cloud shell neither at https://ssh.cloud.google.com/cloudshell But the other format with sh -c "$()" works.

The issue seem to be about reading input from user. It seems that doing curl -s | bash will open a non-interactive shell and that's an issue to read user input.

https://stackoverflow.com/questions/911168/how-to-detect-if-my-shell-script-is-running-through-a-pipe

https://www.tldp.org/LDP/abs/html/intandnonint.html

I see a solution that would be to check wether it's a interactive shell, and if not, re-launch the install script in interactive mode

tristanlatr commented 4 years ago

I see a solution that would be to check wether it's a interactive shell, and if not, re-launch the install script in interactive mode

Not even sure... I've tried the following but not worked

# Test for a terminal!
#  As we recall, the -t test option checks whether the stdin, [ -t 0 ],
#+ or stdout, [ -t 1 ], in a given script is running in a terminal.
if [ -t 0 ] # stdin
then
  echo "Installing..."
else
    echo "Launching..."
    sh -c "$(curl -sSL https://raw.githubusercontent.com/tristanlatr/wpscan-analyze/patch-1/install.sh)"
    exit 0
fi

## REST of the install script
tristanlatr commented 4 years ago

Hello,

About this install script, do you still want changes to the script ? I'm not sure i can make it work with curl | sh...

Right now the script on master doesn't work...

lukaspustina commented 4 years ago

If you don't feel like driving the script forward, I'll probably remove it, because as you say, it doesn't work right now.

tristanlatr commented 4 years ago

Well...

I think this script help greatly the install process, that would be too bad to give up. Let me try to make it work once last time with curl | sh.

I'll report back

tristanlatr commented 4 years ago

Should work now !