search

zellij-org / zellij-org.github.io

The website for zellij
25 stars 57 forks source link

Recommended installation method is vulnerable to man in the middle attack #182

Open bddap opened 1 year ago

bddap commented 1 year ago

On https://zellij.dev there is instructions to "Try Zellij Without Installing"

This is the script:

bash <(curl -L zellij.dev/launch)

curl uses http by default so the initial request will not be protected. Since the -L flag is provided, curl eventually follows the redirect to the https version.

Its pretty easy in certain situations to intercept the initial http request and provide a potentially malicious script.

Users should use https instead:

bash <(curl -L https://zellij.dev/launch)

When using https, the -L flag is no longer needed:

bash <(curl https://zellij.dev/launch)

This applies to the bash and fish instructions in this repo, as well as the instructions in the main zellij repo

sh1boot commented 6 months ago

Harden curl against this with this in ~/.curlrc:

--proto-default https

One should probably also add something to the effect of:

--hsts $HOME/.cache/curl/hsts.txt