zellij-org / zellij

A terminal workspace with batteries included
https://zellij.dev
MIT License
20.14k stars 628 forks

Recommended installation method is vulnerable to man in the middle attack #2237

Open bddap opened 1 year ago

bddap commented 1 year ago

see https://github.com/zellij-org/zellij-org.github.io/issues/182

sh1boot commented 5 months ago

I was inspired to write up something about how curl isn't automatically safe.

It's too endemic to fix, but users can take a few steps to help protect themselves from accidentally pasting a bad command into their terminal.

bddap commented 5 months ago

It's cool that we can search GitHub to find all those instances. I wonder how hard it would be to write a bot that submits PRs fixing those vulnerable parts.

sh1boot commented 5 months ago

That's just the results which don't specify any scheme. I tried to do a separate search for http:// and found another 5k results, but that's more noisy (many results might have good reasons for their choice).

I didn't search for wget, but I noticed wget uses HSTS by default so I guess that's a better starting point, and it'd only be worth searching with a filter to exclude preloaded sites.

I guess the thing to do, and I don't really know how, would be to filter out all the URLs and see how many of them do respond with the proper redirect and the same data on https. If they don't behave the same then the PR would just break stuff.

I think I would want to check in with GitHub staff before trying to create 16000 pull requests.
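The check sketched above (does the http:// URL redirect to its https:// twin, and do both schemes serve the same bytes?) as an added Python example; it is not code from this thread or from the zellij project. The function names, the verdict strings and the `.example` hostnames are invented, and the `fake_fetch` table stands in for the network so the check runs offline; for a live survey a real one-request fetcher that does not follow redirects would be passed in instead.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urlsplit, urlunsplit

@dataclass
class Response:
    status: int
    body: bytes = b""
    location: Optional[str] = None  # Location header of a redirect, if any

# One HTTP request, redirects NOT followed (plug in urllib/requests for live use).
Fetcher = Callable[[str], Response]

def with_scheme(url: str, scheme: str) -> str:
    """Force a scheme onto a URL that may be scheme-less, e.g. 'example.com/install.sh'."""
    parts = urlsplit(url if "://" in url else "//" + url)
    return urlunsplit((scheme, parts.netloc, parts.path, parts.query, ""))

def classify(url: str, fetch: Fetcher) -> str:
    """Is rewriting `url` to https:// in a `curl ... | sh` line a behaviour-preserving change?"""
    http_url, https_url = with_scheme(url, "http"), with_scheme(url, "https")
    try:
        secure, plain = fetch(https_url), fetch(http_url)
    except OSError:
        return "unreachable"            # a request failed outright (no TLS listener, DNS, ...)
    if secure.status != 200:
        return "https-unavailable"      # the rewrite would break the install
    if plain.status in (301, 302, 307, 308):  # server already pushes clients to TLS
        return "safe-redirect" if plain.location == https_url else "redirects-elsewhere"
    same = hashlib.sha256(plain.body).digest() == hashlib.sha256(secure.body).digest()
    return "same-content" if plain.status == 200 and same else "content-differs"

# Constructed sample "internet" (hostnames invented) so the check runs offline.
FAKE_SITES = {
    "http://good.example/install.sh":  Response(301, location="https://good.example/install.sh"),
    "https://good.example/install.sh": Response(200, b"#!/bin/sh\necho installed\n"),
    "http://legacy.example/get.sh":    Response(200, b"#!/bin/sh\necho v1\n"),
    "https://legacy.example/get.sh":   Response(200, b"#!/bin/sh\necho v1\n"),
    "http://mirror.example/get.sh":    Response(200, b"#!/bin/sh\necho v1\n"),
    "https://mirror.example/get.sh":   Response(200, b"#!/bin/sh\necho v2\n"),
    "http://cdn.example/x.sh":         Response(302, location="https://elsewhere.example/x.sh"),
    "https://cdn.example/x.sh":        Response(200, b"x"),
    "http://plain.example/x.sh":       Response(200, b"x"),  # no https listener at all
}

def fake_fetch(url: str) -> Response:
    if url not in FAKE_SITES:
        raise OSError(f"no route to {url}")
    return FAKE_SITES[url]
```

Only `safe-redirect` and `same-content` are candidates for an automated PR; the other verdicts are exactly the cases where a bulk rewrite would break or silently change an install.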