This is true of anything that ever renders to your terminal. I'm not sure this class of issue is worth worrying about, generally. Sure, these are neat and scary examples. Have you seen some of the recent GPU driver ACEs? Better not render any graphics!
A generalization of this is "receiving information from third parties can lead to security issues" which is of course true. Untrusted inputs are always untrusted.
Piping curl into bash is one thing, but this is on the level of "are you sure you want to open this file downloaded off the internet?" prompts of yore -- it's not productive.
Completely agree, but also I remember that 'piping curl into bash' was always one of the biggest no-no's. I held onto this for so long, but then realized every time I run 'npm i' arbitrary commands can also run, and now it seems wild that I ever cared about curl | bash on websites that I trust.
Coming from a Windows world, I've never worried about the `curl | bash` thing. If I would trust an opaque Windows executable from a site, why would I not trust an equally opaque `curl | bash`?
I've even seen people concerned about installing Homebrew that way. It is probably one of the most confusing concerns regarding `curl | bash` given that it's a package manager designed to run arbitrary Ruby code and is often pulling down precompiled applications.
Windows executables can be signed, and Homebrew formulae are theoretically reviewed and check a hash when they download binaries. With curl | bash, maybe the download fails partway through, or a hacker has replaced the executable on the server or the URL in the copy/paste instructions with a homograph spoof, or the site serves malware when it detects a curl agent.
Part of the reason is that your connection could be interrupted … and then now what? Hope you like sifting through the script’s entirety and manually checking how much it’s done so far.
No, that's exactly how it works. Why would you write such a thing when you're clearly just guessing?
A shell script is interpreted one line at a time.
Very simple proof:
$ while true; do printf 'date\n' && sleep 5; done | sh
Mon 16 May 2022 07:19:21 AM CEST
Mon 16 May 2022 07:19:26 AM CEST
Mon 16 May 2022 07:19:31 AM CEST
In either case, if the network connection is interrupted, the download is finished. How would sh know it's not the whole script as the author intended it? Remember that in a pipeline the receiving end only sees the pipe, and won't know about the exit status of the process upstream (which may for all we know be zero anyway).
Unironically a good idea. Graphics have always been a mistake - most engineers would agree that if we stuck with very basic output, our software would be in a much better place than today (and more usable, too!)
Once you become an engineer you can't unsee it very easily; your user vision is now tainted by a higher understanding of problems, rather than feeling frustrated at {FOO = FAIL} bugs and submitting a complaint comment.
It may be worth evaluating why we need to explore this space through computing in the first place? Pen and paper have never failed us before, nor has actually traveling to the space in question.
generally speaking, computers are faster at performing calculations than humans. this can be beneficial for humans, as if they are able to convert a problem (for example, mapping the densities of functions over a 2D space) into a purely mathematical one, humans are able to save significant time and effort.
i both agree and disagree with this. on one hand, it’s true that having everything run in CLI mode would probably make programs truly cross platform. for example, recently I had to use namebenchmark to find the best DNS for my needs. on the M1 mac, the program cannot be run since it’s 32 bit. but I managed to simply run it in a terminal instead by calling its python script (used version 2.7). now I get to run this app on any platform since python is also cross platform. but the GUI version would not be easily ported to linux, windows, etc.
on the other hand, most users are not like me. they want something they can interact with using a mouse, and they often use the keyboard only to enter words, not commands or shortcuts. so GUI definitely has a place in today’s world.