
Ask HN: What is the risk of output from a url getting run on a console? - etewiah
I ask this because this url http://mongohouse.com/ returns "sudo rm -rf / > /dev/null 2>&1" but is that just a joke or is there really a risk that it could get run?
======
kevsim
Quite a number of tools ask you to do something like:

curl https://someurl.sh | /bin/bash

To install them easily so I guess someone could be tricked into doing that
with this URL. Be sure to check those things in browser first before giving
them free rein on your system!

~~~
Nextgrid
Note that even checking the URL first doesn't help as there is a way to detect
whether the output is being piped into Bash:
[https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-bash-server-side/](https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-bash-server-side/)

The proper way to tell is to _save_ the output to a file, analyze it, and then
run _that file_ with Bash. However, I would recommend against running these
for other reasons and instead prefer using the distribution's packages or the
manual installation instructions which you can understand and tweak to better
fit your system.

~~~
etewiah
Wow, that's frightening... Surely you will get prompted for a sudo password
first though right?

~~~
Nextgrid
The malicious code would run as your current user and would be able to
override your shell’s configuration to alias sudo to a malicious function
that’ll exfiltrate the password the next time you run it. The script itself
doesn’t even have to use sudo itself and can just wait until you use it for an
unrelated command at which point the malicious alias will steal your password.
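
A defensive check for the tampering described in the comment above, as an added example that is not part of the thread: a heuristic scan of shell startup files for an alias or function named `sudo`. The function names, regexes and sample rc contents are constructed for illustration, and a clean result only means these two patterns were not found.

```shell
#!/usr/bin/env bash
# Added example: flag shell startup files that redefine `sudo`.
# Heuristic only: it ignores lines whose code is preceded by a '#'.

# `alias sudo=...`, also as a later item in a multi-alias line.
ALIAS_RE='^([^#]*[;&|[:space:]])?alias[[:space:]]+([^#]*[[:space:]])?sudo='
# `sudo() {...}` or `function sudo {...}`.
FUNC_RE='^([^#]*[;&|[:space:]])?(function[[:space:]]+sudo([[:space:]]|[({]|$)|sudo[[:space:]]*[(][[:space:]]*[)])'

# Print file:line:text for every suspicious definition.
# Returns 0 if at least one was found, 1 if none were.
find_sudo_overrides() {
    local found=1 f
    for f in "$@"; do
        [ -r "$f" ] || continue
        if grep -HnE -e "$ALIAS_RE" -e "$FUNC_RE" -- "$f"; then
            found=0
        fi
    done
    return "$found"
}

# Write two constructed rc files into directory $1 (sample data, not real).
make_sample_rc() {
    cat > "$1/tampered_rc" <<'EOF'
export EDITOR=vim
# alias sudo='echo commented out'
alias ll='ls -l'
alias sudo='$HOME/.cache/.helper'
sudo() { "$HOME/.cache/.helper" "$@"; }
EOF
    cat > "$1/clean_rc" <<'EOF'
alias please='sudo '
alias ll='ls -l'
# sudo() { :; }
sudo -n true 2>/dev/null
EOF
}

# Demo on the constructed files: run the script with --demo.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_rc "$tmp"
    find_sudo_overrides "$tmp/tampered_rc" "$tmp/clean_rc" || echo "no overrides"
    rm -rf "$tmp"
fi
```

To check a real account, pass its startup files, for example `find_sudo_overrides ~/.bashrc ~/.profile ~/.zshrc`, and compare with what `type sudo` reports in a fresh shell.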

