Post History
#1: Initial revision
Is it a bad idea to pipe a script from curl to your shell?
Online, I often see someone tell people to run a command like `/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"` (example from https://brew.sh/). The general pattern is that you download some shell script from an online location and send it straight to your shell. Isn't this a bad idea? Why do so many developers put it in their instructions? I thought that perhaps the command is not meant literally, but you're supposed to read the more succinct command and compose your own alternative approach. But this seems more common with projects that try to be "user-friendly", ones where you'd suspect their audience is neither aware of the implications of doing this, nor able to analyze what the command does, nor able to construct an alternative approach.
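
One way to compose the "alternative approach" the question mentions, as an added example that is not part of the original post: save the script to a file, read it, and run it only if its SHA-256 still matches the digest you pinned. The function names, the example URL and the digest placeholder are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: download-then-verify alternative to `bash -c "$(curl ...)"`.
# Function names and the pinned-digest workflow are assumptions for illustration.

# Print the SHA-256 hex digest of a file (Linux: sha256sum, macOS: shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Download a script to a file instead of handing it to a shell.
# -f makes curl fail on HTTP errors, so an error page is never saved as the script.
fetch_script() {
    local url="$1" dest="$2"
    curl -fsSL --proto '=https' --tlsv1.2 -o "$dest" "$url"
}

# Run the script only if its digest matches the value you pinned
# after reading it (or that the publisher announced out of band).
run_if_pinned() {
    local file="$1" expected="$2" actual
    shift 2
    actual=$(sha256_of "$file") || return 2
    if [ "$actual" != "$expected" ]; then
        echo "refusing to run $file: sha256 $actual != pinned $expected" >&2
        return 1
    fi
    bash "$file" "$@"
}

# Typical use (URL and digest are placeholders):
#   fetch_script "https://example.org/install.sh" ./install.sh
#   less ./install.sh                      # read what it does
#   sha256_of ./install.sh                 # record this as the pin
#   run_if_pinned ./install.sh "<PINNED_SHA256>"
```

The pin only helps if it comes from your own review or from a channel separate from the download itself; a digest fetched from the same server as the script changes along with it.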