12

Whenever I have to execute a shell script from the web (curl -s [url] | sh), I first open url in my web browser to make sure the script isn't malicious and is safe to run.

I remember seeing a command line trick that made it possible to read the script from the command line and then confirm execution after reading the script. If I recall correctly, it looked something like curl -s [url] | something...here | sh and didn't require any software install.

Does anyone know this trick?

6 Answers

5

There is a utility in moreutils called vipe that shows stdin in an editor, where you can review and modify the file before it gets passed on to stdout.

If you don't want to install moreutils, you can accomplish something similar like so:

file=$(mktemp); curl -s "$url" > "$file"; $EDITOR "$file"; sh "$file"; rm "$file"

mktemp is in coreutils and is very likely already installed on your system.

Shawn J. Goff
  • 46,081
2

It's hard to imagine why you would even want to do this, let alone where you would find a source (or sources) of scripts to download and run like this frequently enough that it needs a special-purpose tool.

Why not just download the script with curl (or wget or snarf or whatever), examine and edit it (it's a rare script that won't need some customisation for your particular system) and then run it - either by making it executable with chmod or with sh scriptname?

cas
  • 78,579
  • I don't want a special-purpose tool. I remember there was an easy way to do this with standard tools. – Olivier Lalonde Aug 25 '12 at 01:18
  • 2
    It wouldn't be hard to write a small shell script (probably only 5 or so lines) to download a script, present it for viewing with less or something, and then ask you if you wanted to run it. I can't see that that would be any better than just downloading the script, viewing it, and then running it if it seemed OK. IMO it would be worse, it wouldn't offer any advantage but would remove the flexibility you get from just working in your shell. – cas Aug 25 '12 at 01:22
2

I can't think of a single utility that would do what you describe, but it's easy enough to make that a shell snippet.

script=$(curl -s "$url")
printf "%s\nDo you want to run this script? [yN]" "$script"
read line
case $line in
  [Yy]|[Yy][Ee][Ss]) sh -c "$script";;
esac

This assumes the script is a text file. Null bytes are not supported: depending on the shell, they may be removed, or they may cause a line or the whole file to be truncated. Also all newlines at the end of the file are removed (the heredoc construct adds one back). This is not normally a problem for a script, but it could be, for example, if the script ends with an archive in binary format which it extracts. This is not a very reliable way of distributing a file as there is a significant risk of such a binary script being misencoded at some point. Nonetheless, you can handle it by writing the script to a temporary file.

script_file=$(mktemp)
curl -s "$url" | tee "$script_file"
printf "Do you want to run this script? [yN]"
read line
case $line in
  [Yy]|[Yy][Ee][Ss]) sh "$script_file";;
esac
rm "$script_file"
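
Added example, not part of any answer on this page: the temporary-file approach with the script downloaded once, shown with control bytes made visible so terminal escape sequences cannot alter what the reviewer sees, and the confirmation read from the terminal rather than from stdin. The function names are hypothetical; it assumes curl, mktemp and a cat that supports -v (GNU and BSD both do).

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not from the answers above.

# Succeeds if the file holds bytes other than printable ASCII, tab or newline
# (ESC, CR, backspace ...), which a terminal would interpret instead of show.
has_control_bytes() {
    n=$(LC_ALL=C tr -d '\11\12\40-\176' < "$1" | wc -c)
    [ "$((n))" -gt 0 ]
}

# Show the script with control bytes made visible (ESC prints as ^[, CR as ^M).
render_for_review() {
    cat -v "$1"
}

# Review a local file, ask for confirmation, and run exactly that file.
# $2 is where the answer is read from (default: the terminal, not stdin).
# Returns the script's exit status, or 2 if the user declined.
review_and_run() {
    file=$1 reply_src=${2:-/dev/tty}
    render_for_review "$file" >&2
    if has_control_bytes "$file"; then
        printf '\nWARNING: control or non-ASCII bytes present (shown as ^X / M-x)\n' >&2
    fi
    printf '\nDo you want to run this script? [y/N] ' >&2
    # No usable answer (EOF, no terminal) counts as "no".
    read -r reply < "$reply_src" || reply=
    case $reply in
        [Yy]|[Yy][Ee][Ss]) sh "$file" ;;
        *) return 2 ;;
    esac
}

# Download once to a private temp file, then review and run those same bytes.
fetch_review_run() {
    tmp=$(mktemp) || return 1
    # -f: treat HTTP errors as failure instead of saving the error page
    if curl -fsSL "$1" -o "$tmp"; then
        review_and_run "$tmp" "${2:-/dev/tty}"
        rc=$?
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}
```

Call it as fetch_review_run "$url". Because the file comes from mktemp instead of a fixed name under /tmp, another local user cannot pre-create or swap it between review and execution.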
0

Use this command line:

curl URL | ( cat > /tmp/file; read REPLY < /dev/tty; [[ $REPLY =~ ^[Yy]$ ]] && cat /tmp/file ) | sh

You could use a small function for that:

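curlsh()
{
    # stdin of the subshell is the pipe from curl, so the answer is read
    # from the terminal; the script reaches sh only after a "y".
    curl "$1" \
    | ( cat > /tmp/file; read REPLY < /dev/tty; [[ $REPLY =~ ^[Yy]$ ]] && cat /tmp/file ) \
    | sh
}

And then use it this way: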

curlsh http://site.in.net/path/to/script
Igor Chubin
  • 1,144
0

Assuming your read knows -p (prompt), and the script needn't be executed with the interpreter, specified by the shebang:

curl URL | tee /tmp/x && read -p "execute?" key ; test "$key" = y && sh /tmp/x
user unknown
  • 10,482
0

I think you just type in the command without piping it.

I ran a similar script that pipes to bash, but removing the pipe so it is just curl and the URL, the file shows in the terminal as if I had just run a cat command.

For instance, this command:

curl https://get.pimoroni.com/pantilthat | bash

Gave me this result:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 38706  100 38706    0     0  47087      0 --:--:-- --:--:-- --:--:-- 47087

This script will install everything needed to use Pan-Tilt HAT

Always be careful when running scripts and commands copied from the internet. Ensure they are from a trusted source.

If you want to see what this script does before running it, you should run: 'curl https://get.pimoroni.com/pantilthat'

Note: Pan-Tilt HAT requires I2C communication

Do you wish to continue? [y/N]

And running the following allowed me to view the file in my terminal:

curl https://get.pimoroni.com/pantilthat

I know it's been almost 9 years, but I hope that helps you or anyone else who may have the same question!

  • @AdminBee Apart from downloading the script twice (first to look at it and then to run it), this answer answers the question with a simple and accessible workflow. – Kusalananda Jun 14 '21 at 16:39
  • 1
    @Kusalananda I was under the impression that avoiding a manual two-pass approach was the core of the question. I may be mistaken, though, and I agree that not having to open a web browser is already an improvement. (Note that it was not me who downvoted the answer). – AdminBee Jun 15 '21 at 06:52