> curl -LsSf https://astral.sh/uv/install.sh | sh
"Just pipe a random script from the internet into your shell! What could possibly go wrong?"
> curl -LsSf https://astral.sh/uv/install.sh | sh
"Just pipe a random script from the internet into your shell! What could possibly go wrong?"
We've all done it. I'm curious though, I wonder what would be the best way to prevent a user from doing this.
Wrap curl to detect if /dev/stdout is a pipe and if the output is a script - this is fast because of the hash-bang. From there you can do a lot of fancy things: replace the output with echo "don't do this" ; exit 1", check the Url against a list of well known accepted scripts based on hash, run the unknown ones through an LLM to validate if they are potentially malicious, etc.
> run the unknown ones through an LLM
Run my command through an LLM and tell me "don't do this" once, I'm out to a different distro :-).
Also, if people copy-paste stuff they don't understand in a terminal (and running a script like this is pretty much "running stuff one does not understand"), I don't think there is anything you can do for them.
The user is the one copy-pasting that line in their terminal. There is no preventing them from doing it, they can `rm -rf /` if they feel like it.
They shouldn't, though...