# Security: install.sh downloads and executes remote code without verification #2033
Bug Report: Potential Security Issue in install.sh Script
## Bug Title

`install.sh` script downloads and executes remote Python script without proper verification

## Severity Tier

Medium (10 RTC) - Security issue that could lead to arbitrary code execution

## Bug Description

The `install.sh` script downloads and executes a Python miner script from a remote URL without:

- Verifying the script's integrity (checksum/hash verification)
- Using HTTPS for the download (some URLs use HTTP)
- Providing a way to verify the authenticity of the downloaded script
## Steps to Reproduce

1. Examine the `install.sh` script in the RustChain repository
2. Look at lines that download and execute remote code:

```bash
MINER_URL="https://raw.githubusercontent.com/Scottcjn/Rustchain/main/miners/rustchain_universal_miner.py"
FINGERPRINT_URL="https://raw.githubusercontent.com/Scottcjn/Rustchain/main/miners/fingerprint_checks.py"
NODE_URL="https://50.28.86.131"

# Later in the script:
curl -fsSL "$MINER_URL" -o "$INSTALL_DIR/rustchain_universal_miner.py"
python3 "$INSTALL_DIR/rustchain_universal_miner.py" --wallet "$WALLET" --node "$NODE_URL" &
```

3. Notice that:
   - The script is downloaded via `curl -fsSL` (follow redirects, silent, location)
   - No hash/checksum verification is performed
   - The script is immediately executed with `python3`
   - User's wallet information is passed to the downloaded script
## Expected Behavior

- The installer should verify the integrity of downloaded scripts using checksums or cryptographic signatures
- All downloads should use HTTPS
- Users should be able to verify the authenticity of the scripts before execution
- Consider using package managers or signed releases for distribution

## Actual Behavior

- Scripts are downloaded without verification
- Downloaded scripts are executed immediately with user credentials
- No mechanism for users to verify what they're running

## Security Implications

- **MITM Attacks**: If the GitHub raw content is compromised or intercepted, attackers could inject malicious code
- **Supply Chain Attack**: If the repository is compromised, all users running the installer would be affected
- **Credential Theft**: The miner script receives wallet information which could be exfiltrated by malicious code
## Screenshot/Evidence

```bash
# Relevant code from install.sh (lines 25-30 and 150-160):
MINER_URL="https://raw.githubusercontent.com/Scottcjn/Rustchain/main/miners/rustchain_universal_miner.py"
# ...
curl -fsSL "$MINER_URL" -o "$INSTALL_DIR/rustchain_universal_miner.py"
python3 "$INSTALL_DIR/rustchain_universal_miner.py" --wallet "$WALLET" --node "$NODE_URL" &
```

## Suggested Fix

1. Add checksum verification:

```bash
# Add expected SHA256 hashes
MINER_HASH="expected_sha256_hash_here"
FINGERPRINT_HASH="expected_sha256_hash_here"

# Verify after download
downloaded_hash=$(sha256sum "$INSTALL_DIR/rustchain_universal_miner.py" | cut -d' ' -f1)
if [ "$downloaded_hash" != "$MINER_HASH" ]; then
    echo "ERROR: Hash verification failed!"
    exit 1
fi
```

2. Use signed releases from GitHub Releases instead of raw.githubusercontent.com
3. Provide verification instructions in the documentation
4. Consider using package managers like pip, brew, or apt for distribution
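As an added example (not code from the RustChain repository or from this report), the following puts the checksum fix together into a download-then-verify fragment for the `curl`/`python3` pattern quoted in the steps to reproduce. It downloads to a temporary file, compares the digest against a pinned value before anything is moved into place or executed, pins HTTPS for the initial request and any redirect, and falls back to `shasum -a 256` because `sha256sum` is not installed by default on macOS (the reporter's platform). `MINER_SHA256` is a placeholder; a release process would publish the real digest next to the file.

```shell
#!/usr/bin/env sh
# Added example of a download-then-verify installer step. Not the project's
# own install.sh. Digest values below are placeholders, not real hashes.
set -eu

INSTALL_DIR="${INSTALL_DIR:-$HOME/.rustchain}"
MINER_URL="https://raw.githubusercontent.com/Scottcjn/Rustchain/main/miners/rustchain_universal_miner.py"
# PLACEHOLDER: the publisher's pinned SHA256 of rustchain_universal_miner.py.
MINER_SHA256="${MINER_SHA256:-<expected_sha256_of_rustchain_universal_miner.py>}"

# Portable SHA256: GNU coreutils provides sha256sum, macOS ships shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED: succeeds only if the file's digest matches.
verify_sha256() {
    actual="$(sha256_of "$1")"
    [ "$actual" = "$2" ]
}

# fetch_verified URL DEST EXPECTED: download into a temp file beside DEST,
# verify the digest, and only then move it into place. An unverified file
# never lands at DEST, so a later "python3 $DEST" cannot run tampered code.
fetch_verified() {
    url="$1"; dest="$2"; expected="$3"
    tmp="$(mktemp "${dest}.XXXXXX")"
    trap 'rm -f "$tmp"' EXIT
    # --proto/--proto-redir '=https' refuse plain HTTP for the request and
    # for any redirect target; --max-time bounds a stalled connection.
    curl -fsSL --proto '=https' --proto-redir '=https' --tlsv1.2 \
         --max-time 60 "$url" -o "$tmp"
    if ! verify_sha256 "$tmp" "$expected"; then
        echo "ERROR: SHA256 mismatch for $url" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $(sha256_of "$tmp")" >&2
        rm -f "$tmp"
        exit 1
    fi
    chmod 0644 "$tmp"
    mv "$tmp" "$dest"
    trap - EXIT
}

# Guarded so the functions can be sourced without touching the network.
if [ "${RUN_INSTALL:-0}" = "1" ]; then
    mkdir -p "$INSTALL_DIR"
    fetch_verified "$MINER_URL" "$INSTALL_DIR/rustchain_universal_miner.py" "$MINER_SHA256"
    echo "Verified download at $INSTALL_DIR/rustchain_universal_miner.py"
fi
```

The important ordering is that `verify_sha256` runs on the temporary file before `mv`; the original script's `curl ... -o` followed directly by `python3` leaves no point at which a mismatch could stop execution. A pinned digest only helps if it is published through a channel the installer's own download cannot overwrite (a signed release or a separate checksum file under a different trust root), which is why the suggested fix also lists signed releases.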
## Impact

- All users who install RustChain miner using the `install.sh` script are potentially affected
- The issue affects the trust and security of the installation process
- Could lead to loss of funds if wallet information is compromised

## Reproduction Environment

- OS: macOS (but affects all platforms)
- Script Version: Latest from main branch
- Date: 2026-03-31

## Additional Notes

This bug was found during a security review of the installation process. While the current maintainers may be trustworthy, the installation pattern sets a dangerous precedent and could be exploited if any part of the delivery chain is compromised.

The fix is relatively simple to implement and would significantly improve the security posture of the RustChain installation process.