Hi! I'm reviewing untitaker/hyperlink for the Apache Software Foundation's GitHub Actions allowlist (downstream: apache/infrastructure-actions#916, bumping 0.2.0 → 0.2.1).
scripts/install.sh fetches the installer over the network and pipes it straight to a shell with no integrity check:
```sh
curl --proto '=https' --tlsv1.2 -LsSf https://github.com/untitaker/hyperlink/releases/download/$tag/hyperlink-installer.sh | sh
```
A compromised or MITM'd release asset would run arbitrary code on the runner. The good news: your releases already publish checksums — each artifact has a .sha256, plus an aggregate sha256.sum. Two ways to close the gap:
- Download the platform binary directly and verify it against the published `.sha256` before use, instead of `curl … | sh`; or
- Pin + checksum-verify `hyperlink-installer.sh` itself.
Happy to send a PR. Thanks for already shipping the checksums — it makes this a small change.
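The second option from the issue, written out as an added example (not code from the hyperlink project or the issue author): fetch the installer to a file, compare it against the published `.sha256`, and only then run it. It assumes release tags are named `v<version>`, that the `.sha256` file is in `sha256sum` format (`<hex>  <filename>`), and that `sha256sum` or `shasum` exists on the runner.

```shell
#!/bin/sh
# Added example, not the project's own install.sh. Assumptions: tags look like
# v0.2.1, the .sha256 asset is "<hex>  <filename>", sha256sum or shasum is present.
set -eu

# Print the SHA-256 hex digest of a file, using whichever tool is installed.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_sha256 FILE SUMFILE: succeed only if FILE's digest equals the first
# field of SUMFILE (case-insensitive hex); an empty SUMFILE never matches.
verify_sha256() {
  expected=$(cut -d' ' -f1 < "$2" | tr 'A-F' 'a-f')
  actual=$(sha256_of "$1")
  [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Replacement for `curl ... | sh`: pin a tag, download the installer and its
# checksum to a temp dir, and refuse to execute unless they agree.
install_hyperlink() {
  tag="${1:-v0.2.1}"   # assumed tag naming; 0.2.1 is the version under review
  base="https://github.com/untitaker/hyperlink/releases/download/$tag"
  tmp=$(mktemp -d)
  curl --proto '=https' --tlsv1.2 -LsSf \
    -o "$tmp/hyperlink-installer.sh" "$base/hyperlink-installer.sh"
  curl --proto '=https' --tlsv1.2 -LsSf \
    -o "$tmp/hyperlink-installer.sh.sha256" "$base/hyperlink-installer.sh.sha256"
  if ! verify_sha256 "$tmp/hyperlink-installer.sh" "$tmp/hyperlink-installer.sh.sha256"; then
    echo "checksum mismatch for hyperlink-installer.sh; refusing to run it" >&2
    rm -rf "$tmp"
    return 1
  fi
  sh "$tmp/hyperlink-installer.sh"
  rm -rf "$tmp"
}
```

Pinning `tag` to a fixed value keeps the workflow from silently picking up whatever the latest release happens to be.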