
No integrity verification on downloaded scripts or tarballs #21

@jabez007


Blindly extracting archives or scripts fetched over HTTPS is a supply-chain risk.

For example:
Neovim publishes SHA256 sums – verify before install:

-    curl -LO "https://github.com/neovim/neovim/releases/download/stable/${nvim_tarball}.tar.gz" ||
+    curl -LO "https://github.com/neovim/neovim/releases/download/stable/${nvim_tarball}.tar.gz" ||
       die "Failed to download Neovim"
+    curl -LO "https://github.com/neovim/neovim/releases/download/stable/${nvim_tarball}.tar.gz.sha256sum"
+    sha256sum -c "${nvim_tarball}.tar.gz.sha256sum" ||
+      die "Checksum verification failed for Neovim"
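Review bot: The checksum download on the fourth `+` line has no `|| die`, so a failed fetch of `${nvim_tarball}.tar.gz.sha256sum` falls through to `sha256sum -c`, which then fails on a missing file and reports "Checksum verification failed" rather than a download error; add `|| die "Failed to download Neovim checksum"` to that curl, and `-f` so an HTTP error body is not saved as the checksum file. Note also that the sidecar is fetched from the same origin over the same channel as the tarball, so this catches corruption and mismatched artifacts but not a compromised release; pinning the expected digest in the script or verifying the release signature would close that gap.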

Repeat the pattern for LazyGit & Bottom downloads.
[security]

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

    curl -LO "https://github.com/neovim/neovim/releases/download/stable/${nvim_tarball}.tar.gz" ||
      die "Failed to download Neovim"
    curl -LO "https://github.com/neovim/neovim/releases/download/stable/${nvim_tarball}.tar.gz.sha256sum" ||
      die "Failed to download Neovim checksum"
    sha256sum -c "${nvim_tarball}.tar.gz.sha256sum" ||
      die "Checksum verification failed for Neovim"

    run_as_admin rm -rf /opt/nvim*
    run_as_admin tar -C /opt -xzf "${nvim_tarball}.tar.gz" || die "Failed to extract Neovim"
    run_as_admin ln -sf "/opt/${nvim_tarball}/bin/nvim" /usr/local/bin/nvim
    rm "${nvim_tarball}.tar.gz"
🤖 Prompt for AI Agents
In astro-nvim/.install/modules/editor.sh around lines 19 to 26, the script
downloads the Neovim tarball but does not verify its integrity, posing a
security risk. To fix this, download the corresponding SHA256 checksum file from
Neovim's release page, then compute the SHA256 hash of the downloaded tarball
and compare it against the official checksum before extraction. If the
verification fails, abort the installation with an error message. Apply the same
checksum verification process for the LazyGit and Bottom tarball downloads
elsewhere in the script.

Originally posted by @coderabbitai[bot] in #20 (comment)
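The procedure described above (fetch the sidecar, hash the artifact, compare, abort on mismatch, then extract) as a reusable helper, written here as an added example and not taken from the astro-nvim repository. It assumes the script's `die` convention (a minimal `die` is defined so the block runs stand-alone), assumes the sidecar uses the `<hex digest>  <filename>` layout that `sha256sum` emits, and deliberately checks that the filename inside the sidecar matches the artifact that was downloaded rather than trusting `sha256sum -c` to resolve it. The demo at the bottom runs offline against a constructed file; `fetch_verified` is the only function that needs the network.

```shell
#!/bin/sh
# Added example, not code from the astro-nvim install script.
# Assumption: the real script provides `die`; a minimal one is defined here.
set -u

die() { echo "error: $*" >&2; exit 1; }

# Print the SHA-256 hex digest of a file with whichever tool is present.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Compare a file against an expected digest. Returns 0 on match, 1 otherwise.
# The expected digest is lower-cased first so an uppercase hash copied from a
# release page still compares equal.
verify_sha256() {
  local file="$1" expected="$2" actual
  [ -f "$file" ] || return 1
  actual=$(sha256_of "$file")
  expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
  [ "$actual" = "$expected" ]
}

# Verify a file against a sidecar ".sha256sum" file (assumed format:
# "<hex digest>  <filename>"). The digest and filename are read explicitly and
# the filename must equal the artifact we downloaded, so a sidecar that names
# some other artifact is rejected instead of silently checking the wrong file.
verify_with_sidecar() {
  local file="$1" sidecar="$2" digest named
  [ -s "$sidecar" ] || return 1
  read -r digest named < "$sidecar" || return 1
  named="${named#\*}"   # drop the binary-mode marker some tools prepend
  [ "$named" = "$(basename "$file")" ] || return 1
  verify_sha256 "$file" "$digest"
}

# Download an artifact and its sidecar; refuse to continue unless both fetches
# succeed (-f makes HTTP errors fail instead of saving an error page) and the
# digest matches. Extraction belongs after this call, never before it.
fetch_verified() {
  local url="$1" name="$2" base
  base=$(basename "$url")
  curl -fLO "$url" || die "Failed to download $name"
  curl -fLO "${url}.sha256sum" || die "Failed to download checksum for $name"
  verify_with_sidecar "$base" "$base.sha256sum" \
    || die "Checksum verification failed for $name"
}

# Offline demonstration on a constructed file (not a real release artifact).
demo() {
  local tmp
  tmp=$(mktemp -d) || return 1
  printf 'hello\n' > "$tmp/nvim-demo.tar.gz"
  printf '5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03  nvim-demo.tar.gz\n' \
    > "$tmp/nvim-demo.tar.gz.sha256sum"
  if verify_with_sidecar "$tmp/nvim-demo.tar.gz" "$tmp/nvim-demo.tar.gz.sha256sum"; then
    echo "constructed tarball verified"
  else
    echo "constructed tarball REJECTED"
  fi
  rm -rf "$tmp"
}

demo
```

The same `fetch_verified` call covers the LazyGit and Bottom downloads wherever their publishers ship a `.sha256sum` sidecar in this layout; for releases that publish only a digest on the release page, call `verify_sha256` with that digest pinned in the script instead, which also removes the dependency on the sidecar arriving intact from the same origin.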
