install.sh: Invoke curl with secure defaults
When invoking the install script, the installation process can fail
silently so that the `k3d` binary includes only the ASCII string 'Not
found'. This can be avoided by passing the `--fail` flag so that the
command fails if a 4XX or 5XX response is received.

This change adds a `scurl` function that invokes `curl` with this flag,
as well as flags that ensure that at least TLS v1.2 is used (this helps
mitigate protocol downgrade attacks).

This is based on the defaults we use in Linkerd. See: https://github.com/linkerd/linkerd2/blob/a0b112471eef7e3975fbc8564df52d83894c3fa3/bin/scurl

Signed-off-by: Oliver Gould <[email protected]>
olix0r committed Mar 4, 2022
1 parent dd07011 commit d259415
Showing 1 changed file with 14 additions and 2 deletions.
16 changes: 14 additions & 2 deletions install.sh
Expand Up @@ -42,6 +42,18 @@ runAsRoot() {
$CMD
}

# scurl invokes `curl` with secure defaults
scurl() {
# - `--proto =https` requires that all URLs use HTTPS. Attempts to call http://
# URLs will fail.
# - `--tlsv1.2` ensures that at least TLS v1.2 is used, disabling less secure
# prior TLS versions.
# - `--fail` ensures that the command fails if HTTP response is not 2xx.
# - `--show-error` causes curl to output error messages when it fails (when
# also invoked with -s|--silent).
curl --proto =https --tlsv1.2 --fail --show-error "$@"
}

# verifySupported checks that the os/arch combination is supported for
# binary builds.
verifySupported() {
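Review bot: the `--fail` comment in `scurl` ("fails if HTTP response is not 2xx") overstates what the flag does; curl's `--fail` fires on 4xx/5xx responses only, as the commit message itself says, and a 3xx is not an error unless `-L` is given and the redirect chain ends in one, so a caller that omits `-L` can still get a redirect body written to disk with exit status 0. Suggest rewording the comment to `# - \`--fail\` ensures that the command fails on 4xx/5xx HTTP responses.` and, since both call sites in this file pass `-s` and `-L` (and `--show-error` is documented here as only mattering together with `-s`), consider folding them into the defaults: `curl --proto =https --tlsv1.2 --fail -sSL "$@"`.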
Expand Down Expand Up @@ -84,7 +96,7 @@ checkTagProvided() {
checkLatestVersion() {
local latest_release_url="$REPO_URL/releases/latest"
if type "curl" > /dev/null; then
TAG=$(curl -Ls -o /dev/null -w %{url_effective} $latest_release_url | grep -oE "[^/]+$" )
TAG=$(scurl -Ls -o /dev/null -w %{url_effective} $latest_release_url | grep -oE "[^/]+$" )
elif type "wget" > /dev/null; then
TAG=$(wget $latest_release_url --server-response -O /dev/null 2>&1 | awk '/^\s*Location: /{DEST=$2} END{ print DEST}' | grep -oE "[^/]+$")
fi
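Review bot: with `--fail`, a 4xx/5xx from `$latest_release_url` now makes curl exit non-zero, but that status is swallowed by the `| grep -oE` pipeline and the `$(...)` assignment, so `TAG` silently becomes the empty string and the script continues. Suggest checking the result right after the assignment, e.g. `[ -n "$TAG" ] || { echo "failed to resolve latest release from $latest_release_url" >&2; exit 1; }`, or running the script with `set -o pipefail`; `"$latest_release_url"` should also be quoted. The `wget` branch is left untouched and gets none of the HTTPS-only / TLS 1.2 hardening; `--https-only --secure-protocol=TLSv1_2` would be the wget equivalent if parity is wanted.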
Expand All @@ -98,7 +110,7 @@ downloadFile() {
K3D_TMP_ROOT="$(mktemp -dt k3d-binary-XXXXXX)"
K3D_TMP_FILE="$K3D_TMP_ROOT/$K3D_DIST"
if type "curl" > /dev/null; then
curl -SsL "$DOWNLOAD_URL" -o "$K3D_TMP_FILE"
scurl "$DOWNLOAD_URL" -o "$K3D_TMP_FILE"
elif type "wget" > /dev/null; then
wget -q -O "$K3D_TMP_FILE" "$DOWNLOAD_URL"
fi
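Review bot: the replacement call drops the `-SsL` the old `curl` line had, and `scurl` does not add `-L` itself (`curl --proto =https --tlsv1.2 --fail --show-error "$@"` above). If `$DOWNLOAD_URL` answers with a redirect, curl will not follow it, `--fail` does not fire on a 3xx, and the redirect response body is written to `$K3D_TMP_FILE` with exit status 0, which is the same silent-failure mode this commit sets out to fix. Suggest `scurl -sSL "$DOWNLOAD_URL" -o "$K3D_TMP_FILE"` (or adding `-L` to `scurl`'s defaults), and checking the exit status here if the script does not already run under `set -e`: `scurl -sSL "$DOWNLOAD_URL" -o "$K3D_TMP_FILE" || { echo "download failed: $DOWNLOAD_URL" >&2; exit 1; }`.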
