coop-cloud/abra
coop-cloud
/
abra
Archived
7
0
Fork 2
Code Issues 21 Pull Requests Releases Activity

Security implications of source/executing abra.sh from abra #199

New Issue
Open
opened 2021-07-06 08:46:26 +00:00 by decentral1se · 0 comments
decentral1se commented 2021-07-06 08:46:26 +00:00
Owner
Copy Link

Is there something we should be considering here?

Packagers could indeed rm -rf / in the abra.sh but then we probably wouldn't be giving that person commit access to the repository. Someone could spoof the repositories? That sounds pretty far fetched.

I know Yunohost have a setup where they make packagers generate checksums of their scripts on the package side and then installer script validates those checksums. Do we also need to consider something like that?

Is there something we should be considering here? Packagers could indeed `rm -rf /` in the `abra.sh` but then we probably wouldn't be giving that person commit access to the repository. Someone could spoof the repositories? That sounds pretty far fetched. I know Yunohost have a setup where they make packagers generate checksums of their scripts on the package side and then installer script validates those checksums. Do we also need to consider something like that?
decentral1se added the
question
 label 2021-07-06 08:46:26 +00:00
This repo is archived. You cannot comment on issues.
No Branch/Tag Specified
Branches Tags
main
requirements-install-script
prefer-fast-option
add-bump-logic
prompt-cleanup
fix-pwgen
fix-subcommand-select
digest-version
backup_restore
command_help_2
merge-logging
monorepo
10.0.0
9.0.0
8.0.1
8.0.0
0.7.4
0.7.3
0.7.2
0.7.1
0.7.0
checkout
0.6.0
0.5.0
0.4.1
0.4.0
0.3.1
0.3.0
0.2.0
0.1.2
0.1.1
0.1.0
Labels
Clear labels   
breaking-change

Anything that breaks the existing API

  
bug

Something is not working

  
CI/CD

Anything to do with testing and infra

  
design

Anything to with UX of this tool

  
documentation

Documentation

  
duplicate

This issue or pull request already exists

  
enhancement

New feature

  
help wanted

Need some help

  
invalid

Something is wrong

  
plugin

Related to the plugin architecture

  
question

More information is needed

  
secrets

Everything to do with docker secrets

  
shell-completion

To do with shell completion

  
versioning

All the things to do with versioning apps

  
wontfix

This won't be fixed

No Label
breaking-change
bug
CI/CD
design
documentation
duplicate
enhancement
help wanted
invalid
plugin
question
secrets
shell-completion
versioning
wontfix
Milestone
Clear milestone
No items
No Milestone
Assignees
Clear assignees
No Assignees
1 Participants
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: coop-cloud/abra#199
No description provided.
Delete Branch "%!s(<nil>)"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?