Fix unsafe curl-pipe-bash pattern in PHP install scripts#2
Draft
semgrep-code-badoo[bot] wants to merge 1 commit intomasterfrom
Draft
Fix unsafe curl-pipe-bash pattern in PHP install scripts#2semgrep-code-badoo[bot] wants to merge 1 commit intomasterfrom
semgrep-code-badoo[bot] wants to merge 1 commit intomasterfrom
Conversation
Fix security issue where remote scripts are fetched and piped directly to bash, enabling potential remote code execution. ## Changes - Modified `build_php7.0_mac` function to download install script before executing - Modified `build_php7.3_mac` function with the same fix - Added cleanup to remove temporary script files after execution ## Why Piping `curl` output directly to `bash` (`curl ... | bash`) is a security anti-pattern because: 1. The script executes before you can inspect its contents 2. A compromised or malicious server could serve arbitrary code 3. Network issues could cause partial script execution The fix downloads the script to a temporary file first, then executes it separately. This allows for inspection and prevents direct remote code execution from untrusted sources. ## Semgrep Finding Details Remote script is fetched and piped directly to a shell interpreter. In Claude Code and Cursor hooks, this enables remote code execution from untrusted sources. Download the script first, inspect it, then execute it separately. @9071412 requested Semgrep Assistant generate this pull request to fix [a finding](https://semgrep.dev/orgs/bmbl/findings/727472701).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fix security issue where remote scripts are fetched and piped directly to bash, enabling potential remote code execution.
Changes
build_php7.0_macfunction to download install script before executingbuild_php7.3_macfunction with the same fixWhy
Piping
curloutput directly tobash(curl ... | bash) is a security anti-pattern because:The fix downloads the script to a temporary file first, then executes it separately. This allows for inspection and prevents direct remote code execution from untrusted sources.
Semgrep Finding Details
Remote script is fetched and piped directly to a shell interpreter. In Claude Code and Cursor hooks, this enables remote code execution from untrusted sources. Download the script first, inspect it, then execute it separately.
@9071412 requested Semgrep Assistant generate this pull request to fix a finding.