
I asked this at https://apple.stackexchange.com/questions/445343/macapps-link-possible-attack-vector-could-you-pipe-through-some-security-scr but I think this would be more appropriate place.

A work colleague said she is using https://macapps.link/en/ to help speed up software installation on company Macs. Choosing apps to install results in a terminal command like this:

curl -s 'https://api.macapps.link/en/chrome-etcher' | sh

This screamed attack vector to me since if that site is hacked then the result could be a malicious payload.

I guess https://brew.sh/ is the same:

/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"

Is there any script that the results could be piped through before hitting | sh (etc..) to check for malicious actions?

And of course there is what is downloaded (e.g. chrome.dmg) but then that is a separate problem that would need to be solved with virus software (or put the DL URL through https://www.virustotal.com/gui/home/upload).

HankCa
  • Please note that [cross-posting is generally against community rules](https://meta.stackexchange.com/questions/64068/is-cross-posting-a-question-on-multiple-stack-exchange-sites-permitted-if-the-qu), even if done in good faith. – PasWei Aug 17 '22 at 08:57
  • Understood and wasn't intentional. I realised this might be a better place to ask the question :) – HankCa Aug 19 '22 at 08:58

1 Answer


No, there's really no such script. It is impossible to create a script that will warn against every possible type of malicious action.

You could possibly create a script to set up a sandboxed container for the program to run in - but the point of an installer is usually to put files outside the container, otherwise there wouldn't be the need for an installer. So I doubt that approach is practical here.

Also note that merely inspecting the contents of that link before running the command is also not enough to detect malicious actions. One thing is that it could be hidden and disguised to look like innocent code, another thing is that the server is actually in some cases able to detect whether you're downloading the link to inspect it or to run it.

Instead of piping the contents of links into bash, I would advise using a package manager for installing software that offers reasonable security features such as for example checking signatures on software before installing.

One of the most popular package managers for macOS is Homebrew. It is relatively weak in terms of checking software for authenticity, but it does check that the SHA-256 hash of the downloaded software package matches the hash that their package maintainer has listed as valid. With Homebrew you can speed up software installation by similarly installing multiple software packages in one go with a simple command such as:

brew install --cask chromium thunderbird alfred insomnia

This will install Chromium (browser), Thunderbird (email/calendar), Alfred (productivity) and Insomnia (API client).

jksoegaard
  • Yeah thanks @jksoegaard; I guess it's a case of you don't know what you don't know. Homebrew is mainly CLI apps. I will give this feedback to my team as some seemed quite keen to use macapps and I suggested it might not be a good idea. – HankCa Aug 19 '22 at 08:53
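As an added example (not part of the question or the answer above), the hash check the answer credits Homebrew with can be applied to the `curl ... | sh` case directly: fetch the script to a file, read it and record its SHA-256 once, and afterwards run it only when the digest still matches. Because the same bytes are inspected, hashed and executed, a server cannot hand an inspector and a runner different content. The `verify_and_run` function and the demo installer script are constructed here and are not from any real project.

```shell
#!/bin/sh
# Added example: replace `curl URL | sh` with fetch-to-file, pin the SHA-256,
# and execute only on a digest match. Obtain the pinned hash from a copy you
# have read (or from the project's published checksum), never from the same
# untrusted download you are about to run.

# Portable SHA-256: macOS ships `shasum`, most Linux distributions `sha256sum`.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_and_run FILE EXPECTED_SHA256
# Returns 0 and runs FILE with sh only if its digest equals EXPECTED_SHA256;
# otherwise reports the mismatch, runs nothing, and returns 1.
verify_and_run() {
  vr_file=$1
  vr_expected=$2
  vr_actual=$(sha256_of "$vr_file")
  if [ "$vr_actual" != "$vr_expected" ]; then
    printf 'digest mismatch for %s\n  expected %s\n  got      %s\n' \
      "$vr_file" "$vr_expected" "$vr_actual" >&2
    return 1
  fi
  sh "$vr_file"
}

# Constructed demo: a local stand-in for a downloaded installer script.
# Against a real URL you would first do: curl -fsSL "$url" -o "$file"
demo_dir=$(mktemp -d)
demo_script="$demo_dir/installer.sh"
printf '#!/bin/sh\necho "installing demo app"\n' > "$demo_script"

# Record the digest of the copy you have inspected; this is the pinned value.
demo_hash=$(sha256_of "$demo_script")

# Bogus digest used to show that a mismatch blocks execution.
bad_hash=0000000000000000000000000000000000000000000000000000000000000000
```

Re-running `verify_and_run "$demo_script" "$demo_hash"` after the file has been modified (for example, the server serving a different script next time) fails the check and executes nothing.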