
CRITICAL: curl | sudo bash Without Integrity Check (NodeSource) #583

@ReterAI

Description


CRITICAL: curl | sudo bash Without Integrity Check (NodeSource)

Severity: Critical
CWE: CWE-494 (Download of Code Without Integrity Check)
Files: scripts/brev-setup.sh, scripts/install.sh
Lines: brev-setup.sh:39, install.sh:233
Status: Active

Description

Two scripts download the NodeSource installer script from https://deb.nodesource.com/setup_22.x and pipe it directly into sudo -E bash - without any integrity verification. This executes arbitrary remote code as root.

This is the most severe instance of the curl|sh pattern in the codebase because:

  1. It runs as root (via sudo)
  2. The same codebase already implements SHA-256 verification for nvm in the root-level install.sh:118-143 (a different file), demonstrating awareness of the risk
  3. Both occurrences are in active code paths (unlike the Ollama curl|sh which is commented out)

Vulnerable Code

Location 1: scripts/brev-setup.sh:37-41

# --- 0. Node.js (needed for services) ---
if ! command -v node > /dev/null 2>&1; then
  info "Installing Node.js..."
  curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash - > /dev/null 2>&1
  sudo apt-get install -y -qq nodejs > /dev/null 2>&1
  info "Node.js $(node --version) installed"

Location 2: scripts/install.sh:232-234

    nodesource)
      curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash - > /dev/null 2>&1
      sudo apt-get install -y -qq nodejs > /dev/null 2>&1

This code path is reached when NODE_MGR="nodesource" (line 163), which happens on Linux when no other Node version manager (nvm, fnm, asdf) is detected.

Correct Pattern Already in the Codebase

The root-level install.sh (a separate file from scripts/install.sh) implements SHA-256 verification for the nvm installer at lines 118-143:

local NVM_VERSION="v0.40.4"
local NVM_SHA256="4b7412c49960c7d31e8df72da90c1fb5b8cccb419ac99537b737028d497aba4f"
local nvm_tmp
nvm_tmp="$(mktemp)"
curl -fsSL "https://raw.githubusercontent.com/nvm-sh/nvm/${NVM_VERSION}/install.sh" -o "$nvm_tmp" \
  || { rm -f "$nvm_tmp"; error "Failed to download nvm installer"; }
local actual_hash
if command_exists sha256sum; then
  actual_hash="$(sha256sum "$nvm_tmp" | awk '{print $1}')"
elif command_exists shasum; then
  actual_hash="$(shasum -a 256 "$nvm_tmp" | awk '{print $1}')"
else
  warn "No SHA-256 tool found — skipping nvm integrity check"
  actual_hash="$NVM_SHA256"
fi
if [[ "$actual_hash" != "$NVM_SHA256" ]]; then
  rm -f "$nvm_tmp"
  error "nvm installer integrity check failed\n  Expected: $NVM_SHA256\n  Actual:   $actual_hash"
fi
info "nvm installer integrity verified"
bash "$nvm_tmp"
rm -f "$nvm_tmp"

Attack Scenarios

  1. Compromised CDN/mirror: If deb.nodesource.com is compromised or its CDN is poisoned, the attacker's payload runs as root on every fresh Brev VM or Linux installer run.

  2. MITM on CI/CD: On CI runners without certificate pinning, a network-level attacker could intercept the HTTPS connection (especially if the runner's CA store is modified).

  3. DNS hijacking: If deb.nodesource.com DNS is hijacked (e.g., expired domain, BGP hijack), the attacker controls what gets executed as root.

Note: HTTPS mitigates most MITM scenarios, but does not protect against server-side compromise of the NodeSource infrastructure.

Recommended Fix

Option A: Apply the nvm pattern (download + verify hash)

NODESOURCE_SHA256="<pinned-hash>"
nodesource_tmp="$(mktemp)"
curl -fsSL "https://deb.nodesource.com/setup_22.x" -o "$nodesource_tmp" \
  || { rm -f "$nodesource_tmp"; fail "Failed to download NodeSource installer"; }
actual_hash="$(sha256sum "$nodesource_tmp" | awk '{print $1}')"
if [[ "$actual_hash" != "$NODESOURCE_SHA256" ]]; then
  rm -f "$nodesource_tmp"
  fail "NodeSource installer integrity check failed"
fi
sudo -E bash "$nodesource_tmp" > /dev/null 2>&1
rm -f "$nodesource_tmp"
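
A fail-closed variant of Option A, added here as an example rather than code from the NemoClaw repository: unlike the nvm snippet, a missing SHA-256 tool is an error, not a warning, so the check cannot be silently skipped. The function names (`sha256_of`, `verify_sha256`, `run_verified_installer`) are assumptions, and `<pinned-hash>` remains a placeholder for the digest of the reviewed script revision.

```sh
#!/bin/sh
# Added example, not code from the NemoClaw repository: a fail-closed version
# of Option A. A missing SHA-256 tool is an error, never a warning, so the
# integrity check cannot be silently skipped.
set -eu

# Print the SHA-256 hex digest of FILE; fail if no hashing tool is present.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{print $1}'
  else
    echo "no SHA-256 tool available; refusing to continue" >&2
    return 2
  fi
}

# verify_sha256 FILE EXPECTED: 0 on match, 1 on mismatch, 2 if unverifiable.
verify_sha256() {
  actual="$(sha256_of "$1")" || return 2
  if [ "$actual" != "$2" ]; then
    echo "integrity check failed: expected $2, actual $actual" >&2
    return 1
  fi
  return 0
}

# run_verified_installer URL EXPECTED: download, verify, and only then
# execute as root. The temp file is removed on every exit path.
run_verified_installer() {
  tmp="$(mktemp)"
  if ! curl -fsSL "$1" -o "$tmp"; then
    rm -f "$tmp"; echo "download failed: $1" >&2; return 2
  fi
  if ! verify_sha256 "$tmp" "$2"; then
    rm -f "$tmp"; return 1
  fi
  rc=0
  sudo -E bash "$tmp" || rc=$?
  rm -f "$tmp"
  return $rc
}

# Usage: "<pinned-hash>" is a placeholder. Pin the digest of the script
# revision you reviewed, and re-pin deliberately whenever upstream changes.
# run_verified_installer https://deb.nodesource.com/setup_22.x "<pinned-hash>"
```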

Option B: Use apt repository directly (skip the setup script)

# Add NodeSource GPG key and repository manually
curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key \
  | sudo gpg --dearmor -o /usr/share/keyrings/nodesource.gpg
echo "deb [signed-by=/usr/share/keyrings/nodesource.gpg] https://deb.nodesource.com/node_22.x nodistro main" \
  | sudo tee /etc/apt/sources.list.d/nodesource.list > /dev/null
sudo apt-get update -qq && sudo apt-get install -y nodejs

Option B avoids running an arbitrary script as root entirely and relies on apt's built-in GPG signature verification.

Additional Occurrence in Documentation

spark-install.md:52 contains the same pattern in user-facing instructions:

curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash -

While not executable code, this recommends users run the same unverified curl | sudo bash pattern manually.
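
Because the same pattern turns up in scripts and documentation alike, a repository-wide check is the practical way to keep it from returning. The following is an added example, not a tool from the NemoClaw project; `find_pipe_to_shell` and `count_pipe_to_shell` are assumed names, and commented-out lines (the Ollama case) are excluded so that only live code paths are reported.

```sh
#!/bin/sh
# Added example, not code from the NemoClaw repository: a repo-wide check for
# the "download | (sudo) shell" pattern this issue catalogues, run over shell
# scripts and Markdown docs alike so user-facing instructions are caught too.
set -eu

# Lines that pipe curl/wget output straight into sh/bash/zsh, with or
# without "sudo [-E]" in front of the interpreter.
PIPE_TO_SHELL='(curl|wget)[^|#]*\|[[:space:]]*(sudo[[:space:]]+(-E[[:space:]]+)?)?(ba|z)?sh([[:space:]]|$)'

# find_pipe_to_shell DIR: print live offenders as file:line:text and return 1
# if any exist, so the function doubles as a CI gate. Commented-out lines
# are filtered out; they are not live code paths.
find_pipe_to_shell() {
  hits="$(grep -rnE "$PIPE_TO_SHELL" "$1" 2>/dev/null \
          | grep -vE '^[^:]*:[0-9]+:[[:space:]]*#' || true)"
  if [ -n "$hits" ]; then
    printf '%s\n' "$hits"
    return 1
  fi
  return 0
}

# count_pipe_to_shell DIR: number of live offenders, for reporting.
count_pipe_to_shell() {
  find_pipe_to_shell "$1" | wc -l | tr -d ' '
}

# Usage as a CI step from the repository root:
# find_pipe_to_shell . || { echo "unverified pipe-to-shell installs found" >&2; exit 1; }
```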

Risk Assessment

  • Impact: Arbitrary code execution as root on the target machine
  • Exploitability: Requires compromise of NodeSource infrastructure or a network-level attack; mitigated by HTTPS but not eliminated
  • Blast radius: Every fresh Brev VM (brev-setup.sh) and every Linux install without a version manager (install.sh) executes this path
  • Mitigating factors: HTTPS transport protects against passive eavesdropping and most MITM. NodeSource is a well-known, established service. The attack requires active infrastructure compromise.

Checklist

  • I confirmed this bug is reproducible
  • I searched existing issues and this is not a duplicate


Labels: CI/CD, bug, priority: high, security
