sec(install): validate redirect URL origin before trusting resolved version

latenighthackathon · latenighthackathon · commit 5fcdb89a4245 · 2026-03-29T14:56:02.000-05:00
resolve_redirect() follows HTTP redirects to determine the latest release tag, but never validated that the final URL still pointed to the expected GitHub repository. A compromised CDN, DNS poisoning, or an open redirect could cause the installer to extract a version tag from — and subsequently download binaries from — an attacker-controlled origin. Add origin validation: reject resolved URLs that don't match https://github.com/NVIDIA/OpenShell/*. Also cap redirect depth in download() to 5 as defense-in-depth. Closes #638
diff --git a/install.sh b/install.sh
@@ -87,27 +87,38 @@ check_downloader() {
 }
 
 # Download a URL to a file. Outputs nothing on success.
+# Limits redirects to prevent open-redirect abuse from download URLs.
 download() {
   _url="$1"
   _output="$2"
 
   if has_cmd curl; then
-    curl -fLsS --retry 3 -o "$_output" "$_url"
+    curl -fLsS --retry 3 --max-redirs 5 -o "$_output" "$_url"
   elif has_cmd wget; then
-    wget -q --tries=3 -O "$_output" "$_url"
+    wget -q --tries=3 --max-redirect=5 -O "$_output" "$_url"
   fi
 }
 
 # Follow a URL and print the final resolved URL (for detecting redirect targets).
+# Validates that the final URL is still within the expected GitHub origin to
+# prevent redirect-based attacks (e.g., compromised CDN or DNS poisoning).
 resolve_redirect() {
   _url="$1"
 
   if has_cmd curl; then
-    curl -fLsS -o /dev/null -w '%{url_effective}' "$_url"
+    _resolved_url="$(curl -fLsS -o /dev/null -w '%{url_effective}' "$_url")"
   elif has_cmd wget; then
     # wget --spider follows redirects; capture the final Location from stderr
-    wget --spider --max-redirect=10 "$_url" 2>&1 | sed -n 's/^.*Location: \([^ ]*\).*/\1/p' | tail -1
+    _resolved_url="$(wget --spider --max-redirect=10 "$_url" 2>&1 | sed -n 's/^.*Location: \([^ ]*\).*/\1/p' | tail -1)"
   fi
+
+  # Verify the final URL points to the expected GitHub repository.
+  case "$_resolved_url" in
+    https://github.com/${REPO}/*) ;;
+    *) error "redirect resolved to unexpected origin: ${_resolved_url} (expected https://github.com/${REPO}/...)" ;;
+  esac
+
+  echo "$_resolved_url"
 }
 
 # ---------------------------------------------------------------------------
