Skip to content

fix(install): validate redirect URL origin before trusting resolved version#662

Open
latenighthackathon wants to merge 1 commit intoNVIDIA:mainfrom
latenighthackathon:sec/install-validate-redirect-origin
Open

fix(install): validate redirect URL origin before trusting resolved version#662
latenighthackathon wants to merge 1 commit intoNVIDIA:mainfrom
latenighthackathon:sec/install-validate-redirect-origin

Conversation

@latenighthackathon
Copy link
Copy Markdown
Contributor

@latenighthackathon latenighthackathon commented Mar 29, 2026

Summary

  • resolve_redirect() follows HTTP redirects to determine the latest release tag but never validated the final URL origin
  • A compromised CDN, DNS poisoning, or open redirect could cause the installer to download binaries from an attacker-controlled server
  • Added origin validation: resolved URLs must match https://github.com/NVIDIA/OpenShell/* or the installer aborts
  • Also capped redirect depth in download() to 5 as defense-in-depth

Test plan

  • Run install.sh normally — verify latest version resolves and installs correctly
  • Set OPENSHELL_VERSION explicitly — verify resolve_redirect is skipped (existing behavior)
  • Test with a mock redirect to a non-GitHub URL — verify the installer aborts with a clear error message

Closes #638

I have read the DCO document and I hereby sign the DCO.

@latenighthackathon
fix(install): validate redirect URL origin before trusting resolved v…
2549e46 
…ersion

resolve_redirect() follows HTTP redirects to determine the latest
release tag, but never validated that the final URL still pointed to
the expected GitHub repository. A compromised CDN, DNS poisoning, or
an open redirect could cause the installer to extract a version tag
from — and subsequently download binaries from — an attacker-controlled
origin.

Add origin validation: reject resolved URLs that don't match
https://github.com/NVIDIA/OpenShell/*. Also cap redirect depth
in download() to 5 as defense-in-depth.

Closes NVIDIA#638

Signed-off-by: latenighthackathon <latenighthackathon@users.noreply.github.com>
@latenighthackathon latenighthackathon requested a review from a team as a code owner March 29, 2026 22:41
@github-actions
Copy link
Copy Markdown

github-actions bot commented Mar 29, 2026
edited
Loading

All contributors have signed the DCO ✍️ ✅
Posted by the DCO Assistant Lite bot.

@latenighthackathon
Copy link
Copy Markdown
Contributor Author

latenighthackathon commented Mar 29, 2026

I have read the DCO document and I hereby sign the DCO.

@drew drew self-assigned this Mar 30, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@drew drew

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

sec(install): install.sh follows redirects without validating final URL origin

2 participants

@latenighthackathon @drew