Closed
Labels
in-progress (Issue is being actively worked on), safe-to-work (Security triage: safe for automated processing), security (Security vulnerabilities and concerns)
Description
Severity
HIGH
Location
sh/cli/install.sh, lines 114-132
Issue
The script resolves the bun binary path using `command -v bun` without validation, then symlinks it to `/usr/local/bin/bun` with sudo:

```sh
bun_path="$(command -v bun 2>/dev/null || true)"
if [ "$spawn_in_path" = false ]; then
    # ... various sudo symlink operations using $bun_path ...
    sudo ln -sf "$bun_path" /usr/local/bin/bun 2>/dev/null || true
fi
```

Attack Scenario
If an attacker controls the user's PATH environment variable (e.g., via a compromised .bashrc or through a previous attack), they can:
- Place a malicious `bun` binary in a directory early in PATH
- The install script will resolve to the malicious binary
- The script will symlink the malicious binary to `/usr/local/bin/bun` with sudo
- All future invocations of `bun` (including by spawn itself) will execute the malicious code with elevated privileges
Recommendation
Before symlinking, validate that the bun binary:
- Is located in an expected directory (e.g., `~/.bun/bin/`, `/usr/local/bin/`)
- Has a valid signature or checksum
- Is owned by root or the current user (not a random user)
Example:

```sh
bun_path="$(command -v bun 2>/dev/null || true)"
case "$bun_path" in
    "$HOME/.bun/bin/bun"|/usr/local/bin/bun)
        # OK - expected location
        ;;
    *)
        log_warn "bun found at unexpected location: $bun_path"
        bun_path=""
        ;;
esac
```

Impact
Privilege escalation if an attacker can control the user's PATH before the install script runs.
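A fuller form of the check recommended above, written as an added example rather than code from the spawn repository: it resolves symlinks before matching the allow list, then applies the ownership check and also rejects group- or world-writable binaries. It assumes Linux with GNU coreutils (`readlink -f`, `stat -c`); the allowed locations are the two suggested in the recommendation.

```sh
#!/bin/sh
# Added example, not code from the spawn repository: a stricter version of the
# recommended check, run before any "sudo ln -sf" of the resolved bun path.
# Assumes Linux with GNU coreutils (readlink -f, stat -c). Returns 0 when the
# candidate is acceptable, 1 otherwise.
validate_bun_path() {
    candidate="$1"
    [ -n "$candidate" ] || return 1
    # Resolve symlinks so a link sitting in an allowed directory but pointing
    # somewhere else is judged by its real target.
    resolved="$(readlink -f -- "$candidate" 2>/dev/null)" || return 1
    [ -f "$resolved" ] && [ -x "$resolved" ] || return 1
    # Exact-path allow list; $HOME is resolved too in case it is a symlink.
    home_bun="$(readlink -f -- "$HOME" 2>/dev/null)/.bun/bin/bun"
    case "$resolved" in
        "$home_bun"|/usr/local/bin/bun) ;;
        *) return 1 ;;
    esac
    # Owner must be root or the invoking user.
    owner_uid="$(stat -c %u -- "$resolved" 2>/dev/null)" || return 1
    [ "$owner_uid" = 0 ] || [ "$owner_uid" = "$(id -u)" ] || return 1
    # Reject group- or world-writable binaries: anyone with write access could
    # replace the contents after this check but before the symlink is created.
    mode="$(stat -c %a -- "$resolved" 2>/dev/null)" || return 1
    case "$mode" in
        *[2367]|*[2367]?) return 1 ;;
    esac
    return 0
}

# Usage mirroring the install script: only an accepted path is symlinked.
bun_path="$(command -v bun 2>/dev/null || true)"
if validate_bun_path "$bun_path"; then
    echo "bun accepted at: $bun_path"
else
    echo "bun not found at a trusted location; skipping /usr/local/bin symlink" >&2
    bun_path=""
fi
```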