Programming

17349 readers

318 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Follow the programming.dev instance rules
Keep content related to programming in some way
If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities [email protected]

founded 1 year ago

MODERATORS

[email protected]

203

Amber - the programming language compiled to Bash (amber-lang.com)

submitted 5 months ago by [email protected] to c/[email protected]

92 comments fedilink hide all child comments

New favorite tool 😍

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 11 points 5 months ago* (last edited 5 months ago) (1 children)

It is absolutely possible to know as the server serving a bash script if it is being piped into bash or not purely by the timing of the downloaded chunks. A server could halfway through start serving a different file if it detected that it is being run directly. This is not a theoretical situation, by the way, this has been done. At least when downloading the script first you know what you'll be running. Same for a source tarball. That's my main gripe with this piping stuff. It assumes you don't even care about the security.

[–] [email protected] -5 points 5 months ago* (last edited 5 months ago)

That makes the exploit less detectable sure. Not fundamentally less secure though.

This is not a theoretical situation, by the way, this has been done

Link btw? I have not heard of an actual attack using this.