GitHub Action evaluates curl's output

Avoid directly evaluating the output of a curl command: eval "$(curl ...)" executes whatever the server returns, so any change to the hosted script, expected or not, runs unreviewed inside the workflow. Where possible, download the script to a file first and verify its integrity by comparing its digest to a known value (obtained out of band, for example from the publisher's release notes) so that an unexpected change to the script is detected and the script is not executed.

Examples

Insecure Example

eval "$(curl https://example.com/install.sh)"

Secure Example

curl https://example.com/install.sh > install.sh
echo "af986793a51...  install.sh" | sha256sum --check && source install.sh
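The pattern above, written out as reusable shell functions. This is an added example, not part of the original rule page: it assumes GNU coreutils sha256sum is available, the fetch_script helper wraps curl and is not exercised offline, and the demo writes a constructed local install.sh in place of a real download, pins its digest, then shows that a modified copy is refused rather than sourced.

```shell
#!/usr/bin/env sh
# Added example: download a script, verify its SHA-256 against a pinned value,
# and only then source it. A digest mismatch means nothing from the file runs.

# fetch_script URL DEST
# Downloads URL to DEST, failing on HTTP errors instead of saving an error page.
# (Assumed helper wrapping curl; the offline demo below does not call it.)
fetch_script() {
    curl --fail --silent --show-error --location "$1" --output "$2"
}

# verify_digest FILE EXPECTED_SHA256
# Returns 0 only if FILE's SHA-256 equals EXPECTED_SHA256, the value pinned in
# the workflow. Comparing the bare digest avoids any dependence on the exact
# "digest  filename" formatting that sha256sum --check expects.
verify_digest() {
    file=$1
    expected=$2
    actual=$(sha256sum "$file" | cut -d ' ' -f 1)
    [ "$actual" = "$expected" ]
}

# run_verified FILE EXPECTED_SHA256
# Sources FILE in the current shell after verify_digest succeeds; otherwise
# reports the mismatch and returns 1 without executing anything from FILE.
run_verified() {
    if verify_digest "$1" "$2"; then
        # shellcheck disable=SC1090
        . "$1"
    else
        echo "digest mismatch for $1: refusing to execute" >&2
        return 1
    fi
}

# demo
# Constructed scenario: a local stand-in for the downloaded script is pinned,
# executed once, then altered to mimic an unexpected server-side change and
# shown to be rejected. Returns 0 when both outcomes are as expected.
demo() {
    workdir=$(mktemp -d)
    printf '%s\n' 'installed_ok=yes' > "$workdir/install.sh"
    pinned=$(sha256sum "$workdir/install.sh" | cut -d ' ' -f 1)

    # Untampered copy: digest matches, script is sourced and sets installed_ok.
    run_verified "$workdir/install.sh" "$pinned" || return 1
    [ "$installed_ok" = "yes" ] || return 1

    # Altered copy: digest no longer matches, so run_verified must fail.
    printf '%s\n' 'installed_ok=tampered' >> "$workdir/install.sh"
    if run_verified "$workdir/install.sh" "$pinned"; then
        return 1
    fi
    [ "$installed_ok" = "yes" ] || return 1

    rm -rf "$workdir"
    return 0
}

demo && echo "pinned script executed; modified copy rejected"
```

In a workflow step, the pinned digest belongs in the workflow file itself (or a checked-in checksum file), not in anything fetched at run time, since a digest downloaded alongside the script offers no protection against the script changing.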