GitHub Action evaluates curl's output
Avoid directly evaluating the output of a curl command: the script runs with the workflow's permissions before anyone has had a chance to look at what was actually served. Where possible, download the script to a file first and verify its integrity by comparing its SHA-256 digest to a known, pinned value, so that an unexpected change to the script (on the server or in transit) is detected and the script is not executed.
Examples
Insecure Example
eval "$(curl https://example.com/install.sh)"
Secure Example
curl https://example.com/install.sh > install.sh
echo "af986793a51... install.sh" | sha256sum --check && source install.sh
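The secure pattern above, carried through as a reusable shell helper. This is an added example, not code from the rule page: it downloads to a temporary file, refuses to run anything whose digest does not match the pinned value (and deletes the unverified file), and rejects a malformed pin up front. The URL and the pinned digest at the bottom are placeholders.

```shell
#!/bin/sh
# Added example (not the original page's code): fetch an install script,
# verify it against a pinned SHA-256 digest, and only then execute it.

# verify_sha256 FILE EXPECTED_HEX -> 0 if FILE's SHA-256 equals EXPECTED_HEX,
# 1 on mismatch, 2 if the pin itself is malformed.
verify_sha256() {
    file=$1
    expected=$2
    # Reject a malformed pin early with a clear message; sha256sum --check
    # would also fail, but only with "no properly formatted checksum lines".
    case "$expected" in
        *[!0-9a-fA-F]*|'') echo "verify_sha256: pin is not hex" >&2; return 2 ;;
    esac
    if [ "${#expected}" -ne 64 ]; then
        echo "verify_sha256: pin must be 64 hex characters" >&2; return 2
    fi
    # Two spaces between digest and file name is the checksum-file format
    # sha256sum itself writes; --status keeps it quiet, the exit code remains.
    printf '%s  %s\n' "$expected" "$file" | sha256sum --check --status
}

# run_pinned_script URL EXPECTED_HEX: download to a temp file, verify, run.
# curl -f fails on HTTP errors instead of saving the error page, so an error
# page can never be what gets hashed (or, on a missing check, executed).
run_pinned_script() {
    url=$1
    expected=$2
    tmp=$(mktemp) || return 1
    if ! curl -fsSL --proto '=https' -o "$tmp" "$url"; then
        rm -f "$tmp"; echo "download failed: $url" >&2; return 1
    fi
    if ! verify_sha256 "$tmp" "$expected"; then
        rm -f "$tmp"   # never leave an unverified script behind to be run later
        echo "digest mismatch for $url; refusing to run" >&2
        return 1
    fi
    sh "$tmp"; rc=$?
    rm -f "$tmp"
    return $rc
}

# Placeholder values: replace with the real URL and the digest you recorded
# when you last reviewed the script.
# run_pinned_script "https://example.com/install.sh" "<PINNED_SHA256_HEX>"
```

When the upstream script legitimately changes, the pinned digest has to be updated deliberately in the workflow, which is exactly the review step the direct eval skips.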