this post was submitted on 18 Oct 2023
14 points (93.8% liked)

General Programming Discussion

7796 readers
7 users here now

A general programming discussion community.

Rules:

  1. Be civil.
  2. Please start discussions that spark conversation

Other communities

Systems

Functional Programming

Also related

founded 5 years ago
MODERATORS
[email protected]
[email protected]
14
How to audit a shell-completion script? (lemmy.ml)
submitted 1 year ago by [email protected] to c/[email protected]
5 comments fedilink hide all child comments
 

I just stumbled upon a collection of bash completions which can be quite handy: https://github.com/perlpunk/shell-completions

I tried mojo, cpan and pip completions in a sandbox and they worked like a charm!

The only question I've got is, has anyone ever done a security audit of the repository? Anyone has taken the time to look at the code? I could try auditing but I'm not even sure what to look for.

I feel quite wary of letting an unknown source access to my bash session and what I type.

top 5 comments
sorted by: hot top controversial new old
[–] [email protected] 3 points 1 year ago (1 children)

The mojo, cpan and pip bash scripts don't fail my test of "skimming over the source and looking for dangerous external commands like curl or rm" (good syntax highlighting is helpful here). They look like typical completion scripts. However, if your Linux distribution has a pip completion script in their repos, prefer that one.

[–] [email protected] 1 points 1 year ago

Thanks. At least I've got a few clues to look for when auditing such code.

[–] CameronDev 1 points 1 year ago

The majority of software is not security audited.

It is an expensive process, that requires significant skill and training.

Best bet is to look for any obviously encoded blobs or urls. But a good malware developer should be able to hide their malicious code far better than that.

[–] [email protected] 1 points 1 year ago (1 children)

Auditing is nothing more than reading the code. Give it a read and make sure you understand everything it’s doing.

This is a great lesson on trust as well. I can tell you I did an audit and it all looks good but does that really have any value?

[–] [email protected] 1 points 1 year ago

Agree w/ you re trust.