replace verified setup as it is vulnerable to backdooring

[Lunarequest]

Select Topic Area

Feedback

Body

Background

Currently the verified loader on the wiki is this

local cs_ok='7fab1ecb8d2ffbdb4aa98dd1e51cebaeaa4d8137e1de11938f3e0df24af262bb'
local cs_get=$(sha256sum <(curl -sL init.zshell.dev) | awk '{print $1}')
[[ $cs_ok == $cs_get ]] && { source <(curl -sL init.zshell.dev); zzinit; } || {
  print -P "%F{160}▓▒░ Houston, we have a problem, the %F{226}$cs_get%F{160} do not match\!%f%b"; return 1
}
unset cs_ok cs_get

This however while it looks safe, is more dangerous than the non verified setup. Now you may ask, why is it more dangerous? The answer is very simple. 2 very quick curls happen. The first one is done to check the sha256sum. Then in quick succession we have a another call to curl, that is not verified. A server does not need to in any world return the same content in quick succession.

Theoretically the web server could do the following, Upon the first curl to init.zshell.dev return a redirect to github as intended. However if the request from the same ip occurs in a very short amount of time, return a backdoored version of zi-shell. This could also be extended to allow multiple requests in a day from the same ip and hence every time you open a new shell, a backdoor being implanted.

Other issues include the curl using http which is possible to Man in the middle. This is straightforward to fix so I am not going to dive into it further

Solution

The solution is simple. Avoid using curl as much as possible and we using it, enforce https. My solution is the following.

ocal cs_ok='23a563e80249a866c7cba3ac44eaedb1ca38f20c35690fb764a7cb75e95d38be'
local temp_file="/tmp/init_zshell_temp"
local curl_fail=false

fallback() {
  if [[ -s $temp_file ]]; then
    rm $temp_file
  fi
  typeset -Ag ZI
  typeset -x ZI[HOME_DIR]="${HOME}/.zi" 
  typeset -x ZI[BIN_DIR]="${ZI[HOME_DIR]}/bin"
  source "${ZI[BIN_DIR]}/zi.zsh"
}

if [[ ! -s $temp_file ]]; then
    curl -sL https://init.zshell.dev -o $temp_file || {
        print -P "%F{160}▓▒░ Houston, we have a problem. Could not download zi-init, falling back to local copy\!%f%b";
        curl_fail=true
    }
fi

if [ $curl_fail = false ]; then
    local cs_get=$(sha256sum $temp_file | awk '{print $1}')
    if [[ $cs_ok == $cs_get ]]; then
        source $temp_file; zzinit;
    else
        print -P "%F{160}▓▒░ Houston, we have a problem. The sha256sum %F{226}$cs_get%F{160} does not match, falling back to local copy\!%f%b";
        rm $temp_file
        fallback
    fi
else
  fallback
fi

unset cs_ok cs_get temp_file curl_fail

we save the curl output to /tmp essentially caching zi between reboots. Along with this I have made a change to fall back to the local zi install, as say if your network is down/extremely slow or you aren't connected to the internet return 1 effectively locks your out of terminals.

Code of Conduct

• I agree to follow this project's Code of Conduct

[ss-o]

Hi @Lunarequest 👋

I like the idea, I will update you on this ASAP.

[Lunarequest]

@ss-o I opened a pr with the changes required to the wiki can you please merge it z-shell/wiki#573

[meinzer1899]

@ss-o The merge request (z-shell/wiki#573) has not been merged. This topic seems quite important, doesn't it?

[Lunarequest]

this is a important issue, I was quite taken aback when @ss-o after the initial response ignored everything. While I find this to be extremely convenient to use I've more and more been looking into migrating away

• due to the poor security practices.
• the lack of transparency(project being a fork and no acknowledgement of the same)
• ignoring discourse about the weird seo online
• just ignoring the pr until it went stale.

Moving forward, I would request that members from the community be allowed to take control of the project. As far as I can tell @ss-o is the only person who actively merges things. The name of the project be changed to distinguish this project more from zsh and finally acknowledge that this is a fork of a project. This is a wonderful set of zsh tools and it as it stands in the rest of the zsh world it has a bad reputation. Lets fix it.

[meinzer1899]

I have also the opinion, that @ss-o manages quite a lot and keeps the project running. It does not need to be a one man show; I personally would love to have you in a place where you can contribute more to the project.

Recently, I got invited from @ss-o to https://github.com/orgs/z-shell/people. With this, I can also review merge requests. I have limited spare time, but I would like to look at z-shell/wiki#573. Can you please reopen it or create another merge request?

@ss-o I would like to have @Lunarequest in the z-shell core team. What do you think?

[Lunarequest]

Sorry I couldn't comment on this before. I was given a invite to the core team. Between university and work I don't have the free time to give the commitment I would like for to be added as a member of the org