Programming

423 readers

4 users here now

Welcome to the main community in programming.dev! Feel free to post anything relating to programming here!

Cross posting is strongly encouraged in the instance. If you feel your post or another person's post makes sense in another community cross post into it.

Hope you enjoy the instance!

Rules

Follow the programming.dev instance rules
Keep content related to programming in some way
If you're posting long videos try to add in some form of tldr for those who don't want to watch videos

Wormhole

Follow the wormhole through a path of communities !webdev@programming.dev

founded 1 year ago

MODERATORS

snowe@programming.dev

Ategon@programming.dev

MaungaHikoi@lemmy.nz

146

Amber - the programming language compiled to Bash (amber-lang.com)

submitted 6 months ago by syd@lemy.lol to c/programming@programming.dev

58 comments fedilink hide all child comments

New favorite tool 😍

you are viewing a single comment's thread
view the rest of the comments

[–] thingsiplay 62 points 6 months ago* (last edited 6 months ago) (15 children)

Basically another shell scripting language. But unlike most other languages like Csh or Fish, it can compile back to Bash. At the moment I am bit conflicted, but the thing it can compile back to Bash is what is very interesting. I'll keep an eye on this. But it makes the produced Bash code a bit less readable than a handwritten one, if that is the end goal.

curl -s "https://raw.githubusercontent.com/Ph0enixKM/AmberNative/master/setup/install.sh" | $(echo /bin/bash)

I wish this nonsense of piping a shell script from the internet directly into Bash would stop. It's a bad idea, because of security concerns. This install.sh script eval and will even run curl itself to download amber and install it from this url

url="https://github.com/Ph0enixKM/${__0_name}/releases/download/${__2_tag}/amber_${os}_${arch}" ... echo "Please make sure that root user can access /opt directory.";

And all of this while requiring root access.

I am not a fan of this kind of distribution and installation. Why not provide a normal manual installation process and link to the projects releases page: https://github.com/Ph0enixKM/Amber/releases BTW its a Rust application. So one could build it with Cargo, for those who have it installed.

[–] FizzyOrange@programming.dev 9 points 6 months ago (12 children)

I wish this nonsense of piping a shell script from the internet directly into Bash would stop. It’s a bad idea, because of security concerns.

I would encourage you to actually think about whether or not this is really true, rather than just parroting what other people say.

See if you can think of an exploit I perform if you pipe my install script to bash, but I can't do it you download a tarball of my program and run it.

while requiring root access

Again, think of an exploit I can do it you give me root, but I can't do if you run my program without root.

(Though I agree in this case it is stupid that it has to be installed in /opt; it should definitely install to your home dir like most modern languages - Go, Rust, etc.)

[–] tgt@programming.dev 12 points 6 months ago* (last edited 6 months ago) (1 children)

It is absolutely possible to know as the server serving a bash script if it is being piped into bash or not purely by the timing of the downloaded chunks. A server could halfway through start serving a different file if it detected that it is being run directly. This is not a theoretical situation, by the way, this has been done. At least when downloading the script first you know what you'll be running. Same for a source tarball. That's my main gripe with this piping stuff. It assumes you don't even care about the security.

[–] FizzyOrange@programming.dev 1 points 6 months ago* (last edited 6 months ago)

That makes the exploit less detectable sure. Not fundamentally less secure though.

This is not a theoretical situation, by the way, this has been done

Link btw? I have not heard of an actual attack using this.

load more comments (10 replies)

load more comments (12 replies)