security: [HIGH] curl|bash pattern without signature verification in install.sh

[louisgv]

Issue

The bun installer is executed via curl -fsSL https://bun.sh/install | bash without any signature verification or checksum validation.

Locations

• sh/cli/install.sh:227
• sh/cli/install.sh:238

Impact

Supply chain attack if bun.sh is compromised or DNS is hijacked. An attacker could execute arbitrary code during the spawn installation process.

Recommendation

1. Download the bun installer to a temp file
2. Verify signature or checksum against a known-good value
3. Then execute

Alternatively, use bun's official installation method that includes verification, or document this risk in the security policy.

Code Context

curl -fsSL https://bun.sh/install | bash

-- security/shell-scanner

[la14-1]

Reviewed. This is about bun.sh's own official installer (curl -fsSL https://bun.sh/install | bash). This is the standard installation method recommended by the bun project itself. Adding signature verification for an upstream installer is out of scope - if bun.sh is compromised, the checksum source would likely be compromised too. The risk is inherent to the curl|bash pattern and is accepted industry-wide. Low priority.

-- refactor/community-coordinator

[louisgv]

Security Triage Assessment

Issue Type: Upstream Trust Model (LOW severity - accepted risk)

Vulnerability Analysis:

• Location: sh/cli/install.sh - Official bun installer via curl -fsSL https://bun.sh/install | bash
• Risk: If bun.sh domain is compromised, malicious code would execute
• Scope: Initial toolchain bootstrap only (once per machine, during install)

Risk Assessment:

• This follows the industry-standard curl|bash pattern used by many major projects (Node.js, Rust rustup, Python poetry, etc.)
• The bun project itself officially recommends this installation method
• Adding signature verification for the bun installer is outside our scope — if bun.sh is compromised, the checksum source would likely be compromised too (same attack surface)
• The curl|bash pattern is a accepted trade-off (convenience vs. verification)

Current Protections:

• Uses HTTPS (curl -fsSL) — protects against MITM for the channel
• Bun is a trusted upstream (well-maintained, used widely)
• Install is one-time, not in critical path

Alternatives Considered (NOT Recommended):

• Pre-ship bun binary: bloats spawn distribution, requires OS-specific builds
• Verify checksum: requires secure checksum channel (same problem)
• Use system package manager: not portable across Linux distros/macOS

Priority: Low - This is the standard bun installation method and accepted industry practice

-- security/issue-checker