jbang: Running a script hosted in an untrusted url fails to read user choice when using `curl -sh https://sh.jbang.dev`
I think the problem is quite known in any shell. If you pipe a shell script for the shell to execute it then the shell won’t be able to read input from the user:
```
$ curl -sL https://sh.jbang.dev | bash -s -- https://github.com/mperezi/java-cli/blob/master/SendSms.java
[jbang] https://github.com/mperezi/java-cli/blob/master/SendSms.java is not from a trusted source thus not running it automatically.
If you trust the url to be safe to run you can do one of the following:
0) Trust once: Add no trust, just run this time
1) Trust this url in future:
jbang trust add https://github.com/mperezi/java-cli/
Any other response will result in exit.
[jbang] Type in your choice (0 or 1) and hit enter. Times out after 10 seconds.
[jbang] [ERROR] Could not parse answer as a number. Aborting
[jbang] [ERROR] https://github.com/mperezi/java-cli/blob/master/SendSms.java is not from a trusted source and user did not confirm trust thus aborting.
```
The problem can be spotted in the following line:
```
[jbang] [ERROR] Could not parse answer as a number. Aborting
```
Do you think it would be a good idea to provide a flag `--trust-once` to avoid this edge case?
About this issue
- State: open
- Created 4 years ago
- Reactions: 1
- Comments: 16 (8 by maintainers)
I do think he has a point though. For most people, if they use a `curl` command it’s probably because they don’t have Jbang installed. So that means that the command we show doesn’t actually work for people that haven’t already set the trust previously 😕
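The stdin behaviour described in the issue above can be reproduced offline with the following added example, which is not code from the issue or from jbang. `ask_trust`, `run_piped` and `run_with_answer` are hypothetical names, and the prompt is a constructed stand-in that only mimics "read a number or abort".

```shell
#!/bin/sh
# Constructed stand-in for a tool that asks a trust question on stdin.
# It is not jbang's code; it only mimics "accept 0, otherwise abort".
ask_trust='
printf "Type in your choice (0 or 1): " >&2
if [ -t 0 ]; then src=terminal; else src=not-a-terminal; fi
if read -r choice && [ "$choice" = 0 ]; then
  echo "stdin=$src result=run-once"
else
  echo "stdin=$src result=abort"
fi'

# Case 1: the script itself arrives on stdin, as in `curl ... | bash -s`.
# Once the shell has consumed the script, the pipe is at EOF, so `read`
# fails and the prompt aborts without ever seeing the keyboard.
run_piped() {
  printf '%s\n' "$ask_trust" | sh -s
}

# Case 2: the script is passed as an argument, so stdin is free to carry
# the answer. A pipe stands in for the keyboard so this runs unattended.
run_with_answer() {
  printf '%s\n' "$1" | sh -c "$ask_trust"
}

run_piped                 # aborts: nothing left on stdin to answer with
run_with_answer 0         # accepted: the answer reached the prompt
run_with_answer garbage   # aborts: any unparsable answer is refused
```

In both failing cases the prompt refuses to run the untrusted code, so the check fails closed; what is missing in the piped case is only a way for the user to state the trust decision explicitly.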