trailofbits.generic.installer-allow-untrusted.installer-allow-untrusted
trailofbits
Author
unknown
Found `installer` command allowing untrusted installations
Definition
rules:
- id: installer-allow-untrusted
  message: Found `installer` command allowing untrusted installations
  languages:
  - generic
  severity: WARNING
  metadata:
    category: security
    subcategory:
    - audit
    technology:
    - shell
    cwe: "CWE-494: Download of Code Without Integrity Check"
    confidence: HIGH
    likelihood: HIGH
    impact: HIGH
    references:
    - https://ss64.com/mac/installer.html
    license: AGPL-3.0 license
    vulnerability_class:
    - Cryptographic Issues
  pattern: installer ... -allowUntrusted
Examples
installer-allow-untrusted.sh
#!/bin/bash
# -allowUntrusted tells macOS `installer` to accept a package even when its
# signing certificate is not trusted, so the package's integrity is not checked.
# ruleid: installer-allow-untrusted
sudo installer -pkg /path/to/package.pkg -target / -allowUntrusted
# Without the flag, installer rejects packages whose signing certificate is
# not trusted, so this invocation is not flagged.
# ok: installer-allow-untrusted
sudo installer -pkg /path/to/package.pkg -target /
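As an added example (not part of the rule above or of Trail of Bits' code), the following POSIX shell script approximates the rule's `installer ... -allowUntrusted` pattern with `grep`, so it can be run where Semgrep is not installed, for instance inside a CI step that checks packaging scripts. It deliberately skips lines that are entirely a shell comment, which the generic-mode rule as written does not do. The function names, the temporary-file helper and the sample script it scans are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: grep-based approximation of the Semgrep rule
# installer-allow-untrusted. Not part of the rule or of Trail of Bits' code.

# Print "lineno:line" for every non-comment line that runs `installer`
# with the -allowUntrusted flag. Exit status 0 if at least one line was
# reported, 1 otherwise (grep's own convention).
scan_allow_untrusted() {
    file="$1"
    # First grep numbers the matching lines; the second drops lines whose
    # first non-blank character is '#', so commented-out commands are ignored
    # (a choice this example makes; the generic-mode rule does not).
    grep -nE '(^|[^[:alnum:]_./-])installer[[:space:]].*[[:space:]]-allowUntrusted([[:space:]]|$)' "$file" \
        | grep -vE '^[0-9]+:[[:space:]]*#'
}

# Number of flagged lines in a file, as a bare integer.
count_allow_untrusted() {
    scan_allow_untrusted "$1" | wc -l | tr -d ' '
}

# Write a constructed sample script (assumption: not a real build script)
# to a temporary file and print its path.
write_sample() {
    sample=$(mktemp "${TMPDIR:-/tmp}/installer-sample.XXXXXX") || return 1
    cat >"$sample" <<'EOF'
#!/bin/bash
# A commented-out install is skipped by this example scanner:
# sudo installer -pkg /tmp/old.pkg -target / -allowUntrusted
sudo installer -pkg /path/to/package.pkg -target / -allowUntrusted
installer -pkg /tmp/tool.pkg -target CurrentUserHomeDirectory -allowUntrusted -verbose
sudo installer -pkg /path/to/package.pkg -target /
pkgutil --check-signature /path/to/package.pkg
EOF
    printf '%s\n' "$sample"
}

# Stand-alone run: scan the constructed sample and report the hits.
sample=$(write_sample)
scan_allow_untrusted "$sample" || echo "no untrusted installs found"
rm -f "$sample"
```

On the constructed sample the scanner reports the two uncommented `installer` invocations (lines 4 and 5) and leaves the commented-out line, the plain `installer` call without the flag, and the `pkgutil --check-signature` call alone. A CI job can fail the build when `count_allow_untrusted` prints anything other than 0.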
Short Link: https://sg.run/zdLlk