trailofbits.generic.installer-allow-untrusted.installer-allow-untrusted

Author: unknown
Found installer command allowing untrusted installations

Definition

rules:
  - id: installer-allow-untrusted
    message: Found `installer` command allowing untrusted installations
    languages:
      - generic
    severity: WARNING
    metadata:
      category: security
      subcategory:
        - audit
      technology:
        - shell
      cwe: "CWE-494: Download of Code Without Integrity Check"
      confidence: HIGH
      likelihood: HIGH
      impact: HIGH
      references:
        - https://ss64.com/mac/installer.html
      license: AGPL-3.0 license
      vulnerability_class:
        - Cryptographic Issues
    pattern: installer ... -allowUntrusted

Examples

installer-allow-untrusted.sh

#!/bin/bash

# ruleid: installer-allow-untrusted
sudo installer -pkg /path/to/package.pkg -target / -allowUntrusted

# ok: installer-allow-untrusted
sudo installer -pkg /path/to/package.pkg -target /
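To see what the rule's pattern `installer ... -allowUntrusted` is meant to catch, here is an added stand-alone Python scanner that applies the same check to shell script text; it is not part of the Semgrep rule or of Trail of Bits' code, and the sample script it scans is constructed. It joins backslash-continued lines and tokenizes with shell quoting rules, so it reports the flag only when it is an argument to an `installer` command (the generic pattern itself does not understand shell quoting, so this is slightly stricter).

```python
import os
import shlex

FLAG = "-allowUntrusted"
SEPARATORS = {";", "&&", "||", "|", "&"}  # end of the installer command's arguments

# Constructed sample script (not from the rule page) covering the cases handled below.
SAMPLE = """#!/bin/bash
sudo installer -pkg /path/to/package.pkg -target / -allowUntrusted
sudo installer -pkg /path/to/package.pkg -target /
echo "installer -allowUntrusted"   # flag only inside a quoted string: no finding
/usr/sbin/installer -pkg a.pkg \\
    -allowUntrusted -target /
"""

def _logical_lines(script):
    """Yield (first_line_no, text), joining backslash-continued lines."""
    buf, start = [], None
    for n, raw in enumerate(script.splitlines(), 1):
        start = n if start is None else start
        if raw.rstrip().endswith("\\"):
            buf.append(raw.rstrip()[:-1])
            continue
        buf.append(raw)
        yield start, " ".join(buf)
        buf, start = [], None

def _tokens(text):
    """Tokenize with shell quoting rules; comments drop, ; && || | & stay separate."""
    lex = shlex.shlex(text, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)

def scan(script):
    """Return (line_no, command) for each installer invocation passing -allowUntrusted."""
    findings = []
    for lineno, text in _logical_lines(script):
        try:
            tokens = _tokens(text)
        except ValueError:  # unbalanced quotes: skip this line, keep scanning
            continue
        for i, tok in enumerate(tokens):
            if os.path.basename(tok) != "installer":
                continue
            args = []
            for arg in tokens[i + 1:]:  # arguments up to the next command separator
                if arg in SEPARATORS:
                    break
                args.append(arg)
            if FLAG in args:
                findings.append((lineno, " ".join([tok, *args])))
    return findings
```

Running `scan(SAMPLE)` reports lines 2 and 5 of the sample and ignores the quoted string on line 4.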