Location: utils/setup_kustomize.sh:7 (5stack-panel)
What: When the bundled kustomize binary is missing or non-executable, setup_kustomize() runs curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" | bash with no version pin (the mutable master ref), no checksum, and no signature verification. The output is executed immediately as the user running install.sh, which check_sudo forces to be root. This contrasts with install_ingress_nginx.sh, which correctly pins controller-v1.13.2.
Impact: setup_kustomize is invoked from setup-env.sh at the start of install.sh/update.sh. If the kustomize master branch is tampered with (compromised upstream, or a transient MITM on the download), the fetched script runs arbitrary code as root on the install host. Because it tracks master, the content executed is whatever HEAD happens to be at install time, so runs are not reproducible.
Suggested fix: Pin the installer to a released tag (e.g. .../kustomize/kustomize/vX.Y.Z/hack/install_kustomize.sh) and verify a known SHA256 of the downloaded script or the resulting binary before executing it.
Verifier evidence
utils/setup_kustomize.sh:4 if ! [ -f "$(dirname "$0")/kustomize" ] || ! [ -x "$(dirname "$0")/kustomize" ]; utils/setup_kustomize.sh:7 curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" | bash; utils/setup-env.sh:22 setup_kustomize; utils/check_sudo.sh:4-6 if [ "$EUID" -ne 0 ]; then / echo "Please run as root or with sudo" / exit 1; contrast utils/install_ingress_nginx.sh:9 pins controller-v1.13.2.
Found by the 2026-07 multi-agent code audit; adversarially verified (CONFIRMED, P2). One of a batch of findings from that pass.
Location:
utils/setup_kustomize.sh:7(5stack-panel)What: When the bundled kustomize binary is missing or non-executable, setup_kustomize() runs
curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" | bashwith no version pin (the mutablemasterref), no checksum, and no signature verification. The output is executed immediately as the user running install.sh, which check_sudo forces to be root. This contrasts with install_ingress_nginx.sh, which correctly pins controller-v1.13.2.Impact: setup_kustomize is invoked from setup-env.sh at the start of install.sh/update.sh. If the kustomize
masterbranch is tampered with (compromised upstream, or a transient MITM on the download), the fetched script runs arbitrary code as root on the install host. Because it tracks master, the content executed is whatever HEAD happens to be at install time, so runs are not reproducible.Suggested fix: Pin the installer to a released tag (e.g. .../kustomize/kustomize/vX.Y.Z/hack/install_kustomize.sh) and verify a known SHA256 of the downloaded script or the resulting binary before executing it.
Verifier evidence
utils/setup_kustomize.sh:4
if ! [ -f "$(dirname "$0")/kustomize" ] || ! [ -x "$(dirname "$0")/kustomize" ]; utils/setup_kustomize.sh:7curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" | bash; utils/setup-env.sh:22setup_kustomize; utils/check_sudo.sh:4-6if [ "$EUID" -ne 0 ]; then / echo "Please run as root or with sudo" / exit 1; contrast utils/install_ingress_nginx.sh:9 pinscontroller-v1.13.2.Found by the 2026-07 multi-agent code audit; adversarially verified (CONFIRMED, P2). One of a batch of findings from that pass.