Skip to content

[Infrastructure] kustomize installer fetched from unpinned master and piped to bash #556

Description

@Flegma

Location: utils/setup_kustomize.sh:7 (5stack-panel)

What: When the bundled kustomize binary is missing or non-executable, setup_kustomize() runs curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" | bash with no version pin (the mutable master ref), no checksum, and no signature verification. The output is executed immediately as the user running install.sh, which check_sudo forces to be root. This contrasts with install_ingress_nginx.sh, which correctly pins controller-v1.13.2.

Impact: setup_kustomize is invoked from setup-env.sh at the start of install.sh/update.sh. If the kustomize master branch is tampered with (compromised upstream, or a transient MITM on the download), the fetched script runs arbitrary code as root on the install host. Because it tracks master, the content executed is whatever HEAD happens to be at install time, so runs are not reproducible.

Suggested fix: Pin the installer to a released tag (e.g. .../kustomize/kustomize/vX.Y.Z/hack/install_kustomize.sh) and verify a known SHA256 of the downloaded script or the resulting binary before executing it.

Verifier evidence

utils/setup_kustomize.sh:4 if ! [ -f "$(dirname "$0")/kustomize" ] || ! [ -x "$(dirname "$0")/kustomize" ]; utils/setup_kustomize.sh:7 curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" | bash; utils/setup-env.sh:22 setup_kustomize; utils/check_sudo.sh:4-6 if [ "$EUID" -ne 0 ]; then / echo "Please run as root or with sudo" / exit 1; contrast utils/install_ingress_nginx.sh:9 pins controller-v1.13.2.


Found by the 2026-07 multi-agent code audit; adversarially verified (CONFIRMED, P2). One of a batch of findings from that pass.

Metadata

Metadata

Assignees

No one assigned

    Labels

    P2-mediumCode quality & robustnessaudit-2026-07Findings from the 2026-07 code audit / review passsecuritySecurity vulnerability or hardeningservice:infrastructure5stackgg/5stack-panel infrastructure

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    Status
    Backlog

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions