fix: resolve multi-channel install conflicts and critical security vulnerabilities in install.sh

fullstackjam · fullstackjam · commit 69f6852d15ec · 2026-02-13T00:22:43.000+08:00
- Add conflict detection for curl vs brew installations
- Fix P0-1: atomic file operations with temp file and trap cleanup
- Fix P0-2: remove unsafe eval, manually set PATH to prevent injection
- Fix P0-3: harden curl with --max-time, --retry, --proto=https, --tlsv1.2
- Fix P1-1: cleanup corrupted files on checksum failure
- Fix P1-2: add file size validation to detect download errors
- Fix P1-3: backup existing binary before installation for rollback
- Add checkInstallationConflicts() to doctor command

Security improvements address MITM attacks, command injection (CVE-2026-1665 pattern),
race conditions, and data integrity issues. Script now follows industry best practices
from mise, Deno, and rustup.
diff --git a/internal/cli/doctor.go b/internal/cli/doctor.go
@@ -44,6 +44,7 @@ func runDoctor() error {
 
 	results = append(results, checkNetwork()...)
 	results = append(results, checkDiskSpace()...)
+	results = append(results, checkInstallationConflicts()...)
 	results = append(results, checkHomebrew()...)
 	results = append(results, checkGit()...)
 	results = append(results, checkShell()...)
@@ -268,3 +269,62 @@ func checkDiskSpace() []checkResult {
 		status: "ok",
 	}}
 }
+
+func checkInstallationConflicts() []checkResult {
+	var results []checkResult
+	var installations []string
+
+	home, err := os.UserHomeDir()
+	if err != nil {
+		return nil
+	}
+
+	curlInstallPath := filepath.Join(home, ".openboot", "bin", "openboot")
+	if _, err := os.Stat(curlInstallPath); err == nil {
+		installations = append(installations, curlInstallPath+" (curl install)")
+	}
+
+	if brewPath, err := exec.LookPath("brew"); err == nil {
+		cmd := exec.Command(brewPath, "list", "openboot")
+		if err := cmd.Run(); err == nil {
+			if openbootPath, err := exec.LookPath("openboot"); err == nil {
+				if realPath, err := filepath.EvalSymlinks(openbootPath); err == nil {
+					if strings.Contains(realPath, "Cellar/openboot") || strings.Contains(realPath, "opt/homebrew") {
+						installations = append(installations, openbootPath+" (Homebrew)")
+					}
+				}
+			}
+		}
+	}
+
+	if len(installations) == 0 {
+		return []checkResult{{
+			name:    "Installation",
+			status:  "error",
+			message: "OpenBoot not found in standard locations",
+		}}
+	}
+
+	if len(installations) > 1 {
+		results = append(results, checkResult{
+			name:    "Multiple installations",
+			status:  "warn",
+			message: fmt.Sprintf("found at: %s", strings.Join(installations, ", ")),
+		})
+		results = append(results, checkResult{
+			name:    "Recommendation",
+			status:  "info",
+			message: "keep only one installation method to avoid conflicts",
+		})
+		return results
+	}
+
+	if whichPath, err := exec.LookPath("openboot"); err == nil {
+		results = append(results, checkResult{
+			name:   fmt.Sprintf("Single installation: %s", whichPath),
+			status: "ok",
+		})
+	}
+
+	return results
+}
diff --git a/scripts/install.sh b/scripts/install.sh
@@ -37,17 +37,73 @@ install_homebrew() {
 
     /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
 
-    if [[ $(uname -m) == "arm64" ]]; then
-        eval "$(/opt/homebrew/bin/brew shellenv)"
-    else
-        eval "$(/usr/local/bin/brew shellenv)"
-    fi
+    # Manually set PATH instead of using eval for security
+    local arch
+    arch=$(uname -m)
+    case "$arch" in
+        arm64)
+            if [[ -x "/opt/homebrew/bin/brew" ]]; then
+                export PATH="/opt/homebrew/bin:/opt/homebrew/sbin:$PATH"
+                export HOMEBREW_PREFIX="/opt/homebrew"
+                export HOMEBREW_CELLAR="/opt/homebrew/Cellar"
+                export HOMEBREW_REPOSITORY="/opt/homebrew"
+            fi
+            ;;
+        x86_64)
+            if [[ -x "/usr/local/bin/brew" ]]; then
+                export PATH="/usr/local/bin:/usr/local/sbin:$PATH"
+                export HOMEBREW_PREFIX="/usr/local"
+                export HOMEBREW_CELLAR="/usr/local/Cellar"
+                export HOMEBREW_REPOSITORY="/usr/local/Homebrew"
+            fi
+            ;;
+        *)
+            echo "Error: Unsupported architecture: $arch" >&2
+            exit 1
+            ;;
+    esac
 
     echo ""
     echo "Homebrew installed!"
     echo ""
 }
 
+check_existing_installation() {
+    if ! command -v brew &>/dev/null; then
+        return 0
+    fi
+
+    if ! brew list openboot &>/dev/null 2>&1; then
+        return 0
+    fi
+
+    local existing_path
+    existing_path=$(command -v openboot 2>/dev/null || true)
+
+    if [[ -z "$existing_path" ]]; then
+        return 0
+    fi
+
+    if [[ -L "$existing_path" ]]; then
+        local link_target
+        link_target=$(readlink "$existing_path" 2>/dev/null || true)
+        if [[ "$link_target" == *"/Cellar/openboot"* ]] || [[ "$link_target" == *"/opt/homebrew"*"/openboot"* ]]; then
+            echo ""
+            echo "⚠️  OpenBoot is already installed via Homebrew"
+            echo "   Location: $existing_path"
+            echo ""
+            echo "Choose one:"
+            echo "  1. Update via Homebrew:  brew upgrade openboot"
+            echo "  2. Switch to curl:       brew uninstall openboot && curl -fsSL https://openboot.dev/install.sh | bash"
+            echo ""
+            exit 1
+        fi
+    fi
+
+    echo "Cleaning up stale Homebrew registration..."
+    brew uninstall --force openboot &>/dev/null || true
+}
+
 detect_arch() {
     local arch
     arch=$(uname -m)
@@ -96,7 +152,13 @@ verify_checksum() {
     fi
     
     local checksums
-    if ! checksums=$(curl -fsSL "$checksum_url" 2>/dev/null); then
+    if ! checksums=$(curl -fsSL \
+        --max-time 30 \
+        --retry 3 \
+        --retry-delay 2 \
+        --proto '=https' \
+        --tlsv1.2 \
+        "$checksum_url" 2>/dev/null); then
         echo "Warning: Could not download checksums file. Skipping verification."
         return 0
     fi
@@ -121,8 +183,12 @@ verify_checksum() {
     if [[ "$actual_checksum" != "$expected_checksum" ]]; then
         echo ""
         echo "Error: Downloaded file appears corrupted."
+        echo "Expected: $expected_checksum"
+        echo "Got:      $actual_checksum"
+        echo ""
         echo "Please try again or download manually from:"
         echo "  https://github.com/${REPO}/releases"
+        rm -f "$binary_path"
         exit 1
     fi
 }
@@ -169,6 +235,19 @@ EOF
 }
 
 add_to_path() {
+    if command -v openboot &>/dev/null; then
+        local existing_path
+        existing_path=$(command -v openboot)
+        if [[ "$existing_path" != "$INSTALL_DIR/openboot" ]]; then
+            echo "OpenBoot already available at: $existing_path"
+            echo "Skipping PATH modification to avoid conflicts"
+            echo ""
+            echo "If you want to use the version at $INSTALL_DIR/openboot instead,"
+            echo "remove the existing installation first or adjust your PATH manually."
+            return 0
+        fi
+    fi
+
     local shell_type
     shell_type=$(detect_shell)
     local rc_file
@@ -233,6 +312,7 @@ main() {
     if [[ "$os" == "darwin" && "$snapshot_mode" == false ]]; then
         install_xcode_clt
         install_homebrew
+        check_existing_installation
     fi
 
     url=$(get_download_url "$os" "$arch")
@@ -259,7 +339,23 @@ main() {
     echo "Downloading OpenBoot..."
     mkdir -p "$INSTALL_DIR"
 
-    if ! curl -fsSL "$url" -o "$binary_path"; then
+    local temp_binary="${INSTALL_DIR}/.openboot.tmp.$$"
+    trap 'rm -f "$temp_binary"' EXIT INT TERM
+
+    if [[ -f "$binary_path" ]]; then
+        local backup_path="${binary_path}.backup.$(date +%s)"
+        echo "Backing up existing binary to: ${backup_path##*/}"
+        mv "$binary_path" "$backup_path"
+    fi
+
+    if ! curl -fsSL \
+        --max-time 60 \
+        --retry 3 \
+        --retry-delay 2 \
+        --proto '=https' \
+        --tlsv1.2 \
+        "$url" \
+        -o "$temp_binary"; then
         echo ""
         echo "Error: Failed to download OpenBoot"
         echo "URL: $url"
@@ -268,9 +364,34 @@ main() {
         exit 1
     fi
 
-    verify_checksum "$binary_path" "$os" "$arch"
+    local file_size
+    if command -v stat &>/dev/null; then
+        if stat -f%z "$temp_binary" &>/dev/null 2>&1; then
+            file_size=$(stat -f%z "$temp_binary")
+        else
+            file_size=$(stat -c%s "$temp_binary" 2>/dev/null || echo "0")
+        fi
+    else
+        file_size="0"
+    fi
+
+    if [[ "$file_size" -lt 1000000 ]]; then
+        echo ""
+        echo "Error: Downloaded file is too small (${file_size} bytes)"
+        echo "This may indicate a download error or invalid release"
+        rm -f "$temp_binary"
+        exit 1
+    fi
 
-    chmod +x "$binary_path"
+    verify_checksum "$temp_binary" "$os" "$arch"
+
+    chmod 755 "$temp_binary"
+
+    if ! mv "$temp_binary" "$binary_path"; then
+        echo ""
+        echo "Error: Failed to install binary"
+        exit 1
+    fi
 
     add_to_path
     export PATH="$INSTALL_DIR:$PATH"
