
Conversation

@nebulosa2007

What is the pull request?

Removed redundant dependency (wget) from code.

Which part of the application is affected by the change?

  • Frontend
  • Backend

Type of Changes

  • Bug fix
  • New feature
  • Refactoring
  • Other


Copilot AI left a comment


Pull request overview

This PR removes the wget dependency from the codebase, replacing all wget commands with equivalent curl commands across installation scripts, update scripts, Docker configuration, and utility scripts.

  • Replaced all wget commands with curl using semantically equivalent flags
  • Removed wget from package installation commands across multiple Linux distributions
  • Removed wget from the Dockerfile build dependencies

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 10 comments.

Summary per file

  • x-ui.sh: Replaced wget with curl for downloading scripts and geo data files using appropriate flags (-fLRo, -z for conditional downloads)
  • update.sh: Removed wget dependency check, removed wget from package installations across all distros, replaced all wget download commands with curl equivalents
  • install.sh: Removed wget from package installation commands for all supported distributions (Ubuntu, Debian, Fedora, CentOS, Arch, Alpine, etc.), replaced wget download commands with curl
  • Dockerfile: Removed wget from the Alpine package installation list
  • DockerInit.sh: Replaced all wget commands with curl, using -sfLRO for downloads with remote filenames and -sfLRo for downloads with custom filenames


Comment on lines +210 to +212
${curl_bin} -fLRo /etc/init.d/x-ui https://raw.githubusercontent.com/MHSanaei/3x-ui/main/x-ui.rc >/dev/null 2>&1
if [[ $? -ne 0 ]]; then
${wget_bin} --inet4-only -O /etc/init.d/x-ui https://raw.githubusercontent.com/MHSanaei/3x-ui/main/x-ui.rc >/dev/null 2>&1
${curl_bin} -4fLRo /etc/init.d/x-ui https://raw.githubusercontent.com/MHSanaei/3x-ui/main/x-ui.rc >/dev/null 2>&1
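Review bot: both attempts write straight into /etc/init.d/x-ui, so if the first transfer is cut off mid-body the IPv4 retry overwrites the truncated file, but if both fail a partial init script is left in place with the error hidden by >/dev/null 2>&1. Download to a temporary path and mv it over /etc/init.d/x-ui only once curl has exited 0. The -f flag is what makes that exit code usable here (HTTP 4xx/5xx become exit 22, matching wget's non-zero status on server errors), so the $? check still drives the fallback correctly.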

Copilot AI Dec 5, 2025


The Alpine-specific branch downloads the init script x-ui.rc from GitHub into /etc/init.d/x-ui without verifying its integrity or origin before it is executed at boot. A malicious or compromised upstream could ship an init script that executes arbitrary commands as root on every startup. Introduce a verification step (e.g. GPG-signed unit file or pinned checksum) before installing or updating this startup script.

fi
echo -e "Got x-ui latest version: ${tag_version}, beginning the installation..."
wget --inet4-only -N -O /usr/local/x-ui-linux-$(arch).tar.gz https://github.com/MHSanaei/3x-ui/releases/download/${tag_version}/x-ui-linux-$(arch).tar.gz
curl -4fLRo /usr/local/x-ui-linux-$(arch).tar.gz -z /usr/local/x-ui-linux-$(arch).tar.gz https://github.com/MHSanaei/3x-ui/releases/download/${tag_version}/x-ui-linux-$(arch).tar.gz
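Review bot: -z /usr/local/x-ui-linux-$(arch).tar.gz together with -R changes behaviour rather than preserving it. wget ignores -N when -O is given (it warns that timestamping does nothing in combination with -O), so the old line always downloaded; this curl line instead sends If-Modified-Since with the local file's mtime, which -R has set to the previously installed asset's Last-Modified. If the release host honours that header, fetching a tag whose asset is older than the last one installed can return 304, curl exits 0, and the stale archive already on disk is what gets extracted. The URL already carries ${tag_version}, so -z buys nothing here and should be dropped.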

Copilot AI Dec 5, 2025


The installer downloads the x-ui-linux-$(arch).tar.gz archive from GitHub and immediately extracts and installs it, but no checksum or signature is validated. If the release artifact or the download channel is compromised, a malicious binary can be installed and run as root. Require a cryptographic integrity check (e.g. verified hash or signature) for the archive before extraction.

url="https://github.com/MHSanaei/3x-ui/releases/download/${tag_version}/x-ui-linux-$(arch).tar.gz"
echo -e "Beginning to install x-ui $1"
wget --inet4-only -N -O /usr/local/x-ui-linux-$(arch).tar.gz ${url}
curl -4fLRo /usr/local/x-ui-linux-$(arch).tar.gz -z /usr/local/x-ui-linux-$(arch).tar.gz ${url}
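Review bot: the -z/-R interaction matters most on this path, because $1 is a user-chosen tag and downgrading to an older release is exactly the case where the existing tarball's mtime can be newer than the requested asset; on a 304 the old /usr/local/x-ui-linux-$(arch).tar.gz is reused silently and the user gets a version other than the one they asked for. Drop -z for explicitly versioned downloads, and consider deleting the archive after extraction so a later run cannot pick up a leftover.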

Copilot AI Dec 5, 2025


This code path allows installing an arbitrary tagged x-ui version by downloading the corresponding tarball from GitHub without any integrity or authenticity verification before extraction. An attacker with control over the release artifacts or network path could supply a Trojaned archive that will be installed and executed as root. Harden this by validating the archive against a trusted checksum or signature before untarring it.

fi
fi
wget --inet4-only -O /usr/bin/x-ui-temp https://raw.githubusercontent.com/MHSanaei/3x-ui/main/x-ui.sh
curl -4fLRo /usr/bin/x-ui-temp https://raw.githubusercontent.com/MHSanaei/3x-ui/main/x-ui.sh
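Review bot: nothing checks curl's exit status on this line, unlike the ${curl_bin} paths in update.sh that test $?. With -f a 404 or a connection failure leaves /usr/bin/x-ui-temp missing or truncated and the script carries on to install it. Add an explicit failure branch, for example `|| { echo "failed to fetch x-ui.sh" >&2; exit 1; }`, unless this script is known to run under set -e, which the visible lines do not show.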

Copilot AI Dec 5, 2025


The installer fetches x-ui.sh from raw.githubusercontent.com into /usr/bin/x-ui-temp without any cryptographic verification before moving it into /usr/bin/x-ui and executing it. A compromised upstream or TLS channel would allow an attacker to replace the control script with arbitrary code run as root. Add a verification step based on a signed script or out-of-band checksum before updating the local executable.


if [[ $release == "alpine" ]]; then
wget --inet4-only -O /etc/init.d/x-ui https://raw.githubusercontent.com/MHSanaei/3x-ui/main/x-ui.rc
curl -4fLRo /etc/init.d/x-ui https://raw.githubusercontent.com/MHSanaei/3x-ui/main/x-ui.rc
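Review bot: the curl exit status is discarded here too, so a failed fetch leaves /etc/init.d/x-ui absent or partial and the Alpine install proceeds as if the OpenRC script were in place. Check the return value the way update.sh does for this same file, and consider adopting its plain-then--4 retry rather than forcing -4 unconditionally, which skips IPv6-only hosts on the first and only attempt.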

Copilot AI Dec 5, 2025


For Alpine, the init script x-ui.rc is downloaded from GitHub straight into /etc/init.d/x-ui with no integrity or authenticity validation before being executed on boot. If the remote file or connection is tampered with, a malicious init script could gain persistent root code execution. Validate the downloaded unit file against a trusted checksum or signature before installation.

fi

wget -O /usr/bin/x-ui https://raw.githubusercontent.com/MHSanaei/3x-ui/main/x-ui.sh
curl -fLRo /usr/bin/x-ui https://raw.githubusercontent.com/MHSanaei/3x-ui/main/x-ui.sh
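Review bot: this writes the management script directly to /usr/bin/x-ui, whereas elsewhere on this page the same x-ui.sh is fetched into /usr/bin/x-ui-temp first; an interrupted transfer here replaces a working script with a truncated one. Use the temp-file-then-mv pattern consistently, and test curl's exit status, since -f only reports the failure and does not stop the script.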

Copilot AI Dec 5, 2025


This line downloads the latest x-ui.sh control script over HTTPS directly into /usr/bin/x-ui without any signature or checksum verification before it is later executed as root. If the GitHub repository or the TLS connection is compromised, an attacker could supply a modified script that will be run with full privileges on update. Fetch a signed release or a pinned checksum from a trusted channel and verify it before replacing the local script.


update_shell() {
wget -O /usr/bin/x-ui -N https://github.com/MHSanaei/3x-ui/raw/main/x-ui.sh
curl -fLRo /usr/bin/x-ui -z /usr/bin/x-ui https://github.com/MHSanaei/3x-ui/raw/main/x-ui.sh
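Review bot: update_shell overwrites /usr/bin/x-ui in place, and /usr/bin/x-ui is the x-ui.sh script this function lives in; bash reads a script incrementally, so truncating and rewriting the file while it is executing can make the running instance read garbage from the new contents. Fetch to a temporary file and mv it over /usr/bin/x-ui, which swaps the directory entry while the running shell keeps the old inode. The new -z /usr/bin/x-ui is also more than a cosmetic swap: wget's -N was a no-op alongside -O, so the old line always downloaded, while this one may receive 304 and exit 0 without touching the file, which an exit-0 check alone cannot tell apart from a fresh download.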

Copilot AI Dec 5, 2025


This update path downloads x-ui.sh from GitHub into /usr/bin/x-ui without any cryptographic verification of integrity or authenticity before it is used. A compromise of the upstream repository, DNS, or TLS channel would allow an attacker to deliver a malicious script that will be executed as root. Add verification via a trusted checksum or signature (for example, a GPG-signed release manifest) before installing the new script.

Comment on lines +125 to +128
${curl_bin} -fLRo /usr/local/x-ui-linux-$(arch).tar.gz -z /usr/local/x-ui-linux-$(arch).tar.gz https://github.com/MHSanaei/3x-ui/releases/download/${tag_version}/x-ui-linux-$(arch).tar.gz 2>/dev/null
if [[ $? -ne 0 ]]; then
echo -e "${yellow}Trying to fetch version with IPv4...${plain}"
${wget_bin} --inet4-only -N -O /usr/local/x-ui-linux-$(arch).tar.gz https://github.com/MHSanaei/3x-ui/releases/download/${tag_version}/x-ui-linux-$(arch).tar.gz 2>/dev/null
${curl_bin} -4fLRo /usr/local/x-ui-linux-$(arch).tar.gz -z /usr/local/x-ui-linux-$(arch).tar.gz https://github.com/MHSanaei/3x-ui/releases/download/${tag_version}/x-ui-linux-$(arch).tar.gz 2>/dev/null
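Review bot: same -z/-R caveat as the install paths: the old ${wget_bin} --inet4-only -N -O line always downloaded (wget disables timestamping when -O is used), while both curl attempts now send If-Modified-Since taken from the existing archive's mtime, so a 304 for an older ${tag_version} exits 0 and leaves the previous tarball to be extracted. With the tag in the URL, -z adds nothing on this updater path and should go.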

Copilot AI Dec 5, 2025


The updater downloads the x-ui-linux-$(arch).tar.gz release archive from GitHub and later extracts and installs it without verifying a checksum or signature. If the remote release or network path is compromised, an attacker can serve a modified binary that will be installed and run as root. Protect this auto-update path by validating a cryptographic checksum or signature for the archive before extraction.

Comment on lines +188 to +191
${curl_bin} -fLRo /usr/bin/x-ui https://raw.githubusercontent.com/MHSanaei/3x-ui/main/x-ui.sh >/dev/null 2>&1
if [[ $? -ne 0 ]]; then
echo -e "${yellow}Trying to fetch x-ui with IPv4...${plain}"
${wget_bin} --inet4-only -O /usr/bin/x-ui https://raw.githubusercontent.com/MHSanaei/3x-ui/main/x-ui.sh >/dev/null 2>&1
${curl_bin} -4fLRo /usr/bin/x-ui https://raw.githubusercontent.com/MHSanaei/3x-ui/main/x-ui.sh >/dev/null 2>&1
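Review bot: the retry message says "Trying to fetch x-ui with IPv4..." but the first attempt's failure reason is thrown away by >/dev/null 2>&1, so an HTTP 404 (curl exit 22 under -f) triggers the same IPv4 retry as a resolution or connection failure (exit 6 or 7) and simply fails again. Capture the exit code (rc=$?) and retry with -4 only for network-level errors, reporting HTTP errors directly; and, as with the other direct writes on this page, stage the download in a temporary file so a failed retry does not leave a truncated /usr/bin/x-ui.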

Copilot AI Dec 5, 2025


These lines download the x-ui.sh management script from GitHub into /usr/bin/x-ui without any integrity or authenticity check before marking it executable. An attacker who can tamper with the upstream repository or TLS channel could provide a backdoored script that will be run as root. Fetch and verify a signed script or pinned checksum before replacing the existing binary.

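The checksum step the review comments above keep asking for, written out as an added example; this is not code from the 3x-ui project, which, as far as this page shows, publishes no checksum file for its releases or scripts. The helper downloads with the same curl flags the PR uses (-fLRo), verifies a SHA-256 digest, and only then moves the file into place, so a failed or tampered download never replaces the existing file. The function names (sha256_of, verify_sha256, fetch_verified) are this example's own, and the expected digest is a parameter that is assumed to come from a trusted out-of-band source (a value pinned in the installer, or a signed manifest), never from the same URL as the artifact. The -z conditional-download flag is deliberately omitted: a skipped download leaves nothing to verify.

```shell
# Added example, not 3x-ui project code: download, verify SHA-256, then install.
# Assumes sha256sum, shasum or openssl is available, and that EXPECTED comes
# from a trusted source independent of the download URL (a pinned value or a
# signed manifest). No -z: every call fetches a fresh copy to verify.

set -u

# Print the SHA-256 hex digest of a file, using whichever tool is present.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{print $1}'
  else
    # -r gives the coreutils-style "digest *file" layout
    openssl dgst -sha256 -r "$1" | awk '{print $1}'
  fi
}

# verify_sha256 FILE EXPECTED: exit 0 only when the digests match (hex case ignored).
verify_sha256() {
  vs_file=$1 vs_expected=$2
  vs_actual=$(sha256_of "$vs_file") || return 1
  [ -n "$vs_actual" ] || return 1
  [ "$(printf '%s' "$vs_actual" | tr 'A-F' 'a-f')" = \
    "$(printf '%s' "$vs_expected" | tr 'A-F' 'a-f')" ]
}

# fetch_verified URL DEST EXPECTED: fetch into a temp file beside DEST, verify,
# then mv over DEST (an atomic rename, so a running script keeps its old inode).
# On any failure DEST is left untouched and the temp file is removed.
fetch_verified() {
  fv_url=$1 fv_dest=$2 fv_expected=$3
  fv_tmp=$(mktemp "${fv_dest}.XXXXXX") || return 1
  if ! curl -fLRo "$fv_tmp" "$fv_url"; then
    echo "download failed: $fv_url" >&2
    rm -f "$fv_tmp"
    return 1
  fi
  if ! verify_sha256 "$fv_tmp" "$fv_expected"; then
    echo "checksum mismatch for $fv_url, not installing $fv_dest" >&2
    rm -f "$fv_tmp"
    return 1
  fi
  chmod 0755 "$fv_tmp" && mv -f "$fv_tmp" "$fv_dest"
}

# Usage, with a hypothetical pinned digest (the project does not publish one):
#   fetch_verified "$url" "/usr/local/x-ui-linux-$(arch).tar.gz" "$PINNED_SHA256" || exit 1
```

Dropped into install.sh in place of the bare curl line, the `|| exit 1` is what turns a bad download into an aborted install instead of a root-executed unknown; the digest itself only helps if it is pinned in the script or fetched from a channel an attacker who controls the artifact URL does not also control.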
Repository owner deleted a comment from Copilot AI Dec 5, 2025
@nebulosa2007

Stop judging me Mr. Copilot, that's not my code)
