
security: enforce HTTPS-only redirects in staging deploy script curl downloads#285

Merged
NickLetts2 merged 2 commits into
mainfrom
copilot/harden-staging-deploy-script
May 15, 2026
Conversation

Contributor

Copilot AI commented May 15, 2026

curl -fsSL in the staging bootstrap script follows redirects without protocol restriction, allowing a potential downgrade from HTTPS to HTTP mid-redirect (SonarCloud shell:S6506, lines 144 and 162).

Changes

  • scripts/STAGING_FIRST_DEPLOY.sh — both binary download calls (sops, age) hardened:
    • Replace -fsSL shorthand with explicit --fail --show-error --silent --location --proto '=https' --tlsv1.2
    • --proto '=https' blocks any redirect that would leave HTTPS
    • --tlsv1.2 enforces minimum TLS version on the connection
    • Inline comments added so intent is clear to future reviewers
# Before
curl -fsSL "https://github.com/getsops/sops/releases/download/${SOPS_VERSION}/..." \
  -o /usr/local/bin/sops

# After
# Public GitHub release URL — enforce HTTPS-only redirects to prevent protocol downgrade.
curl --fail --show-error --silent --location --proto '=https' --tlsv1.2 \
  "https://github.com/getsops/sops/releases/download/${SOPS_VERSION}/..." \
  -o /usr/local/bin/sops

Both download targets are public GitHub release endpoints; no local/internal HTTP checks are present in this script, so --proto '=https' is the correct and complete remedy for both hotspots.
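The flag set described above, as an added example that is not code from the Curvit repository or from this PR: a small POSIX-sh download helper that applies the same curl hardening and additionally rejects non-HTTPS URLs before curl is ever invoked. The function names (fetch_https, url_is_https), the CURL_HARDENED_FLAGS variable, the extra --proto-redir and --max-redirs flags, and the placeholder version in the usage comment are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the Curvit repository or from this PR. Names
# (fetch_https, url_is_https, CURL_HARDENED_FLAGS) are chosen for the example.

# The flag set from the PR, plus two belt-and-braces additions:
#   --proto =https        only HTTPS for the initial request; curl also refuses
#                         to re-enable a --proto-denied scheme on redirect, so
#                         an http:// Location header fails the transfer.
#   --proto-redir =https  restates the redirect restriction explicitly so it
#                         survives a later edit to --proto.
#   --tlsv1.2             refuse TLS 1.0 and 1.1 handshakes.
#   --max-redirs 5        cap redirect chains (curl's default is 50).
# "=https" needs no shell quoting as a plain word, which lets the whole list
# live in one variable that is word-split at the call site.
CURL_HARDENED_FLAGS="--fail --show-error --silent --location --proto =https --proto-redir =https --tlsv1.2 --max-redirs 5"

# url_is_https URL: succeed only when the scheme is https:// (any case).
url_is_https() {
  case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
    https://*) return 0 ;;
    *)         return 1 ;;
  esac
}

# fetch_https URL DEST: download URL to DEST, or fail with status 2 before
# touching the network when URL is not HTTPS. --proto would reject a plain
# http:// URL anyway, but the pre-check gives a clear message and needs no
# connectivity.
fetch_https() {
  url=$1
  dest=$2
  if ! url_is_https "$url"; then
    printf 'fetch_https: refusing non-HTTPS URL: %s\n' "$url" >&2
    return 2
  fi
  # shellcheck disable=SC2086  # intentional word splitting of the flag list
  curl $CURL_HARDENED_FLAGS "$url" -o "$dest"
}

# Usage, as it would appear in a bootstrap script (SOPS_VERSION and the asset
# name are placeholders, not the project's real values):
#   SOPS_VERSION=v3.9.0
#   fetch_https \
#     "https://github.com/getsops/sops/releases/download/${SOPS_VERSION}/sops-${SOPS_VERSION}.linux.amd64" \
#     /usr/local/bin/sops
```

The scheme pre-check is deliberately redundant with --proto: it turns a network-time curl error into an immediate, readable failure, and it catches the case where a later edit drops the --proto flag from the list.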

…calls

Replace `curl -fsSL` with `curl --fail --show-error --silent --location
--proto '=https' --tlsv1.2` for both public GitHub binary downloads
(sops and age) in STAGING_FIRST_DEPLOY.sh.

This resolves SonarCloud shell:S6506 hotspots on lines 144 and 162 by
preventing curl from following redirects to non-HTTPS URLs. Add inline
comments explaining the HTTPS restriction for each call.

Shellcheck exits 0 on the modified script.

Agent-Logs-Url: https://github.com/NickLetts2/Curvit/sessions/fa1b3a40-7840-4a00-81b7-eb544de09b98

Co-authored-by: NickLetts2 <90337962+NickLetts2@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix HTTPS redirect handling in staging deploy script" to "security: enforce HTTPS-only redirects in staging deploy script curl downloads" May 15, 2026
Copilot AI requested a review from NickLetts2 May 15, 2026 20:17
@NickLetts2 NickLetts2 marked this pull request as ready for review May 15, 2026 20:35
Copilot AI review requested due to automatic review settings May 15, 2026 20:35
@NickLetts2 NickLetts2 merged commit 205cd96 into main May 15, 2026
6 checks passed
Copilot AI review requested due to automatic review settings May 15, 2026 20:57
NickLetts2 added a commit that referenced this pull request Jun 1, 2026
…-script

security: enforce HTTPS-only redirects in staging deploy script curl downloads
@NickLetts2 NickLetts2 deleted the copilot/harden-staging-deploy-script branch June 2, 2026 09:46

Development

Successfully merging this pull request may close these issues: Security Hotspots: Harden staging deploy script HTTPS redirect handling

2 participants