sec(install): install.sh follows redirects without validating final URL origin

[latenighthackathon]

Agent Diagnostic

• Loaded the OpenShell repo and reviewed install.sh
• Identified that the resolve_redirect() function (lines 101-111) follows HTTP redirects to determine the latest release URL
• The extracted version is taken from the final URL path (line 165: _version="${_resolved##*/}") with no validation that the URL is still on github.com
• Checked existing issue sec(install): checksum verification silently skipped when sha256sum unavailable #590 (checksum verification silently skipped) and PR fix(install): make checksum verification mandatory #626 — those cover a different vector (missing sha256sum binary). This issue is about the redirect itself.
• Reviewed the download flow: resolve redirect → extract version → download binary → verify checksum. If the redirect is hijacked, the checksum file also comes from the attacker's URL, making checksum verification meaningless.

Description

In install.sh, the installer resolves the latest release by following GitHub redirects:

_latest_url="${GITHUB_URL}/releases/latest"
_resolved="$(resolve_redirect "$_latest_url")"
_version="${_resolved##*/}"

The resolved URL is not validated against the expected origin (github.com). If a MITM or DNS hijack redirects github.com/NVIDIA/OpenShell/releases/latest to an attacker-controlled domain, the script will:

1. Extract the attacker's version string from the URL path
2. Download the binary from the attacker's URL
3. Download the checksums file from the same attacker's URL — so checksum verification passes even for a malicious binary

This is distinct from #590 (checksum tool unavailable). Even with sha256sum present, the checksum file itself could be attacker-controlled if the redirect is hijacked.

Reproduction Steps

1. Review install.sh lines 101-111 (resolve_redirect) and 161-165:

resolve_redirect() {
    if cmd_exists curl; then
        curl -sI -o /dev/null -w '%{url_effective}' -L "$1"
    elif cmd_exists wget; then
        wget -q --spider --server-response -O /dev/null "$1" 2>&1 | \
            awk '/^  Location:/{loc=$2} END{print loc}'
    fi
}
# ...
_resolved="$(resolve_redirect "$_latest_url")"
_version="${_resolved##*/}"

2. The final URL from resolve_redirect is used to construct download URLs without validating that it points to github.com/NVIDIA/OpenShell

Environment

• Code review of main branch (commit HEAD as of 2026-03-26)
• Affected file: install.sh lines 101-111, 161-165

Logs

Suggested fix — validate redirect target:

_resolved="$(resolve_redirect "$_latest_url")"
case "$_resolved" in
    https://github.com/NVIDIA/OpenShell/releases/*)
        ;;
    *)
        err "Unexpected redirect target: $_resolved"
        exit 1
        ;;
esac
_version="${_resolved##*/}"

Related: #590 (checksum verification silently skipped when sha256sum unavailable)

Agent-First Checklist

• I pointed my agent at the repo and had it investigate this issue
• I loaded relevant skills (e.g., debug-openshell-cluster, debug-inference, openshell-cli)
• My agent could not resolve this — the diagnostic above explains why