fix(shell): verify OMZ install script SHA256 before execution

Author: fullstackjam

internal/shell/shell.go

@@ -1,16 +1,29 @@
 package shell
 
 import (
+	"crypto/sha256"
+	"encoding/hex"
 	"fmt"
+	"io"
+	"net/http"
 	"os"
 	"os/exec"
 	"path/filepath"
 	"regexp"
 	"strings"
 
+	"github.com/openbootdotdev/openboot/internal/httputil"
 	"github.com/openbootdotdev/openboot/internal/system"
 )
 
+// knownOMZInstallHash is the SHA256 of the Oh-My-Zsh install script pinned on
+// 2026-04-19 (ohmyzsh/ohmyzsh master, commit circa that date). Update this
+// constant whenever the installer script changes upstream.
+const knownOMZInstallHash = "21043aec5b791ce4835479dc33ba2f92155946aeafd54604a8c83522627cc803"
+
+// omzInstallURL is a var so tests can redirect it to a local httptest server.
+var omzInstallURL = "https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh"
+
 var shellIdentifierRe = regexp.MustCompile(`^[a-zA-Z0-9_.-]+$`)
 
 func validateShellIdentifier(value, label string) error {
@@ -42,12 +55,53 @@ func InstallOhMyZsh(dryRun bool) error {
 		return nil
 	}
 
-	script := `sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)" "" --unattended`
-	cmd := exec.Command("bash", "-c", script)
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-	cmd.Stdin = os.Stdin
-	return cmd.Run()
+	// Download the installer via httputil.Do so rate-limit handling is applied.
+	req, err := http.NewRequest(http.MethodGet, omzInstallURL, nil)
+	if err != nil {
+		return fmt.Errorf("create omz install request: %w", err)
+	}
+	resp, err := httputil.Do(http.DefaultClient, req)
+	if err != nil {
+		return fmt.Errorf("download omz install script: %w", err)
+	}
+	defer resp.Body.Close()
+
+	if resp.StatusCode != http.StatusOK {
+		return fmt.Errorf("download omz install script: unexpected status %d", resp.StatusCode)
+	}
+
+	scriptBytes, err := io.ReadAll(resp.Body)
+	if err != nil {
+		return fmt.Errorf("read omz install script: %w", err)
+	}
+
+	// Verify SHA256 before executing anything.
+	sum := sha256.Sum256(scriptBytes)
+	got := hex.EncodeToString(sum[:])
+	if got != knownOMZInstallHash {
+		return fmt.Errorf("Oh-My-Zsh install script hash mismatch: download may be compromised (got %s, want %s)", got, knownOMZInstallHash)
+	}
+
+	// Write verified script to a temp file, execute, then clean up.
+	tmpFile, err := os.CreateTemp("", "omz-install-*.sh")
+	if err != nil {
+		return fmt.Errorf("create temp file for omz install: %w", err)
+	}
+	defer os.Remove(tmpFile.Name())
+
+	if _, err := tmpFile.Write(scriptBytes); err != nil {
+		tmpFile.Close()
+		return fmt.Errorf("write omz install script: %w", err)
+	}
+	if err := tmpFile.Close(); err != nil {
+		return fmt.Errorf("close omz install script: %w", err)
+	}
+
+	if err := os.Chmod(tmpFile.Name(), 0700); err != nil {
+		return fmt.Errorf("chmod omz install script: %w", err)
+	}
+
+	return system.RunCommand(tmpFile.Name(), "--unattended")
 }
 
 const brewShellenvLine = `eval "$(/opt/homebrew/bin/brew shellenv)"`

internal/shell/shell_test.go

@@ -1,6 +1,11 @@
 package shell
 
 import (
+	"crypto/sha256"
+	"encoding/hex"
+	"fmt"
+	"net/http"
+	"net/http/httptest"
 	"os"
 	"path/filepath"
 	"strings"
@@ -206,3 +211,68 @@ source $ZSH/oh-my-zsh.sh
 	assert.Contains(t, string(content), `ZSH_THEME="agnoster"`)
 	assert.NotContains(t, string(content), `ZSH_THEME="robbyrussell"`)
 }
+
+// --- Hash verification tests for InstallOhMyZsh ---
+
+// hashOf returns the lowercase hex SHA256 of data.
+func hashOf(data []byte) string {
+	sum := sha256.Sum256(data)
+	return hex.EncodeToString(sum[:])
+}
+
+// serveScript starts an httptest server that returns body as the script payload.
+// It restores omzInstallURL when the test completes.
+func serveScript(t *testing.T, body []byte, statusCode int) {
+	t.Helper()
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(statusCode)
+		_, _ = w.Write(body)
+	}))
+	t.Cleanup(srv.Close)
+
+	orig := omzInstallURL
+	omzInstallURL = srv.URL
+	t.Cleanup(func() { omzInstallURL = orig })
+}
+
+func TestInstallOhMyZsh_HashMismatch(t *testing.T) {
+	home := t.TempDir()
+	t.Setenv("HOME", home)
+
+	// Serve a script whose hash does NOT match knownOMZInstallHash.
+	fakeScript := []byte("#!/bin/sh\necho fake\n")
+	serveScript(t, fakeScript, http.StatusOK)
+
+	err := InstallOhMyZsh(false)
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "hash mismatch")
+	assert.Contains(t, err.Error(), "download may be compromised")
+	// The returned hash should be the hash of the fake content.
+	assert.Contains(t, err.Error(), hashOf(fakeScript))
+}
+
+func TestInstallOhMyZsh_HTTPError(t *testing.T) {
+	home := t.TempDir()
+	t.Setenv("HOME", home)
+
+	// Serve a 500 so the status-code check fires.
+	serveScript(t, nil, http.StatusInternalServerError)
+
+	err := InstallOhMyZsh(false)
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), fmt.Sprintf("unexpected status %d", http.StatusInternalServerError))
+}
+
+func TestInstallOhMyZsh_DryRun_NoNetwork(t *testing.T) {
+	home := t.TempDir()
+	t.Setenv("HOME", home)
+
+	// Dry-run must return without making any network call — URL is deliberately
+	// set to something unreachable to catch any accidental HTTP access.
+	orig := omzInstallURL
+	omzInstallURL = "http://127.0.0.1:0/should-not-be-called"
+	t.Cleanup(func() { omzInstallURL = orig })
+
+	err := InstallOhMyZsh(true)
+	assert.NoError(t, err)
+}