The infamous Barmin's patch doesn't have any `sh` mentions either:

``` echo "test... test... test..." | perl -e '$??s:;s:s;;$?::s;;=]=>%-{<-|}<&|`{;;y; -/:-@[-`{-};`-{/" -;;s;;$_;see' ```

Yeah, but if there's a code execution vulnerability in any of the tools in the pipeline it's as good as piping to sh.

Yup! Using curl at all is downright dangerous.

/s

Well, it's all about risk assessment. Curl has had RCE security bugs before[1]. That doesn't mean curl is "downright dangerous" it just means that "it's safe because it doesn't pipe to sh" is also not a correct thing to say.

[1]: http://blog.volema.com/curl-rce.html

Incidentally, cURL just had a major security audit. The dev is doing due diligence to avoid RCE vulnerabilities.

Piping to jq and sed is just fine. I'm not sure where sh comes into this...

Unless there's a bug in curl, jq or sed that leads to an RCE, which is what my point was.

I suppose 'devoply pattern-matched "curl -sS <sth> | <sth else>" to "don't do that". I think that because that's exactly what I did now; it took me a few seconds to realize that - this time - the invocation is mostly harmless.