How to make copying command from website to terminal secure?

terminal bash browser linux

Today I found intriguing example website-terminal-copy-paste. For example you may need to clone git repository. In webpage it looks like:

git clone git://git.kernel.org/pub/scm/utils/kup/kup.git

but when you copy it terminal it becomes:

git clone /dev/null; clear; echo -n "Hello ";whoami|tr -d '\n';echo -e '!\nThat was a bad idea. Don'"'"'t copy code from websites you don'"'"'t trust!
Here'"'"'s the first line of your /etc/passwd: ';head -n1 /etc/passwd
git clone git://git.kernel.org/pub/scm/utils/kup/kup.git

because the rest is hidden:

<p class="codeblock">
      <!-- Oh noes, you found it! -->
      git clone
      <span style="position: absolute; left: -100px; top: -100px">/dev/null; clear; echo -n "Hello ";whoami|tr -d '\n';echo -e '!\nThat was a bad idea. Don'"'"'t copy code from websites you don'"'"'t trust!<br>Here'"'"'s the first line of your /etc/passwd: ';head -n1 /etc/passwd<br>git clone </span>
      git://git.kernel.org/pub/scm/utils/kup/kup.git
    </p>

Of course it can be any command. So my question is how to make sure we don't get malicious code.

Is copying from website, pasting it to text editor(that show non-priniting character), checking the commands and copy-paste to terminal secure way to avoid this kind of attacks?

EDIT:

Probably the best way is never paste anything from website directly to terminal. Check this case:

<h1>Welcome on my tutorial site</h1>

<h3>Below code learn you how to use echo command. Copy both commands and paste it to your terminal</h6>

<hr/>
<p class="codeblock" >
      <!-- Oh noes, you found it! -->
      echo Line1;
      <pre style="position: absolute; left: -100px; top: -100px">echo "Owned";</pre>
      echo Line2;
    </p>
<hr/>

LiveDemo

When you copy and paste it to terminal, command 1 and hidden will be executed immediately. You won't get a chance to check it in terminal.


Solution 1:

It depends on how paranoid you want to be. But to be safe you should first make sure you understand the command and then type it in yourself.

If you don't trust the source do not accept any input from it without sanitizing it.

Related

What ffmpeg settings to get the best possible video resolution/framerate that my webcam is capable of?
Brightness adjustment interval in windows
Change Windows explorer font size
Realtek HD Audio latency leading to crackling sounds from the speakers
SSH authentication using biometrics
Can I connect to Synology NAS DS 215j directly over ethernet cable while NAS in DHCP mode
Windows 10 boot suddenly takes 10-20 minutes
Why didn't Windows 10 ever try to force itself onto my machine?
How to disable natural scrolling on Mac OS X (El Captain) with command line?
Emulating a Chromecast on a Windows desktop
Windows 10 Pro 64 bit version 1607 fails to install KB3176938 with 0x800F0922
Apple numbers: How can I create a filtered column (B) with only unique values from column (A)?