Merged
26 changes: 10 additions & 16 deletions utils/configure-claude-code.sh
@@ -1,7 +1,7 @@
#!/bin/bash
# Claude Code configuration script
# Primary purpose: Configure Claude Code CLI with MCP servers and settings
# Secondary purpose: Install Claude Code if not present (trivial npm install)
# Secondary purpose: Install Claude Code if not present (one-line curl install)
#
# Configuration is the interesting problem - installation is a solved problem

Expand Down Expand Up @@ -54,17 +54,6 @@ configure_claude_code() {
# Installation is a one-time solved problem, configuration is ongoing
# ============================================================================
install_claude_if_needed() {
# Check prerequisites
if ! command -v node &> /dev/null; then
echo -e "${RED}Node.js is not installed. Please install Node.js first.${NC}"
return 1
fi

if ! command -v npm &> /dev/null; then
echo -e "${RED}npm is not installed. Please install npm first.${NC}"
return 1
fi

# Check if Claude Code is already installed
# Use type -P to ignore aliases and confirm the actual binary exists
if type -P claude &> /dev/null; then
Expand All @@ -74,10 +63,15 @@ install_claude_if_needed() {
return 0
fi

# Perform the trivial installation
echo "Installing Claude Code CLI (one-time setup)..."
if ! npm install -g @anthropic-ai/claude-code; then
echo -e "${RED}Failed to install Claude Code CLI. Please try again or check your npm installation.${NC}"
# Perform the one-line curl installation
if ! command -v curl &> /dev/null; then
echo -e "${RED}curl is not installed. Please install curl first.${NC}"
return 1
fi

echo "Installing Claude Code CLI via official install script..."
if ! curl -fsSL https://claude.ai/install.sh | bash; then
Contributor

🛑 Security Vulnerability: Piping curl output directly to bash without verification creates a significant security risk. The script downloads code from a remote URL and executes it without any integrity checks, certificate validation, or content verification.

Suggested change
if ! curl -fsSL https://claude.ai/install.sh | bash; then
# Download and verify the install script before execution
INSTALL_SCRIPT=$(mktemp)
if ! curl -fsSL -o "$INSTALL_SCRIPT"; then
echo -e "${RED}Failed to download Claude Code CLI installer. Please check your network connectivity.${NC}"
rm -f "$INSTALL_SCRIPT"
return 1
fi
# Basic verification - check if it looks like a shell script
if ! head -1 "$INSTALL_SCRIPT" | grep -q "^#!/"; then
echo -e "${RED}Downloaded installer does not appear to be a valid shell script.${NC}"
rm -f "$INSTALL_SCRIPT"
return 1
fi
echo "Installing Claude Code CLI via official install script..."
if ! bash "$INSTALL_SCRIPT"; then
echo -e "${RED}Failed to install Claude Code CLI. Please try again or check your network connectivity.${NC}"
rm -f "$INSTALL_SCRIPT"

echo -e "${RED}Failed to install Claude Code CLI. Please try again or check your network connectivity.${NC}"
return 1
fi
Comment on lines 75 to 76
Contributor

Missing cleanup of temporary file. The temporary install script should be removed after execution to prevent leaving sensitive files on the filesystem.

Suggested change
return 1
fi
return 1
fi
rm -f "$INSTALL_SCRIPT" # Clean up temporary file

hash -r # ensure the shell picks up the newly installed binary
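Review bot: The `if ! curl -fsSL https://claude.ai/install.sh | bash; then` check only sees bash's exit status unless `pipefail` is enabled, and no `set -o pipefail` is visible in these hunks (it may be set in the collapsed lines). If curl fails outright, bash reads an empty stdin and exits 0, so the error branch is skipped and the function carries on to `hash -r` as if the CLI had been installed. Scoping the option to the pipeline fixes the status check without affecting the rest of the script: `if ! (set -o pipefail; curl -fsSL https://claude.ai/install.sh | bash); then`. A transfer that drops midway can still have a partial script executed before curl reports the failure, so a follow-up `type -P claude` check after the install would also be worth adding; the rest of install_claude_if_needed is outside the hunk.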