Flawed integrity check of a bash script can be hacked
The Codecov integrity check itself can be hacked because the version string extracted from the downloaded shell script is neither properly quoted nor validated. Here is the Twitter reference:
https://twitter.com/lorenc_dan/status/1383598341347368967?s=19
What we know is the LAST version of the file. The hacked file was changed many times, so we don't know what else the script could have done.
I was able to do a few more things with the flawed integrity check described at https://docs.codecov.io/docs/about-the-codecov-bash-uploader#validating-the-bash-script
# The file under test. Everything below, including the version used to locate the checksum file, is read from this same untrusted download.
curl -s https://codecov.io/bash > codecov;
# Any line containing VERSION="..." matches (not just the assignment), and whatever sits between the first two double quotes is used as-is: no validation of the result.
VERSION=$(grep 'VERSION=\".*\"' codecov | cut -d'"' -f2);
for i in 1 256 512
do
  # ${VERSION} is unquoted, so it is word-split and glob-expanded before curl sees it; shasum's exit status is never checked, so the loop carries on after a failed comparison.
  shasum -a $i -c --ignore-missing <(curl -s https://raw.githubusercontent.com/codecov/codecov-bash/${VERSION}/SHA${i}SUM)
done
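To make the extraction flaw concrete, here is an added example of my own (not Codecov's code and not part of the original post) that reproduces the grep|cut step of the documented check against three constructed sample files, shows how an unquoted expansion of the result turns into extra argv words for curl, and compares it with a stricter extraction. The sample files, the function names and the stricter regex are my assumptions; nothing is downloaded, so it runs offline.

```shell
#!/bin/sh
# Added example, not Codecov's code: reproduces the version-extraction step of
# the documented integrity check against constructed input files and compares
# it with a stricter extraction. Everything runs offline; no network access.

# Same grep|cut pipeline as the documented check. Any line that contains
# VERSION="..." matches, and whatever sits between the first two double quotes
# of each matching line is returned, with no validation at all.
flawed_version() {
    grep 'VERSION=\".*\"' "$1" | cut -d'"' -f2
}

# Stricter extraction (assumed, not Codecov's): the assignment must occupy a
# whole line, exactly one such line may exist, and the value must be a dotted
# version number. Prints the version on success, returns 1 otherwise.
strict_version() {
    v=$(grep -E '^VERSION="[0-9]+(\.[0-9]+)*"$' "$1" | cut -d'"' -f2)
    [ "$(printf '%s\n' "$v" | grep -c .)" -eq 1 ] || return 1
    printf '%s\n' "$v"
}

# Number of argv words the checksum URL becomes when the version is expanded
# unquoted, exactly as ${VERSION} is in the documented check. Anything other
# than 1 means curl receives extra, attacker-shaped arguments.
url_word_count() {
    VERSION=$1
    set -- https://raw.githubusercontent.com/codecov/codecov-bash/${VERSION}/SHA1SUM
    echo $#
}

# Constructed sample 1: a clean uploader with a normal version assignment.
clean_script=$(mktemp)
cat >"$clean_script" <<'EOF'
#!/usr/bin/env bash
VERSION="1.0.3"
echo "Codecov uploader $VERSION"
EOF

# Constructed sample 2: the real assignment is untouched, but an attacker has
# added a comment line above it. The uploader behaves exactly as before, yet
# the flawed grep matches the comment first and that string leads the result.
commented_script=$(mktemp)
cat >"$commented_script" <<'EOF'
#!/usr/bin/env bash
# VERSION="attacker chosen ref"
VERSION="1.0.3"
echo "Codecov uploader $VERSION"
EOF

# Constructed sample 3: the attacker has rewritten the assignment itself, so
# the extracted "version" is an arbitrary string containing spaces.
rewritten_script=$(mktemp)
cat >"$rewritten_script" <<'EOF'
#!/usr/bin/env bash
VERSION="not a version"
echo "Codecov uploader $VERSION"
EOF
trap 'rm -f "$clean_script" "$commented_script" "$rewritten_script"' EXIT

echo "clean, flawed:      $(flawed_version "$clean_script")"
echo "commented, flawed:  $(flawed_version "$commented_script" | head -n 1)"
echo "rewritten, flawed:  $(flawed_version "$rewritten_script")"
echo "rewritten, argv:    $(url_word_count "$(flawed_version "$rewritten_script")") words"
echo "clean, strict:      $(strict_version "$clean_script")"
echo "commented, strict:  $(strict_version "$commented_script")"
echo "rewritten, strict:  $(strict_version "$rewritten_script" || echo rejected)"
```

The stricter variant matters not because a dotted number is special, but because the extracted value can then only name something that looks like a release in codecov/codecov-bash, so a tampered uploader cannot steer the fetch with an arbitrary string and will not match any checksum the project actually published. Even with that fix, the documented loop never checks shasum's exit status, so whoever runs it has to read the output rather than rely on the script failing.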