Show HN: Uncurl.dev – Convert curl commands to a shareable, executable UI(uncurl.dev)

115 pointsby darubramha10 days ago18 comments

ajnin10 days ago
Hum I'm definitely not the target for this but I don't see the value to obfuscate all the info in an UUID, I'd have kept things simple and stored things into an URL fragment, that way it's possible to operate client-side only and nothing gets leaked to a server I don't know much about like headers or whatever tokens or API keys could be passed in an URL.
- themanmaran9 days ago
  I see a fair bit of utility here. We have an API product, and (despite having pretty clear docs) I almost always have to send people curl requests they can copy and run.
  So I see this as similar to having a sandbox built into your docs page. Except I can customize a request and send it directly to a user. The only missing piece is the authentication part. Since I wouldn't want to embed an api key in this link.
  - darubramha9 days ago
    Totally with you on that—your use case is exactly what I had in mind when I built uncurl.dev.
    I kept finding myself sending curl requests in Slack or email, and it felt clunky—especially when non-devs or support teams needed to test something quickly. uncurl.dev started as a way to make that share-and-execute process more visual and frictionless.
    For the auth part—embedding API keys in payload is a no-go in most cases. For now, sending out auth headers separately for them to fill in themselves is what I did within my workplace.
    I'm exploring a couple of ideas to help with this:
    Team-scoped secrets: For logged-in users or teams, saving common auth headers that aren’t part of the shared link.
    One-time, encrypted secrets: The link works once and destroys the sensitive payload after execution.
- aae4210 days ago
  could also just do the request in javascript instead of needing a (presumably hosted) sandbox
  - TheDong10 days ago
    curl supports many things javascript doesn't. Like http proxies, tls versions, and half the other flags
  - ultrafez10 days ago
    There are many types of request that cannot be made with client-side JS alone, but for those that can, the ability to send those requests client-side would be handy.
    markerz10 days ago
    I think that 99.9% of CURL commands are copied from Chrome/Firefox's network inspector and are the simple "client-side JS" types.
    I also think it's weird to be so willing to let people run arbitrary CURL commands from your platform, without any billing or account verification. It feels ripe for abuse.
    jasir10 days ago
    Even for commands that use the subset of cURL features that fetch supports, most requests to other domains (cross origin requests) wouldn't work anyway because the responses won't have the CORS[0] headers to allow being accessed from arbitrary websites. So running it client side would be infeasible for most requests.
    [0]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/COR...
    darubramha9 days ago
    Exactly — this was one of the core constraints I ran into early on.
    CORS was a blocker for client side requests, I have a separate branch where this is integrated, maybe will add it alongside server side execution to let the person creating the curl decide whether they can execute on browser or server side.
markerz10 days ago
Hey OP, your DELETE curl endpoint is unauthenticated! I can't DM you on HN and there's no contact on your website, so sorry for the public security disclosure. :(
- mzronek10 days ago
  That's part of the vibe in vibe coding.
  - reassess_blind9 days ago
    V.I.B.E - Very Insecure Backend Endpoint
- darubramha9 days ago
  Hey, thank you so much for catching this and calling it out , will take this up and fix it!
  Really appreciate you taking the time to look and let me know (even if it had to be in public). I have added a github repo for filing bugs (https://github.com/uncurl/uncurl-support) in the docs page :)
treesknees10 days ago
This is why in our codebase we have a rule to not use short options/flags for called commands like curl. And if there is only a short option available, it must be explained in a code comment.
- xrisk10 days ago
  Why do you call curl via the binary instead of using libcurl?
  - treesknees10 days ago
    As others stated, shell scripts and some other automation that have to call the cli tool directly, or where we need to build out the cmd and execute it on a remote node.
    We use libcurl and pycurl where it makes sense. This rule for cli options extends to other binaries as well, some that don’t offer libraries like curl does (think closed source firmware tools or ancient homegrown cli tools.)
  - markerz10 days ago
    Docker files too, basically just bash scripts with a different syntax
  - notpushkin10 days ago
    Bash scripts?
trollied10 days ago
Flagged this because it is a security clusterfuck.
- darubramha9 days ago
  Fair. I appreciate the honesty — even if it's a bit brutal :)
  Security is a top priority for this project, and I'm actively working to tighten things up. This initial version was launched to validate the concept, and admittedly, there were oversights (including an unauthenticated DELETE endpoint that was highlighted).
  If you're open to it, I'd love to learn more about what you'd want to see from a security standpoint in a tool like this. I'm building in public and happy to be corrected where needed.
  Thanks again for keeping things real.
VWWHFSfQ10 days ago
This would be useful if it was client-side only. I only very rarely have curl commands to run that don't also include some stuff like cookies and tokens, which I'm not sending to someone's server so they can run curl for me.
- byearthithatius10 days ago
  Multiple people already did and are confirming they can't even delete it. This website is literally a security issue itself.
  - darubramha9 days ago
    Hey, you can absolutely delete any curls created if done from a logged in user, for others it will get auto-purged in 30 days of non-usage.
- cgannett10 days ago
  I cant even get the thing to work
Tabular-Iceberg10 days ago
It seems very particular about what curl options it supports. I keep getting “Please enter a valid curl command” no matter what I do.
Maybe the only solution is to somehow extract the actual command line parser from curl itself.
- darubramha9 days ago
  Hey that is weird, can you file a bug report here with the curl you were trying?
  https://github.com/uncurl/uncurl-support
h1fra10 days ago
Interesting. Default behavior could be improved. I blindly pasted a curl, except showing my curl it didn't make any headers modifiable. It also didn't redacted the Authorization header. Also there is no way to delete a page.
- markerz10 days ago
  FYI, you can delete anyone's CURL (including your own if you were unauthenticated) with the following curl:
  https://uncurl.dev/curl/78ab4bf5-34e8-45a0-b3b1-32dd6aa7e360
  or this command
  curl -X DELETE "https://uncurl.dev/api/curls?id=051606b5-49c8-4f14-9689-4d424f71d331"
  Looks like deletes are unauthenticated.
  - darubramha9 days ago
    Haha love that you shared the curl with the uncurl.dev url!
    Yes, delete is unauthenticated as highlighted, will be working on a fix for this. And you can delete any API if it is created as a logged in user.
- serial_dev10 days ago
  Whether redacting the auth header is the best choice can be determined on a case by case basis, so I don't think it should redact by default. A big scary warning would definitely make sense, though!
- byearthithatius10 days ago
  Exact same thing happened to me. Had to reset my HN user cookie because accidentally pasted my downvote curl command.
benoitg10 days ago
The Jetbrains suite of IDEs have this handy feature : if you copy a curl command into an HTTP scratch file, it is automatically converted to the HTTP equivalent, which is IMHO much more readable.
Your project looks very cool though, and expands on the share aspect of the Jetbrains feature, very interesting!
- darubramha9 days ago
  Appreciate the kind words—and the comparison!
  uncurl.dev kind of grew out of that same spirit, but with the goal of making the output shareable and executable in a browser, especially for folks who might not have an IDE set up or are outside the usual dev loop (PMs, etc.)
- hk133710 days ago
  Paw (Now RapidAPI) has a nice feature that generates a http request. The curl plugin and http plugin are the main ones I use but there's several others to generate the code in other languages too.
- _kidlike10 days ago
  my thoughts exactly!
  Lately I feel like a lot of people think they are finding gaps around developer experience, but it's only because they don't know the right tools that already exist...
niek_pas10 days ago
Looks cool! One bug I found:
`curl www.google.com` works using 8.7.1 on macOS, but I get "Please enter a valid curl command" on your website.
- darubramha9 days ago
  :) the curl command parser expects some flags of GET, POST, stupidly overlooked, will get it fixed!
lenkite10 days ago
Feels like a security nightmare - this is far better distributed as a local desktop UI rather than one hosted.
- byearthithatius10 days ago
  It 100% is because he just keeps your curl and you can't even delete it. He just keeps it forever for himself even if you made a whoops. Already accidentally uploaded my HN user cookie and had to reset it. JFC.... -_-
  - darubramha9 days ago
    I have implemented auto-purge all curls that are created without login will get auto deleted after 30 days of non-usage.
    You can absolutely delete your curl if you have created as a logged in user.
  - thomasfromcdnjs9 days ago
    lmao I did similar.
flipperto10 days ago
While it looks good and even possibly useful, it seems to be a great way to leak sensitive cookies (especially since "copy as cURL" is so easy on the browser's network tab).
I would 100% forbid its use in a company environment and I would encourage people in general not to use it for any non-trivial use case.
- byearthithatius10 days ago
  Thank you. I literally already accidentally uploaded a cookie that I now need to reset because the website doesn't let me delete the curl -_-
byearthithatius10 days ago
This is just waiting for people to leak cookies oh my lord....
fitsumbelay10 days ago
This is a pretty cool project.
One thing: it's rejecting dict lookups as invalid URL, eg. `curl dict://dict.org/d:failure:fd-eng-fra`
I'm checking first here whether I missed something in the docs about not supporting DICT before I add issue to the GH repo
- darubramha9 days ago
  You didn’t miss anything in the docs. Right now uncurl.dev only supports http/https (and technically ftp, though it’s untested). Protocols like dict://, smtp://, etc. aren’t parsed or handled correctly yet, which is why you’re seeing that “invalid URL” error.
  I hadn’t actually considered dict:// usage, I see the bug report as well, thanks, will see if I can include it.
byearthithatius10 days ago
I already accidentally uploaded a cookie that I now need to reset because the website doesn't let me delete the curl -_-
- dwrowe10 days ago
  There is both this post about not being able to delete a curl, and other posts about being able to delete curls unauthenticated. Looks like you should be able to issue a DELETE curl request, to delete your curl.
- markerz10 days ago
  Definitely reset your password/account even if you can delete it from their website. Otherwise, you are trusting a stranger with no privacy policy or reputation.
  - byearthithatius10 days ago
    Great point, true!
- darubramha9 days ago
  You can delete the curl request if created from a logged in account.
  Non-logged in curls are auto purged after 30 days.
ustad10 days ago
Hey, that looks great.
Could you describe more about the docker sandbox that you have? I am especially interested in the network restrictions.
- darubramha9 days ago
  The sandbox is a lightweight Alpine-based container, it runs as a non-root user for security, it has minimal dependencies installed (curl, bash, coreutils)
  The container has restricted outbound access—only HTTP/S requests are allowed. It runs inside an isolated network namespace with no access to the host network or other infrastructure components. There's no inbound access, and the container can't receive unsolicited requests from the outside world.
  The sandbox container can only communicate with other containers in the same network, the main application container and sandbox container are on the same network, allowing them to communicate.
  - ustad9 days ago
    Thanks for the details!
    Do you think there could be ways for someone to abuse the network setup you have?
    For example, accessing other internet hosts or other containers in the same container network?
    What happens when curl gets redirect responses?
10 days ago
undefined
10 days ago
undefined
polishdude2010 days ago
Why the need for an account to execute? Are you executing the command on behalf of the user on your server? Is it possible to just do it locally in browser?
- darubramha9 days ago
  Yes — executions are done server-side, inside a resource-limited, sandboxed Docker container. That’s why login is required: to prevent abuse, rate-limit usage.
  I have a feature working to allow users browser side execution, but as others have also pointed out CORS is a big blocker for client side execution not working for all APIs.
- zamadatix10 days ago
  The post mentions the server is used during the optional execution. My guess as to why would be primarily because there are plenty of curl commands which are impossible to execute via the browser due to browser restrictions and secondarily because the execution is literally running curl, not trying to approximate the equivalent action.
  Local execution could still be a handy feature for at least the most common basic commands though, but it'd start to have to wade into "explaining a lot to the user why this isn't really what the result might look like" territory.
  - VWWHFSfQ10 days ago
    It actually looks like the server is used regardless. It's sending the full curl command to the backend even if not executing it.
    zamadatix10 days ago
    Well yeah, it's generating short links. I mean to highlight the server runs curl in a sandbox against the 3rd party host on behalf of the user, not just that the server and client talk to each other as you use the page.