←back to thread

Helm local code execution via a malicious chart

(github.com)
171 points irke882 | 2 comments | 09 Jul 25 05:49 UTC | HN request time: 0.507s | source
Show context
sugarpimpdorsey ◴[09 Jul 25 06:59 UTC] No.44507048[source]
If we're being honest, YAML is one of the dumbest ideas of the last 20 years to have proliferated. How we got from XML to here I cannot comprehend.

This is not the first RCE involving YAML and it won't be the last.

replies(8): >>44507063 #>>44507118 #>>44507128 #>>44507156 #>>44507406 #>>44507812 #>>44507872 #>>44509145 #
ChocolateGod ◴[09 Jul 25 07:03 UTC] No.44507063[source]
Why we settled on a file format that relies on invisible characters I'll never know.
replies(3): >>44507183 #>>44507280 #>>44515549 #
imiric ◴[09 Jul 25 07:26 UTC] No.44507183[source]
You use invisible characters whenever you press Enter or Space. If you're referring to Tab, many of the most popular programming languages like Go and Python use them as part of their syntax.

The reason YAML was popularized is because it was a response to XML which isn't user friendly to write. It's unfortunate that the spec got so convoluted, and uses a lot of implicit behavior, but I'd rather write YAML than XML, JSON or TOML for things like configuration files. Nowadays there might be better alternatives, but YAML is the de facto standard.

It's also unfortunate that YAML got abused by people who wanted to turn it into a DSL, so we ended up with thousands of lines of Ansible playbooks, CI workflows, and Helm charts, but here we are.

replies(3): >>44507315 #>>44507341 #>>44508467 #
1. drysart ◴[09 Jul 25 07:49 UTC] No.44507315[source]
It's unfortunate, but inevitable. Every structured text data format that sees widespread use, given enough time, will eventually be turned into a DSL.
replies(1): >>44508395 #
2. cluckindan ◴[09 Jul 25 10:51 UTC] No.44508395[source]
In fact, once a structured text format is used as a data source for any process, it has already become a DSL.