Helm local code execution via a malicious chart

(github.com)

171 points irke882 | 1 comments | 09 Jul 25 05:49 UTC | HN request time: 0.421s | source

Show context

sugarpimpdorsey ◴[09 Jul 25 06:59 UTC] No.44507048[source]▶

If we're being honest, YAML is one of the dumbest ideas of the last 20 years to have proliferated. How we got from XML to here I cannot comprehend.

This is not the first RCE involving YAML and it won't be the last.

replies(8): >>44507063 #>>44507118 #>>44507128 #>>44507156 #>>44507406 #>>44507812 #>>44507872 #>>44509145 #

ChocolateGod ◴[09 Jul 25 07:03 UTC] No.44507063[source]▶

>>44507048 #

Why we settled on a file format that relies on invisible characters I'll never know.

replies(3): >>44507183 #>>44507280 #>>44515549 #

imiric ◴[09 Jul 25 07:26 UTC] No.44507183[source]▶

>>44507063 #

You use invisible characters whenever you press Enter or Space. If you're referring to Tab, many of the most popular programming languages like Go and Python use them as part of their syntax.

The reason YAML was popularized is because it was a response to XML which isn't user friendly to write. It's unfortunate that the spec got so convoluted, and uses a lot of implicit behavior, but I'd rather write YAML than XML, JSON or TOML for things like configuration files. Nowadays there might be better alternatives, but YAML is the de facto standard.

It's also unfortunate that YAML got abused by people who wanted to turn it into a DSL, so we ended up with thousands of lines of Ansible playbooks, CI workflows, and Helm charts, but here we are.

replies(3): >>44507315 #>>44507341 #>>44508467 #

1. sofixa ◴[09 Jul 25 10:58 UTC] No.44508467[source]▶

>>44507183 #

> many of the most popular programming languages like Go and Python use them as part of their syntax

Go doesn't use tabs or whitespace as a part of its syntax. It's a part of the formatting, but not the syntax of the language.

Python on the other hand, one extra tab or whitespace can cause havoc.

↑