
171 points irke882 | 3 comments
sugarpimpdorsey No.44507048
If we're being honest, YAML is one of the dumbest ideas of the last 20 years to have proliferated. How we got from XML to here I cannot comprehend.

This is not the first RCE involving YAML and it won't be the last.

replies(8): >>44507063 >>44507118 >>44507128 >>44507156 >>44507406 >>44507812 >>44507872 >>44509145
immibis No.44507872
NIH syndrome and "inverse second system effect". In the real second system effect, the second system is more complicated because it includes everything that could possibly be perceived as missing in the first system. In the inverse second system effect the first system was perceived as too complicated, not too simple, so the second system is much simpler and doesn't do its job well.

Also, this vuln has nothing to do with YAML.

replies(1): >>44509110
1. galangalalgol No.44509110
It is tangentially related in that YAML became normal to use as a DSL within the devops world. As another post said, everything becomes a DSL eventually because people want to be "fully configurable", not realizing that is roughly the same thing as not being complete yet. But in this case the lack of direct acknowledgement of YAML as an interpreted language, with an interpreter that doesn't think of itself as such and hence doesn't have a real sandbox, is what leads us to the present. People didn't use XML as a DSL as often because it was so flexible. That would be like using C++ as a DSL instead of to write the interpreter for one.
replies(1): >>44531353
2. moondev No.44531353
This is like blaming python problems on yaml because someone embedded a python script in a multiline string.
replies(1): >>44533823
3. galangalalgol No.44533823
I wasn't blaming YAML at all. Our mistake is thinking we are using it as a configuration file, when we are actually using it as an interpreted language. Not YAML's fault people are writing DSL interpreters unknowingly. It's just related because people who make that mistake are picking YAML. I nearly made the mistake with TOML a few years ago. You could even make the mistake with complicated environment variable usage. Whenever your configuration source is flexible enough to create executable primitives, it needs to be sanitized. And really that is whenever a configurable value gets used in a conditional, which is often. Especially considering that even numeric values become conditional when they are used in operations that can result in UB or even just exceptions/panics/unhandled errors. Not a YAML exclusive.
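Added example, not code from the thread or from any project it discusses, illustrating the point made by sugarpimpdorsey ("not the first RCE involving YAML") and galangalalgol above: a YAML document stops being a configuration file the moment the loader honours construction tags, because then the document decides what code runs. It assumes PyYAML (`import yaml`) is installed; the config texts and the `validate_config` schema are constructed for the example and are hypothetical.

```python
# Added example, not the thread's or any project's own code. Shows that a
# loader which resolves construction tags (PyYAML's yaml.Loader) is an
# interpreter with no sandbox, that yaml.safe_load refuses such tags, and
# that a schema check on the loaded data is a separate step. Assumes PyYAML.
import yaml

# Constructed sample. The tag tells an unsafe loader to import math and call
# math.factorial(5) while building the document. A hostile document would
# name subprocess.check_output or os.system instead; the mechanism is identical.
TAGGED_CONFIG = """\
service: api
workers: 4
seed: !!python/object/apply:math.factorial [5]
"""

# The same settings as plain data, which is all a config file should carry.
PLAIN_CONFIG = """\
service: api
workers: 4
seed: 120
"""


def load_with_tag_execution(text):
    """Unsafe: yaml.Loader resolves python/object/apply by calling the target."""
    return yaml.load(text, Loader=yaml.Loader)


def load_plain_data(text):
    """Safe: safe_load knows only the core YAML types and rejects the tag.

    Returns (data, error); error is the ConstructorError when the document
    is rejected, so a tagged document yields no data at all.
    """
    try:
        return yaml.safe_load(text), None
    except yaml.constructor.ConstructorError as exc:
        return None, exc


def validate_config(cfg):
    """Hypothetical schema for the sample config.

    The loader only hands back data; checking types and ranges before a
    value reaches a conditional or an arithmetic operation is the
    "sanitize" step the comment above asks for. Returns a list of errors.
    """
    errors = []
    if not isinstance(cfg, dict):
        return ["document must be a mapping"]
    if not isinstance(cfg.get("service"), str):
        errors.append("service: expected string")
    workers = cfg.get("workers")
    # bool is a subclass of int in Python, so exclude it explicitly.
    if isinstance(workers, bool) or not isinstance(workers, int) or not 1 <= workers <= 64:
        errors.append("workers: expected integer in 1..64")
    seed = cfg.get("seed")
    if isinstance(seed, bool) or not isinstance(seed, int):
        errors.append("seed: expected integer")
    return errors


if __name__ == "__main__":
    print("unsafe loader executed the tag:", load_with_tag_execution(TAGGED_CONFIG))
    _, err = load_plain_data(TAGGED_CONFIG)
    print("safe loader rejected the tag:", err is not None)
    data, _ = load_plain_data(PLAIN_CONFIG)
    print("safe loader + schema errors:", validate_config(data))
```

Usage note: the safe path is `load_plain_data` followed by `validate_config`; the unsafe path exists only to show what `yaml.Loader` does with a document it did not author. Ruby's Psych (`YAML.load` versus `YAML.safe_load`) has the same split, which is why the comment's point is not specific to one language.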