←back to thread

Helm local code execution via a malicious chart

(github.com)
171 points irke882 | 4 comments | 09 Jul 25 05:49 UTC | HN request time: 0.769s | source
Show context
ivan4th ◴[09 Jul 25 12:23 UTC] No.44509174[source]
Helm is an abomination, as the whole idea of using a text template engine to generate YAML is. And this vulnerability adds insult to injury ;)

Sorry, just can't really recover from trauma of counting spaces and messing up newlines, etc. when writing Helm templates. You know, Lisp "sucks" because "you need to count parenthesis" (you actually don't), yet Helm is a widely accepted technology where you need to count spaces for (n)indent ;)

replies(5): >>44511394 #>>44512692 #>>44512702 #>>44515521 #>>44516363 #
1. JohnMakin ◴[09 Jul 25 17:27 UTC] No.44512692[source]
This isn't a uniquely helm thing though, they mostly use modified go templating. Lots of other things do this with yaml as well.
replies(2): >>44515896 #>>44531265 #
2. deathanatos ◴[09 Jul 25 23:52 UTC] No.44515896[source]
… and I think I'd argue that the parent's argument against the tooling would apply equally as well to those "other things", too.

The alternative here is something that manipulates the data structure directly. E.g., it might permit me to say:

  my_config_map.data["key"] = some_string_value
(This is in some pseudo-imperative language, vs. the parent's Lisp, but that distinction isn't particular relevant to the core of their argument, I think.)

And then at the end, the thing itself takes care of converting the resulting objects to YAML, thus preventing me from inadvertently turning what is meant to be a string into something like an accidental YAML-injection that results in terrible errors because I miscounted the number of spaces to indent something.

replies(1): >>44520276 #
3. JohnMakin ◴[10 Jul 25 12:33 UTC] No.44520276[source]
I wrote a small terraform wrapper around helm provider that basically does what you’re saying. official kubernetes + tf support is poor, but it’s been working well for me. I rarely if ever have to touch the yaml templates that I maintain.

however, this is usually true with working with helm in general if you are using charts other people maintain. That’s one of the strengths of helm. you just shove your values into the chart and it should work. Maintaining charts is not fun though which is why I wrote the wrapper for my purposes.

4. moondev ◴[11 Jul 25 12:15 UTC] No.44531265[source]
The funny thing is helm is as good or bad as what you make it. When folks complain about helm they are actually complaining about their own self created charts or poor selection of charts they install.