undefined | Better HN

0 pointsajross10mo ago0 comments

> A symlink can be packaged up in a tarball and shipped from one system to another.

True enough, but if you have a victim unpacking and building untrusted tarballs there's no security boundary being crossed, is there? You don't have to bother with this symlink nonsense, just update the install script to include your payload directly.

Honestly this vulnerability is dumb. I don't see any realistic scenario where it can be exploited by an unprivileged attacker.

0 comments

url0010mo ago

When you do a helm pull and download a chart from a repo, I believe it's a tar-ball. So if you have a workflow where you install charts from the filesystem you could be impacted. I've done that in the past.

ajrossOP10mo ago

I can only repeat the assertion: if you have a victim pulling and installing untrusted tarballs, there is no security boundary being crossed.

It doesn't matter whether it's "from a repo". If you can't trust the repo it can feed you whatever it wants.

1 more reply

j / k navigate · click thread line to collapse