Comment by mfer
5 days ago
This has nothing to do with Git. A symlink can be packaged up in a tarball and shipped from one system to another. An attacker would need to create a malicious Chart.yaml file and a Chart.lock file pointing to another file. Then ship those to a system where dependencies are then updated.
This doesn't affect things like installing or upgrading a chart. Dependencies aren't updated at that time.
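As an added example, not code from Helm or from anyone in this thread: a small Python check that inspects a chart tarball before it is handed to a dependency update, flagging a Chart.yaml or Chart.lock entry that is a symlink (the condition described above) and, more generally, any link or path that escapes the archive. The two archives it scans are constructed in memory, and the link target `../../some-other-file` is a placeholder.

```python
import io
import tarfile

# Files that `helm dependency update` reads and rewrites; if one of them is a
# symlink inside the chart, the tool would operate on the link's target instead.
SENSITIVE_NAMES = {"Chart.yaml", "Chart.lock"}


def audit_chart_archive(data: bytes) -> list:
    """Return a list of findings for a chart tarball given as bytes; empty means clean."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            parts = member.name.split("/")
            if member.name.startswith("/") or ".." in parts:
                findings.append(f"{member.name}: path escapes the extraction directory")
            if member.issym() or member.islnk():
                target = member.linkname
                if parts[-1] in SENSITIVE_NAMES:
                    findings.append(f"{member.name}: symlink to {target!r} in place of chart metadata")
                elif target.startswith("/") or ".." in target.split("/"):
                    findings.append(f"{member.name}: link escapes the archive ({target!r})")
    return findings


def build_archive(entries) -> bytes:
    """Build a constructed in-memory .tgz from (name, content, linkname) tuples."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content, link in entries:
            info = tarfile.TarInfo(name)
            if link is not None:  # symlink entry: no payload, only a target
                info.type = tarfile.SYMTYPE
                info.linkname = link
                tar.addfile(info)
            else:
                payload = content.encode()
                info.size = len(payload)
                tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Constructed sample archives: a normal chart and one whose Chart.lock is a symlink.
CLEAN_CHART = build_archive([
    ("mychart/Chart.yaml", "apiVersion: v2\nname: mychart\nversion: 0.1.0\n", None),
    ("mychart/Chart.lock", "dependencies: []\n", None),
])
SYMLINKED_CHART = build_archive([
    ("mychart/Chart.yaml", "apiVersion: v2\nname: mychart\nversion: 0.1.0\n", None),
    ("mychart/Chart.lock", None, "../../some-other-file"),  # placeholder target
])

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_CHART), ("symlinked", SYMLINKED_CHART)):
        print(label, audit_chart_archive(blob) or "OK")
```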
> A symlink can be packaged up in a tarball and shipped from one system to another.
True enough, but if you have a victim unpacking and building untrusted tarballs there's no security boundary being crossed, is there? You don't have to bother with this symlink nonsense, just update the install script to include your payload directly.
Honestly this vulnerability is dumb. I don't see any realistic scenario where it can be exploited by an unprivileged attacker.
When you do a helm pull and download a chart from a repo, I believe it's a tarball. So if you have a workflow where you install charts from the filesystem you could be impacted. I've done that in the past.
I can only repeat the assertion: if you have a victim pulling and installing untrusted tarballs, there is no security boundary being crossed.
It doesn't matter whether it's "from a repo". If you can't trust the repo it can feed you whatever it wants.