Comment by yokaze

5 days ago

I create a malicious chart or compromise one you use (with a symlink to an arbitrary file and code).

You download charts either as a tarball from a Helm repo or an OCI registry with Helm, and Helm will create the files and links with your permissions, and send me whatever I wanted to extract from your system.

Yes, you should check things you download from the internet. But also, that is not how a chart is supposed to work.

As noted in other comments, a symlink is just a text reference to a file. It does not need to be created on the host system.
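The check a defender wants here is to inspect a packaged chart's tar entries before anything is written to disk, rejecting symlink and hard-link entries and any path that escapes the extraction directory. The following is an added example written for this page, not Helm's own code: it builds a constructed sample archive in memory (with a symlink entry and a `..` path, mirroring the scenario the comment describes) and scans it; the `Finding` type, `ScanChartArchive` and `BuildSampleChart` are names assumed for the example, and the symlink target `/etc/passwd` is a constructed sample value.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"fmt"
	"io"
	"path"
	"strings"
)

// Finding describes one archive entry that must not be extracted blindly.
type Finding struct {
	Name   string
	Reason string
}

// ScanChartArchive reads a gzipped tar (the format used for packaged charts)
// without extracting it and reports entries that are symlinks, hard links,
// or whose path would land outside the extraction directory.
func ScanChartArchive(r io.Reader) ([]Finding, error) {
	gz, err := gzip.NewReader(r)
	if err != nil {
		return nil, err
	}
	defer gz.Close()
	tr := tar.NewReader(gz)
	var findings []Finding
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			break
		}
		if err != nil {
			return nil, err
		}
		clean := path.Clean(hdr.Name)
		switch {
		case hdr.Typeflag == tar.TypeSymlink:
			findings = append(findings, Finding{hdr.Name, "symlink -> " + hdr.Linkname})
		case hdr.Typeflag == tar.TypeLink:
			findings = append(findings, Finding{hdr.Name, "hard link -> " + hdr.Linkname})
		case strings.HasPrefix(hdr.Name, "/") || clean == ".." || strings.HasPrefix(clean, "../"):
			findings = append(findings, Finding{hdr.Name, "path escapes extraction directory"})
		}
	}
	return findings, nil
}

// BuildSampleChart returns a constructed .tgz with one legitimate file, one
// symlink entry pointing outside the chart, and one path-traversal entry.
func BuildSampleChart() ([]byte, error) {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	entries := []struct {
		hdr  tar.Header
		body string
	}{
		{tar.Header{Name: "mychart/Chart.yaml", Mode: 0644, Typeflag: tar.TypeReg},
			"apiVersion: v2\nname: mychart\nversion: 0.1.0\n"},
		// Constructed symlink entry: the archive only carries the link text.
		{tar.Header{Name: "mychart/values.yaml", Mode: 0777, Typeflag: tar.TypeSymlink, Linkname: "/etc/passwd"}, ""},
		// Constructed traversal entry: resolves above the chart directory.
		{tar.Header{Name: "mychart/../../escape.txt", Mode: 0644, Typeflag: tar.TypeReg}, "x\n"},
	}
	for _, e := range entries {
		e.hdr.Size = int64(len(e.body))
		if err := tw.WriteHeader(&e.hdr); err != nil {
			return nil, err
		}
		if _, err := io.WriteString(tw, e.body); err != nil {
			return nil, err
		}
	}
	if err := tw.Close(); err != nil {
		return nil, err
	}
	if err := gz.Close(); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

func main() {
	data, err := BuildSampleChart()
	if err != nil {
		panic(err)
	}
	findings, err := ScanChartArchive(bytes.NewReader(data))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("REJECT %s: %s\n", f.Name, f.Reason)
	}
}
```

The scan works purely on tar headers, so a link entry is flagged from its recorded link text alone; nothing is created on the host, which is the point the comment makes about symlinks being just a reference inside the archive.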