Programmer Humor

21851 readers

1552 users here now

Welcome to Programmer Humor!

This is a place where you can post jokes, memes, humor, etc. related to programming!

For sharing awful code theres also Programming Horror.

Rules

Keep content in english
No advertisements
Posts must be related to programming or programmer topics

founded 2 years ago

MODERATORS

Feyter@programming.dev

anzo@programming.dev

BurningTurtle@programming.dev

pylapp@programming.dev

670

isInHell = 'true' (fedia.io)

submitted 3 days ago by MHLoppy@fedia.io to c/programmer_humor@programming.dev

83 comments fedilink hide all child comments

Original post: hachyderm.io (Mastodon)

you are viewing a single comment's thread
view the rest of the comments

[–] testfactor@lemmy.world 135 points 3 days ago (4 children)

Probably, but if you're interpreting user inputs as raw code, you've got much much worse problems going on, lol.

[–] LostXOR@fedia.io 36 points 3 days ago (1 children)

[...]&register=import os; os.system("sudo rm -rf /"); return True

[–] MajorHavoc@programming.dev 17 points 3 days ago

Hey, that's my username too. Or it was going to be, while the site was still up.

What a coincidence!

I guess I'll wait for the site to come back, and see if it's still available...

[–] mmddmm@lemm.ee 18 points 3 days ago (1 children)

It's the settiings file... It's probably supposed to only be written by the system admin.

[–] raldone01@lemmy.world 9 points 3 days ago* (last edited 3 days ago) (2 children)

A good place to put persistent malware. That's why when using docker images always mount as ro if at all possible.

[–] ashley@lemmy.ca 9 points 3 days ago (1 children)

It’s you can modify the settings file you sure as hell can put the malware anywhere you want

[–] MajorHavoc@programming.dev 1 points 14 hours ago* (last edited 14 hours ago)

It’s you can modify the settings file you sure as hell can put the malware anywhere you want

True. (But in case it amuses you or others reading along:) But a code settings file still carries it's own special risk, as an executable file, in a predictable place, that gets run regularly.

An executable settings file is particularly nice for the attacker, as it's a great place to ensure that any injected code gets executed without much effort.

In particular, if an attacker can force a reboot, they know the settings file will get read reasonably early during the start-up process.

So a settings file that's written in code can be useful for an attacker who can write to the disk (like through a poorly secured upload prompt), but doesn't have full shell access yet.

They will typically upload a reverse shell, and use a line added to settings to ensure the reverse shell gets executed and starts listening for connections.

Edit (because it may also amuse anyone reading along): The same attack can be accomplished with a JSON or YAML settings file, but it relies on the JSON or YAML interpreter having a known critical security flaw. Thankfully most of them don't usually have one, most of the time, if they're kept up to date.

[–] mmddmm@lemm.ee 4 points 3 days ago

Every environment has plenty of good places to put persistent malware. Even if you run your docker images as ro.

[–] 0x0@lemmy.dbzer0.com 8 points 3 days ago (1 children)

Given the warning about capitalization, the best possible case is that they're using ast.literal_eval() rather than throwing untrusted input into eval().

Err, I guess they might be comparing strings to 'True' and are choosing to be really strict about capitalization for some reason.

[–] MajorHavoc@programming.dev 12 points 3 days ago

Yeah. Maybe .to_lower() is really expensive in their environment, lol.

[–] SchwertImStein@lemmy.dbzer0.com 5 points 3 days ago

It's not User input, it's config file