Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Devfile file write vulnerability in GitLab - 1422

Gitlab Security, posted 1 year ago
  • devfiles are a mechanism for describing Workspaces in Kubernetes environments for Gitlab. Workspaces are isolated environments. The parent field can be used as a base for a workspace, but it was banned in the devfile for security reasons.
  • At this point, the author noticed that two parsers existed: Ruby for Gitlab and Go for the Workspaces. So, if the author found a difference between the two parsers where Ruby didn't see something but workspaces did, it would be possible to smuggle in the parent field.
  • Prior to this, they had found a difference between Python and Go with the !!binary option. This didn't work here, but something similar did: !binary. The Go parser decodes the binary data for the key, but the Ruby parser does not. So, it's possible to add a parent, but ONLY as seen by the Go parser.
  • The author needed another bug to make this worthwhile. The devfile tar.gz parsing had a directory traversal issue. The code told the Go linter to ignore the opening of an arbitrary file because the path had been passed through filepath.Clean. However, filepath.Clean does NOT strip leading ".." segments from a relative path, so the path was not actually sanitized. This directory traversal allows writing outside of the intended area.
  • The author adds a few more notes. First, parser differentials are everywhere and should be looked for. Second, don't trust the comments. Third, you can't find all the bugs: they missed a go-git vulnerability while auditing this that was reported afterwards. Overall, a good writeup on an interesting bug!
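To make the filepath.Clean point concrete, here is an added Go example (my own code, not from the GitLab writeup) showing that Clean leaves a leading ".." in a relative archive member name untouched, alongside a containment check that resolves the member against the extraction directory instead. The directory name and member names are constructed for illustration.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// IsSafeTarEntry reports whether an archive member name stays inside destDir
// once joined to it. filepath.Clean alone is not a sufficient check: it
// collapses "a/../b" to "b" but leaves "../../x" exactly as it is, so a
// relative member name can still escape the extraction directory.
func IsSafeTarEntry(destDir, entry string) bool {
	absDest, err := filepath.Abs(destDir)
	if err != nil {
		return false
	}
	// An archive should never carry absolute member names; reject them outright.
	if filepath.IsAbs(entry) {
		return false
	}
	// Join cleans the combined path, so any traversal is resolved here.
	target := filepath.Join(absDest, entry)
	rel, err := filepath.Rel(absDest, target)
	if err != nil {
		return false
	}
	// After Rel, an escape shows up as a leading ".." component.
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

func main() {
	// Constructed member names: one benign, two traversals, one absolute.
	members := []string{"workspace/devfile.yaml", "../../escaped.txt", "a/../../b", "/etc/hostname"}
	for _, m := range members {
		fmt.Printf("%-24s clean=%-20s safe=%v\n", m, filepath.Clean(m), IsSafeTarEntry("/tmp/extract", m))
	}
}
```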