Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Malicious Kubernetes Helm Charts can be used to steal sensitive information from Argo CD deployments - 776

Apiiro, posted 4 years ago
  • Argo CD is a Continuous Delivery (CD) service platform used all over the world.
  • To build a deployment pipeline, a user creates a Git repository or a Kubernetes Helm chart. A Helm chart is a YAML file that embeds various fields declaring the resources and configuration needed to deploy an application. The application can reference file names and paths in order to interact with the service with a more custom configuration.
  • Files referenced from the Helm files should ONLY live within that single directory; in 2019, a commit was released to enforce this. To prevent data theft, Helm charts must not be able to read files outside the Helm directory. Was the patch implemented properly?
  • While reviewing the Helm files, they noticed multiple locations where a URL could be specified. The directory-traversal validation runs only on file paths, not on URLs. So, what's the difference between a URL and a file path?
  • In Go, the function ParseRequestURI is used. The documentation says the following: "It assumes that url was received in an HTTP request, so the url is interpreted only as an absolute URI or an absolute path." By getting the parser to accept a local file path, the validation step can be bypassed, yet the request still uses a local file. The path /directory/values.yaml parses like a URL but is a legitimate file path.
  • According to the official security advisory, symbolic links can point outside of the Helm directory as well. Damn, this is a super classic problem that we are still seeing today!
  • Overall, the bugs are fairly straightforward, but the article is not styled very well and is sometimes hard to parse. The Go function accepting a local file path as a URL was super interesting and not something that I anticipated.
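To make the two bugs above concrete, here is an added Go example (mine, not code from Apiiro or from Argo CD) that models both the ParseRequestURI confusion and the symlink case. The chart directory `/charts/app`, the reference strings, the `LoadTarget*` function names and the temporary symlink layout are all constructed for the illustration; the real Argo CD code paths are not reproduced here.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideChart is returned when a reference resolves outside the chart directory.
var ErrOutsideChart = errors.New("reference resolves outside the chart directory")

// NaiveIsRemote mirrors the flawed decision described above: anything that
// url.ParseRequestURI accepts is treated as a URL and skips the path check.
// ParseRequestURI also accepts a bare absolute path such as "/outside/secret.yaml".
func NaiveIsRemote(ref string) bool {
	_, err := url.ParseRequestURI(ref)
	return err == nil
}

// IsRemoteURL treats a value as remote only when it carries a network scheme
// and a host; a bare absolute path has neither.
func IsRemoteURL(ref string) bool {
	u, err := url.ParseRequestURI(ref)
	if err != nil {
		return false
	}
	return (u.Scheme == "http" || u.Scheme == "https") && u.Host != ""
}

// withinBase reports whether path, after lexical cleaning, stays under base.
func withinBase(base, path string) bool {
	rel, err := filepath.Rel(base, path)
	if err != nil {
		return false
	}
	return rel != ".." && !strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// ResolveWithinChart treats ref as relative to chartDir (a leading "/" cannot
// escape because Join anchors it under the chart) and rejects ".." traversal.
func ResolveWithinChart(chartDir, ref string) (string, error) {
	base, err := filepath.Abs(chartDir)
	if err != nil {
		return "", err
	}
	candidate := filepath.Join(base, ref) // Join also cleans "." and ".." segments
	if !withinBase(base, candidate) {
		return "", ErrOutsideChart
	}
	return candidate, nil
}

// ResolveRealWithinChart additionally follows symlinks, so a link inside the
// chart that points outside it is rejected too (the advisory's second case).
func ResolveRealWithinChart(chartDir, ref string) (string, error) {
	candidate, err := ResolveWithinChart(chartDir, ref)
	if err != nil {
		return "", err
	}
	base, _ := filepath.Abs(chartDir)
	realBase, err := filepath.EvalSymlinks(base)
	if err != nil {
		return "", err
	}
	realCandidate, err := filepath.EvalSymlinks(candidate)
	if err != nil {
		return "", err
	}
	if !withinBase(realBase, realCandidate) {
		return "", ErrOutsideChart
	}
	return realCandidate, nil
}

// LoadTargetNaive models the vulnerable flow: a value that parses as a request
// URI skips the directory check, yet is later opened as a local file.
func LoadTargetNaive(chartDir, ref string) (string, error) {
	if NaiveIsRemote(ref) {
		return ref, nil // unvalidated: "/outside/secret.yaml" comes back as-is
	}
	return ResolveWithinChart(chartDir, ref)
}

// LoadTargetHardened skips the path check only for a genuine remote URL.
func LoadTargetHardened(chartDir, ref string) (string, error) {
	if IsRemoteURL(ref) {
		return ref, nil
	}
	return ResolveWithinChart(chartDir, ref)
}

// SymlinkEscapeResult builds a constructed temp layout (chart/values.yaml is a
// symlink to outside/secret.yaml) and returns the hardened resolver's verdict.
func SymlinkEscapeResult() error {
	tmp, err := os.MkdirTemp("", "chart-demo")
	if err != nil {
		return err
	}
	defer os.RemoveAll(tmp)
	chart, outside := filepath.Join(tmp, "chart"), filepath.Join(tmp, "outside")
	for _, d := range []string{chart, outside} {
		if err := os.MkdirAll(d, 0o700); err != nil {
			return err
		}
	}
	secret := filepath.Join(outside, "secret.yaml")
	if err := os.WriteFile(secret, []byte("constructed: true\n"), 0o600); err != nil {
		return err
	}
	if err := os.Symlink(secret, filepath.Join(chart, "values.yaml")); err != nil {
		return err
	}
	_, err = ResolveRealWithinChart(chart, "values.yaml")
	return err
}

func main() {
	refs := []string{"values.yaml", "../../outside/secret.yaml", "/outside/secret.yaml", "https://example.com/values.yaml"}
	for _, ref := range refs {
		naive, nerr := LoadTargetNaive("/charts/app", ref)
		hard, herr := LoadTargetHardened("/charts/app", ref)
		fmt.Printf("%-32s naive=%q (%v)  hardened=%q (%v)\n", ref, naive, nerr, hard, herr)
	}
	fmt.Println("symlink escape:", SymlinkEscapeResult())
}
```

The point of the `LoadTargetNaive` branch is that `/outside/secret.yaml` is returned untouched: the traversal check never runs because the string satisfied ParseRequestURI. The hardened variant classifies by scheme and host instead, and anything that is not a real remote URL is anchored under the chart directory and checked both lexically and, via `filepath.EvalSymlinks`, against where it actually points.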