
Fully compiled languages don't even have an eval at all.



Not with that attitude

Start shipping the compiler with your code for infrastructure-agnostic RCEs


When you turn pro you call it security software and add it to the kernel.


No, but they have system or the like, which is effectively the same, just being evaluated by the shell. https://man7.org/linux/man-pages/man3/system.3.html


And thanks to the magic of "shoving strings from the Internet into a command line", poof, RCE! It bit GitLab twice


What incident are you referring to?


https://gitlab.com/gitlab-org/gitlab/-/issues/327121 is the first one, and I'm having trouble locating the second (possibly due to the search pollution from the first one) but there are a bunch of "Exiftool has been updated to version [0-9.]+ in order to mitigate security issues" style lines in their security releases feed so it's possible they were bitten by upstream Exiftool CVEs

Anyway, turns out that shelling out to an external binary fed with bytes from the Internet is good fun


a) system doesn't let you modify the state of the running process so it doesn't attract abuse like the example here. It's still a bad function but calling it effectively the same is absurd - the scope for "clever" usage of it is much much lower.

b) It's a legacy misfeature that I hope new compiled languages don't copy. There are much much better interfaces for running processes that don't rely on an intermediate shell.

c) Shell escaping is much more stable than some hipster language like PHP where you'd need to update your escaping for new language changes all the time.
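Added example (mine, not any commenter's) of the shell-free interface point b) is making, in C: fork/execvp with an argv array plus a pipe to capture stdout. The filename argument is a constructed sample containing shell metacharacters; passed as one argv element it is printed verbatim, whereas system(3) would hand the whole string to `sh -c` to be parsed.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Run argv[0] with the given argument vector (no shell involved) and copy its
 * stdout into out (NUL-terminated, truncated to outlen-1 bytes).
 * Returns the child's exit status, or -1 on failure. */
int run_capture(char *const argv[], char *out, size_t outlen)
{
    int fds[2];
    if (pipe(fds) == -1) return -1;
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) {                    /* child: stdout -> pipe, then exec */
        close(fds[0]);
        dup2(fds[1], STDOUT_FILENO);
        close(fds[1]);
        execvp(argv[0], argv);         /* each argv entry arrives verbatim */
        _exit(127);                    /* only reached if exec failed */
    }
    close(fds[1]);
    size_t used = 0;
    char buf[256];
    ssize_t n;
    while ((n = read(fds[0], buf, sizeof buf)) > 0) {
        size_t room = outlen - 1 - used;
        size_t take = (size_t)n < room ? (size_t)n : room;
        memcpy(out + used, buf, take);
        used += take;                  /* excess output is drained and dropped */
    }
    out[used] = '\0';
    close(fds[0]);
    int status;
    if (waitpid(pid, &status, 0) == -1) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Demo: a constructed "filename" with shell metacharacters is passed to echo
 * as a single argument. system("echo " + name) would let sh split it into
 * two commands; here the ';' is just a byte inside one argument. */
int main(void)
{
    char out[256];
    char *argv[] = { "echo", "report.jpg; echo INJECTED", NULL };
    int rc = run_capture(argv, out, sizeof out);
    printf("exit=%d stdout=%s", rc, out);   /* argument echoed verbatim */
    return rc;
}
```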


You can build an eval for a compiled language, absolutely. You can embed an interpreter, for example, or build one using closures. There's entire books on this, like LiSP in Small Pieces.
