this post was submitted on 21 Mar 2025
681 points (100.0% liked)

Programmer Humor

22995 readers
1622 users here now

Welcome to Programmer Humor!

This is a place where you can post jokes, memes, humor, etc. related to programming!

For sharing awful code theres also Programming Horror.

Rules

founded 2 years ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
681
isInHell = 'true' (fedia.io)
submitted 1 month ago by [email protected] to c/[email protected]
82 comments fedilink hide all child comments
 

Original post: hachyderm.io (Mastodon)

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 93 points 1 month ago (23 children)

Is the backend Python and the frontend JavaScript? Because then that would happen and just be normal, because Boolean true is True in python.

[–] [email protected] 140 points 1 month ago (10 children)

Probably, but if you're interpreting user inputs as raw code, you've got much much worse problems going on, lol.

[–] [email protected] 22 points 1 month ago (4 children)

It's the settiings file... It's probably supposed to only be written by the system admin.

[–] [email protected] 10 points 1 month ago* (last edited 1 month ago) (2 children)

A good place to put persistent malware. That's why when using docker images always mount as ro if at all possible.

[–] [email protected] 10 points 1 month ago (1 children)

It’s you can modify the settings file you sure as hell can put the malware anywhere you want

[–] [email protected] 2 points 1 month ago* (last edited 1 month ago)

It’s you can modify the settings file you sure as hell can put the malware anywhere you want

True. (But in case it amuses you or others reading along:) But a code settings file still carries it's own special risk, as an executable file, in a predictable place, that gets run regularly.

An executable settings file is particularly nice for the attacker, as it's a great place to ensure that any injected code gets executed without much effort.

In particular, if an attacker can force a reboot, they know the settings file will get read reasonably early during the start-up process.

So a settings file that's written in code can be useful for an attacker who can write to the disk (like through a poorly secured upload prompt), but doesn't have full shell access yet.

They will typically upload a reverse shell, and use a line added to settings to ensure the reverse shell gets executed and starts listening for connections.

Edit (because it may also amuse anyone reading along): The same attack can be accomplished with a JSON or YAML settings file, but it relies on the JSON or YAML interpreter having a known critical security flaw. Thankfully most of them don't usually have one, most of the time, if they're kept up to date.

[–] [email protected] 4 points 1 month ago

Every environment has plenty of good places to put persistent malware. Even if you run your docker images as ro.

load more comments (1 replies)
load more comments (6 replies)
load more comments (18 replies)