MAJOR EXPLOIT: GitLab was Hacked with an IMAGE??

  Рет қаралды 208,003

Daniel Boctor

Daniel Boctor

Күн бұрын

Пікірлер
@DanielBoctor
@DanielBoctor 11 ай бұрын
THANKS FOR WATCHING ❤ JOIN THE DISCORD! 👉 discord.gg/WYqqp7DXbm 👇 Let me know what type of bug bounty reports you would like to see next! 👇
@ArthurKhazbs
@ArthurKhazbs 11 ай бұрын
Epic move from the GitLab team paying 100% bounty for a vulnerability in the code they didn't even write
@DanielBoctor
@DanielBoctor 11 ай бұрын
I know, GitLab made a good move. A good reputation among bug hunters can be very valuable.
@tg_2137
@tg_2137 11 ай бұрын
You could argue that the way they validate file types is part of the exploit, at least on their end.
@hunchie
@hunchie 11 ай бұрын
Very true, but it’s tough that it’s only $20,000. The sad reality is that such a “small” quantity means you rely on the morality of the white hat hacker rather than the economic incentive, since surely there are millions of dollars of potential payout for zero-day exploits on major SCM platforms in an immoral market.
@nostii
@nostii 11 ай бұрын
@@hunchie i mean 20k is 20k, still a lot of money
@DanielBoctor
@DanielBoctor 11 ай бұрын
@huchie it's a real issue for sure. In September 2023, Operation Zero raised it's payouts for iOS and Android RCE exploits to $20,000,000. For comparison, the Apply bug bounty program is only offering up to $1,000,000 for the same type of exploit, if reported.
@jems5996
@jems5996 11 ай бұрын
I think the inventor of PHP once said about eval: “If eval is the answer, you’re almost certainly asking the wrong question.”
@DanielBoctor
@DanielBoctor 11 ай бұрын
beautifully said
@ozanmuyes
@ozanmuyes 10 ай бұрын
Even PHP guys knows it 🧐
@joehunterdev
@joehunterdev 10 ай бұрын
🤣
@JohnGardnerAlhadis
@JohnGardnerAlhadis 4 ай бұрын
Coming from the bloke who designed PHP? The language that can't decide if it wants to be a libc(3) front-end, a templating language, a general-purpose programming language, or a glue language for webservers? That's rich.
@dealloc
@dealloc 11 ай бұрын
Anytime I see user input being passed to eval it sends shivers down my spine. There's always the question _when_ (not if) it will be exploited.
@DanielBoctor
@DanielBoctor 11 ай бұрын
yup, guess someone never learned about defensive programming 😔
@twitchizle
@twitchizle 11 ай бұрын
​@@DanielBoctor i recently learnt that, you shouldn't trust user input even after successful database query, I'm not talking about SQL injection, I'm talking about character encoding.
@dealloc
@dealloc 11 ай бұрын
@@twitchizle Absolutely. God forbid you use regex, but in case you need to, you have to think twice before passing user input directly in to a regex without any form of sanitization. It will simplify the regex as well so you don't have to handle all kinds of edge cases that are likely to make it exploitable to ReDoS.
@MasterBroNetwork
@MasterBroNetwork 11 ай бұрын
Why do people use eval in production code in the first place?
@boomknuffelaar
@boomknuffelaar 11 ай бұрын
@@twitchizle Wait, shouldn't trust input after successful database query? Are you doing input validation after using the input to query a database?
@jalvrus
@jalvrus 11 ай бұрын
As soon as you said "metadata", I was expecting a buffer overflow. Instead I got regex *and* eval. Double evil!
@brawldude2656
@brawldude2656 9 ай бұрын
eval the oldest trick in the book still works time to time
@shrunkensimon
@shrunkensimon 11 ай бұрын
Eval and regex together. Delicious.
@DanielBoctor
@DanielBoctor 11 ай бұрын
the forbidden combo
@anon_y_mousse
@anon_y_mousse 11 ай бұрын
It still amazes me how many people fail to adequately check user input. If you're reading something that comes from an external source or that can be modified by a user of the system, that is most definitely user input and should be checked.
@battokizu
@battokizu 7 ай бұрын
Im glad it wasn't sanitized and they deserve it.
@AM-yk5yd
@AM-yk5yd 11 ай бұрын
I was ready to write snarky "wouldn't happen in Rust", but the bug is so bizarre, it wouldn't happen in C. In fact using eval seems like a clever trick. And "Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it" comes from Kernighan himself.
@robertkiestov3734
@robertkiestov3734 10 ай бұрын
You will never be a woman
@KryptLynx
@KryptLynx 9 ай бұрын
Well using "eval" for anything but executing code from string violates "minimal authority" principle. Also, I pretty sure, djvu's list of escaped symbols do not match perl's list of escaped symbols
@teeesen
@teeesen 11 ай бұрын
13:44 The buggy code wasn’t fixed. It was made unexploitable; but the bug remains. As someone else mentioned, the simple and straight forward approach is to deal with escapes and finding the closing quote in one pass.
@Yolwoocle
@Yolwoocle 11 ай бұрын
Would you mind explaining how? The eval call was removed
@DanielBoctor
@DanielBoctor 11 ай бұрын
It's sneaky, but @teeesen is right. It was a strange choice indeed. The underlying bug originated on line 227, which was due to the misuse of the dollar symbol within the regular expression. When you look at what was patched (full diff is in my description), no changes were made to line 227. Only the eval line was replaced. Technically, the bug still exists ($tok would continue to contain the same string), however it was made unexploitable due to the removal of the eval line, which is what caused the harm. You would need both lines to pull off the exploit. Link to the still present regex POST PATCH: github.com/exiftool/exiftool/blob/cf0f4e7dcd024ca99615bfd1102a841a25dde031/lib/Image/ExifTool/DjVu.pm#L227 Link to the diff github.com/exiftool/exiftool/commit/cf0f4e7dcd024ca99615bfd1102a841a25dde031
@TheJamesM
@TheJamesM 10 ай бұрын
In the interest of pedantry: while the eval _call_ was removed, the /e modifier on the regex substitution means that the replacement half of the regex will be evaluated by Perl. What the new regex does is look up the escaped character in a hash table. If it's present, it substitutes in the corresponding value; if not, it leaves the escape sequence as-is (using short circuit evaluation). Presumably the more naïve solution would be preferable: consume the string character-by-character, keeping track of whether the preceding character was an unescaped backslash (using an escape sequence whitelist as they've done in their patch probably isn't a bad idea). I'm not sure if this would have a meaningful performance impact when parsing very large numbers of files. Regardless, security is more important.
@Jeff-ss6qt
@Jeff-ss6qt 9 ай бұрын
​​​@@DanielBoctorIf they then blindly deem the bug patched and the code secure, what would happen if they decide to directly use the output from the code somewhere else in another program?
@lordkekz4
@lordkekz4 6 ай бұрын
@@TheJamesM I'd actually expect the naive solution to be more performant, since even that regex is way more complicated than just flipping a boolean variable. Also I find the code way harder to read than it needs to be. Someone tried to be clever and make it beautiful, but it requires a lot more thought to work with.
@thegreatbambino3358
@thegreatbambino3358 11 ай бұрын
Im surprised they didnt just rm -rf their db1 again to solve the problem
@DanielBoctor
@DanielBoctor 11 ай бұрын
underrated comment
@perrintommy1765
@perrintommy1765 6 ай бұрын
@@DanielBoctor underated reply
@placeholder-k9n
@placeholder-k9n 6 ай бұрын
As soon as you mentioned metadata, my first thought was "somebody used it to inject code into memory." Sometimes the worst issues come from the simplest oversights.
@newwindserver
@newwindserver 11 ай бұрын
jeez this is horrible security, languages should not be able to evaluate code from user input during runtime, even if its *almost* always "safely" sanitized.
@HwSystems
@HwSystems 11 ай бұрын
So true, the laziness and carelessness of some programmer is astonishing.
@joe-skeen
@joe-skeen 11 ай бұрын
And especially not inside a library or tool that others consume without knowing what risks they are accepting.
@JorgetePanete
@JorgetePanete 11 ай бұрын
it's*
@dennisestenson7820
@dennisestenson7820 11 ай бұрын
It's not really up to the language to decide whether code should be executed or not. It doesn't know or care where the code came from. Even if it did, there'd be ways to subvert it.
@Aera223
@Aera223 11 ай бұрын
@@dennisestenson7820 like writing to a file, then using include to include it as code... if include is disabled, lots of stuff fails, and timestamp checking could cause other bugs, if it is intended behaviour, for example
@Rotem_S
@Rotem_S 11 ай бұрын
DJVU isn't an obscure file format, it's the standard way to share things like book scans and is much better at that than PDF
@TheJamesM
@TheJamesM 10 ай бұрын
Sounds like "specialist" would have been a better description.
@aiexzs
@aiexzs 10 ай бұрын
i'd rather manually write an image in binary than try to edit a PDF so i'm sure it's better
@JohnGardnerAlhadis
@JohnGardnerAlhadis 4 ай бұрын
​@@aiexzs Why would you not edit the PDF in binary, then? Its structure is extensible but quite straightforward.
@aiexzs
@aiexzs 4 ай бұрын
@@JohnGardnerAlhadis isn't it XML and a bunch of raw data mixed in? i'd definitely write an svg manually over that
@VaguerGolf05
@VaguerGolf05 11 ай бұрын
This is hugely interesting it’s crazy how people can find these over looked bugs
@DanielBoctor
@DanielBoctor 11 ай бұрын
Some of these bug hunters are on another level
@jfbeam
@jfbeam 11 ай бұрын
True, but this one could be found with grep. ANYTHING that calls eval is bound to have an issue like this. (I won't count the number of times I've seen this is stupid in "web applications" - perl, php, python, ...)
@s1nistr433
@s1nistr433 11 ай бұрын
There are so many microscopic bells and whistles you have to focus on while making a website, so many ways of remote code execution by some small file format from 20 years ago where the specific exif metadata allows for direct access to the database, like it's difficult even for an entire team of people. If making websites was more streamlined and didn't require so many random libraries and so much of the same repetitive manual labor we wouldn't have issues like this. Web frameworks do help but not nearly enough
@jfbeam
@jfbeam 11 ай бұрын
@@s1nistr433 And there's the problem: no one actually builds a website anymore, they just install and glue together whatever shiny they see. (and then ignore any security alerts / patches. Wordpress anyone?) That's what happened here. They grabbed EXIF and never cared to look at what it _can_ do.
@beepbop6697
@beepbop6697 11 ай бұрын
They likely just searched the opensource code for usage of "eval", and figured: I can hack that.
@IvanToshkov
@IvanToshkov 11 ай бұрын
Thank you for the very informative video! Besides the horrific use of `eval` here, I can't understand why they used regexes for this in the first place. The whole escape processing and finding the closing quote can be done together with a single loop pass. There's must be a law that you have to use regex everywhere in Perl. Just take a look at the patch! (13:41).
@DanielBoctor
@DanielBoctor 11 ай бұрын
Glad you liked it! It definitely seems that it could have been done differently. It's already alarming enough when you find this commented directly above the function lol. # Notes: The DjVu annotation syntax is not well documented, so I make a number of assumptions here!
@jerobarraco
@jerobarraco 11 ай бұрын
nice comment. ive seen people using regex becauae its 'fancy' but they themselves dont really understand it. and even if they do it makes it harder to understand for other devs, and more expensive to maintain. since now you require more knowledgable devs to deal with that.
@davestorm6718
@davestorm6718 11 ай бұрын
Naturally, using eval for this task was a bad idea (or lazy), but don't put all your faith in regex. It's cool and saves a lot of dev time, but, honestly, it's kind of slow (and requires a lot of testing with different inputs when your match pattern gets really complex). Sometimes you have to just go back to the basic loops and simple tests (gasp!) - that eliminates ambiguity, but doesn't look as "cool" - though a potential exploit would reveal itself immediately (not so with regex). This is all relative to the skills of the dev for these high level functions we take for granted, of course.
@TheJamesM
@TheJamesM 10 ай бұрын
I think it's a pretty good demonstration of how languages with roughly equivalent capabilities can lead people to code quite differently by way of the languages' respective design choices. Perl treats regular expressions as an integral part of the language to the degree that there are operators for regex matching and substitution. That doesn't necessarily correspond to any greater efficiency behind the scenes, but psychologically it feels that much more natural to use them. If nothing else, the resultant code will be shorter, which on some level feels like it ought to be faster.
@almightyhydra
@almightyhydra 11 ай бұрын
Ugh. Surely rather than using regex, just iterating the string one character at a time and figuring out the escapes along the way would be simpler, safer and faster?
@acters124
@acters124 11 ай бұрын
It would be easier and safer to just grab the string, make sure the size is not too big, and iterate over the entire string, and convert them, Its entirely possible there are libraries already made for this. Not sure why this is what ended up in prod. eval sucks
@davestorm6718
@davestorm6718 11 ай бұрын
I agree. Regex saves time and makes difficult parsing tasks easier. On the flip side, it has all that extra overhead to handle generalized cases. This means it is slower (a lot of throughput tests done over the years shows this to be true). For this particular task, it's overkill (like using a microcontroller to make a blinking light instead of single transistor).
@TheJamesM
@TheJamesM 10 ай бұрын
Yeah, do it the way the specification is defined: left to right in atomic units.
@austingoodrich2193
@austingoodrich2193 11 ай бұрын
About 20 seconds in, I turned my headset up to max volume because I thought I was hearing the "Cicada 3301" video by LEMMiNo! Checked your description and saw the mentions, good choice!
@DanielBoctor
@DanielBoctor 11 ай бұрын
haha I know! He's an inspiration to me. It's cool that you picked up on it!
@Bokatrice
@Bokatrice 10 ай бұрын
This reminds me about how you used to be able to run console commands in Garry's Mod by sending a chat message containing "; ...because the chatbox just ran the 'say' command and you can cut the quote early. It's not sanitised. Then the semicolon tells the console that a second command is being typed. So, typing the following: man i'm dead"; kill would get interpreted as say "man i'm dead"; kill This no longer works as they now properly escape double quotes in the chatbox.
@nicholasvinen
@nicholasvinen 11 ай бұрын
That Perl code looks like something out of an obfuscated programming competition...
@einsteinx2
@einsteinx2 10 ай бұрын
So basically just standard Perl then. 😂They don’t call it a write-only programming language for nothing!
@saeedgnu
@saeedgnu 11 ай бұрын
Running an external Perl program (or any script) in a non-isolated environment sounds very stupid! Specially since Perl is something between Bash and Python! And with low readability!
@RuriYoshinova
@RuriYoshinova 11 ай бұрын
A lot of people already told me how dangerous eval is, and I'm surprised that even big companies do this..
@DanielBoctor
@DanielBoctor 11 ай бұрын
Keep in mind that this was done in ExifTool, which is a 3rd party library that GitLab was using. They didn't write it themselves, but yeah, it shouldn't have been used regardless.
@RuriYoshinova
@RuriYoshinova 10 ай бұрын
@@DanielBoctor it is still their end though, they couldn't have used a tool that is vulnerable to exploits, or review them before even using it.
@purelaziness7095
@purelaziness7095 9 ай бұрын
An offering for the algorithm gods. Keep it up!
@DanielBoctor
@DanielBoctor 9 ай бұрын
Thank you!
@bringbackwindowsphone
@bringbackwindowsphone 10 ай бұрын
Loved the video! Just wanted to point out that WhatsApp is native instead of Electron as of mid 2023.
@DanielBoctor
@DanielBoctor 10 ай бұрын
Thanks! Also good catch, thanks for pointing this out. I stand corrected. Also, did you comment this on the wrong video? lol
@bringbackwindowsphone
@bringbackwindowsphone 10 ай бұрын
@@DanielBoctor HUH HOW DID THE COMMENT END UP HERE WHAT??? Maybe it autoplayed while I was typing it lol
@MyAmazingUsername
@MyAmazingUsername 10 ай бұрын
Wow, the production quality is like a channel with 100k+ subscribers. I subscribed. This is awesome!
@DanielBoctor
@DanielBoctor 10 ай бұрын
Thank you! Glad to have you apart of the community. If you thought this one was good, just wait until my next one 😜
@MrHenryG123
@MrHenryG123 10 ай бұрын
Mind boggling that Workhorse would determine filetype based off extension, like it isnt even difficult to implement a solution to fix that (i.e. just run it through `file` on most Linux distros).
@beepbop6697
@beepbop6697 11 ай бұрын
8:10 eval -- oh no. Just no. Never execute anything that is untrusted!!
@DanielBoctor
@DanielBoctor 11 ай бұрын
rule #1 was broken 😔
@TopchetoEU
@TopchetoEU 11 ай бұрын
regex and eval? seems like a recipy for disaster
@DanielBoctor
@DanielBoctor 11 ай бұрын
couldn't have said it better myself
@SivaranjanGoswami
@SivaranjanGoswami 10 ай бұрын
I expensively use regex when I need to analyze some text data on my local. But when I write a code for production, I avoid regex most of the time. I always feel safer to write string parsers manually.
@Mitch-xo1rd
@Mitch-xo1rd 11 ай бұрын
I might superstitious, but eval should NEVER be used in production code. Especially with user input, "sanitized" or not. No exception.
@DanielBoctor
@DanielBoctor 11 ай бұрын
It should definitely be avoided whenever possible. It's not only a massive risk, but also unnecessary most of the time.
@marsovac
@marsovac 11 ай бұрын
Never is a hard word. WOuld you also say that user provided data should never be sent to SQL? You just need to correctly escape and sanitize the data. But you need it, you cannot avoid using it. If you don't you get SQL injection, or in this case unautorized code execution. It could have been avoided here, but there are use cases where it is needed by design (eg. scripting). In this scenario the process running Exif also should never have had permission to run system calls, which exif doesn't need, but that is beside the point, a last measure of protection when all rest fails.
@ratchy1231
@ratchy1231 11 ай бұрын
​@@marsovac In SQL you can also use parametrized queries instead of escaping user input inside a query string. I think that's the safest choice.
@marsovac
@marsovac 11 ай бұрын
@@ratchy1231 i know, but that is the same thing, except you don't do the escaping yourself, but let it to a framework.
@ratchy1231
@ratchy1231 11 ай бұрын
@@marsovac Technically parameterized queries/prepared statements are made in a way that user input sanitization is not necessary, as the statement and the parameters are processed completely separately, bypassing the problem of SQL injection altogether. I only wanted to mention this to remind everyone that even SQL doesn't require an "eval". Sanitizing string input works well but you never know, someone could find a way to escape it under weird circumstances!
@forty4seven46
@forty4seven46 11 ай бұрын
I really enjoy your videos! However, I suggest slightly lowering the volume of the background music to enhance the overall experience. 😅 Keep up the fantastic work! ❤️❤❤
@DanielBoctor
@DanielBoctor 11 ай бұрын
Thank you!! I appreciate the support ❤. Means a lot
@TheControlMastr
@TheControlMastr 10 ай бұрын
What an amazing video, always learning from you Dan! I missed the OG background music 😁 The sandwich analogy is literally clutch, new way of looking into backslashes and quotes!
@DanielBoctor
@DanielBoctor 10 ай бұрын
Thank you @TheControlMastr! You're a real one for all the support. Thanks for watching 😊
@IlluminatiBG
@IlluminatiBG 9 ай бұрын
Eval is quite useful for dynamic feature check, but it is often misunderstood and used for either data processing or breaking the boundary of trust. Everything passed to eval should come only from sources that already have execution access. But this specific usage of eval fails on both cases. Here there is another bug due to infinite loops. All data (especially untrusted data) should be under a length constraint. 1GiB of key or a value in a metadata is not valid metadata, parser loops passing such data should be finite and reasonably small.
@sherpya
@sherpya 11 ай бұрын
using eval to unescape strings 💀
@DanielBoctor
@DanielBoctor 11 ай бұрын
bro really used eval 💀
@cat-.-
@cat-.- 11 ай бұрын
the hidden semantics in the $ of the regex is wild, but parsing a string literal with the approach showed in the video is still a clever trick. I only know to scan the literal and handle escape sequences on site. I will keep doing that though
@m.projects
@m.projects 11 ай бұрын
3:39 RAM pictures are the old DIMM sticks, nice
@DanielBoctor
@DanielBoctor 11 ай бұрын
very observant lol
@SuperPupperDoggo
@SuperPupperDoggo 11 ай бұрын
you say that disposable browser is free… what’s the catch?
@DanielBoctor
@DanielBoctor 11 ай бұрын
Right now, SquareX is pre earnings startup. They're running on funding they raised apart of a seed round led by Sequoia Capital. In the future, they plan on launching a paid version of their service, however they will always offer a free tier, even after monetization.
@aendererseje
@aendererseje 11 ай бұрын
I got a GitLab ad on this video 😂
@DanielBoctor
@DanielBoctor 11 ай бұрын
no way LOL. I didn't think they would be running ads on KZbin since they're main customers are enterprises.
@S3Kglitches
@S3Kglitches 5 ай бұрын
Why do you put escape sequences into ()? That probably confuses people who don't understand it in depth thinking that () are actually a marker of the escape sequence as well
@myname-mz3lo
@myname-mz3lo 11 ай бұрын
20 k is so little for how importand of a bug he found .
@ayushmishra6077
@ayushmishra6077 11 ай бұрын
We need more people like you :simle:
@DanielBoctor
@DanielBoctor 11 ай бұрын
Glad to have you apart of the community. Thanks for the kind words, keep on doing what you're doing 😊
@slingshot99
@slingshot99 11 ай бұрын
You deserve a lot more views!
@DanielBoctor
@DanielBoctor 11 ай бұрын
I can hope! Thank you for the support - I appreciate it
@camelotenglishtuition6394
@camelotenglishtuition6394 11 ай бұрын
Very well edited and very interesting ..thanks! **edit .. I wonder how long it took him to find that 0day
@DanielBoctor
@DanielBoctor 11 ай бұрын
Thanks! Glad you liked it 😊. Me too - these bug hunters are unreal. One day I hope to make one of these videos where I am the one who found the bug 😆
@camelotenglishtuition6394
@camelotenglishtuition6394 11 ай бұрын
@@DanielBoctor same!!
@camelotenglishtuition6394
@camelotenglishtuition6394 11 ай бұрын
@@DanielBoctor or sell it to zerodium and retire
@palapapa0201
@palapapa0201 4 ай бұрын
Why TF does Perl expand the escape sequences in the argument of eval again? Even Python doesn't do that. 13:18 Even shell scripting is not this bad. The string content is being textually replaced into the line like a C macro. Why does it still do that if $tok is already quoted? I have never used Perl but I already hate it.
@Twisted_Code
@Twisted_Code 10 ай бұрын
2:00 I have a guess where this is going: is one of the metadata tags in djvu (and supported by EXIF) a "run this thing" tag?
@Twisted_Code
@Twisted_Code 10 ай бұрын
4:15 Seems my guess is probably wrong. New guess: Buffer overflow in the code that interprets the C-string
@Twisted_Code
@Twisted_Code 10 ай бұрын
7:40 I'm now uncertain, since this part of the video dealt with RegEx, and there's frankly a lot of ways to mishandle RegEx. The algorithm looks solid, but I don't use RegEx enough to be certain.
@Twisted_Code
@Twisted_Code 10 ай бұрын
7:50 wait, what happens if the string never has a true closing quote?
@Twisted_Code
@Twisted_Code 10 ай бұрын
8:15 (This is the comment where, as the video predicted around 10:15, I confidently assumed "eval is evil" and was not yet aware of the qq. Obviously I'm getting ahead of things, so while I basically see where this is going, I'm not going to make any more predictions on how they escaped the string.)
@FadkinsDiet
@FadkinsDiet 9 ай бұрын
The video sequences when nothing is happening, are those AI generated or stock? Looking very professional.
@DanielBoctor
@DanielBoctor 9 ай бұрын
They are really well done indeed. They come from a collection of "Visualising AI" animations from Google DeepMind. Here is the source if you want to check it out! deepmind.google/discover/visualising-ai/
@MakHoles
@MakHoles 11 ай бұрын
Also you forgot .MP3 files that display the cover art album artist name release date genre number on the album which disc it is on
@SuperPupperDoggo
@SuperPupperDoggo 11 ай бұрын
honestly I think you should have to use a flag when executing to enable eval (i.e. ‘python whatever.py --enable-eval-unsafe’). I guarantee this would not have passed review if that were the case.
@thewhitefalcon8539
@thewhitefalcon8539 11 ай бұрын
you could say that about every language feature though
@SuperPupperDoggo
@SuperPupperDoggo 11 ай бұрын
@@thewhitefalcon8539 but eval in particular because as you’ve seen, it is not a question of *if* but *when* it will be exploited if the code interacts with data from users basically at all. It is literally Arbitrary code execution, which when exploited is generally considered the most severe vulnerability possible. The only reason to use eval is if the input will change in ways that cannot be accounted for by just writing the code normally, and since there is almost always a way to do something without eval, this means there is only a very slim number of cases where it is truly necessary, and given the known potential for security disasters, programmers should be forced to either find a way around using it, or have to explain to anyone who runs the code why it really is necessary. This would make sure anyone running the code knows that it uses eval without having to look through every line of code, and then they can make their own decision from there.
@mudi2000a
@mudi2000a 11 ай бұрын
Incredible! I used to write a lot of code in perl like 20-30 years ago but even then I would have never used the eval function on data which came from the outside. Actually I probably wouldn’t have used it at all because it is inherently dangerous. I can’t believe that this code was still present in a tool used in 2023.
@ainiro
@ainiro 11 ай бұрын
What a ridiculous algorithm. You can scan forward until you find the first ", then if you find a \, you just read the next character raw, without checking for ". The algorithm is fundamentally flawed ...
@mo938
@mo938 11 ай бұрын
Excellent vid! Subbed!!
@DanielBoctor
@DanielBoctor 11 ай бұрын
Thank for watching!
@battokizu
@battokizu 7 ай бұрын
Either heavily sanitize the input, strip all and recreate it from scratch, take whole words and no strings, remove all floating point numbers or round up numbers, remove all tags besides date and name. The f are they doing.
@ElChapoDel8
@ElChapoDel8 11 ай бұрын
20.000 dollars for that? What a rats
@itaynafrin3409
@itaynafrin3409 11 ай бұрын
This is pure quality!
@DanielBoctor
@DanielBoctor 11 ай бұрын
Thank you! Glad you liked it
@llynnmarks3382
@llynnmarks3382 11 ай бұрын
Great video but I wonder how I could understand this at a deeper level. If I had to explain this I'd find it challenging.
@DanielBoctor
@DanielBoctor 11 ай бұрын
Interesting comment - would you say this was because of how I made the video? Would there be anything you suggest I do differently?
@brawldude2656
@brawldude2656 9 ай бұрын
Tbh I wasn't expecting it to be this simple. Sometimes some things are really over looked
@mcrotbot
@mcrotbot 11 ай бұрын
Awesome breakdown!
@DanielBoctor
@DanielBoctor 11 ай бұрын
Not as awesome as you
@Wynadorn
@Wynadorn 7 ай бұрын
truly the root of all eval
@pabloenriquegorga4222
@pabloenriquegorga4222 11 ай бұрын
An other master piece ! thanks you !
@DanielBoctor
@DanielBoctor 11 ай бұрын
Thank you too! Glad you liked it 😊
@mohammadthamyizna8036
@mohammadthamyizna8036 9 ай бұрын
damn, i thought i'm watching the same video, when that "on april 7th 2021" came in. it looks definetrly the same as, the other video with "on april 7th 2020"
@Henrix1998
@Henrix1998 10 ай бұрын
It always amazes me how big part of all exploits are running user input string as code
@yux5188
@yux5188 11 ай бұрын
Good video thanks for making it daniel
@DanielBoctor
@DanielBoctor 11 ай бұрын
Glad you liked it!
@The_Last_Question
@The_Last_Question 11 ай бұрын
Title made me think of an old psp exploit that used .tiff images
@DanielBoctor
@DanielBoctor 11 ай бұрын
interesting, never heard of that one before
@PKua007
@PKua007 11 ай бұрын
I just got to the part with “eval-ing” the string just to process escapes. I facepalmed hard and even though I didn’t see the rest of the video yet, I’m pretty sure this is the problem
@kingman351
@kingman351 11 ай бұрын
Wow! What an amazing video!
@DanielBoctor
@DanielBoctor 11 ай бұрын
Thank you!!
@MorgurEdits
@MorgurEdits 10 ай бұрын
Your sponsor actually seems interesting. Rarely do I hear useful sponsors.
@Mmouse_
@Mmouse_ 8 ай бұрын
Second I heard "Eval" I chuckled.
@samgoodwin89
@samgoodwin89 9 ай бұрын
20k is too cheap. He deserves 200k
@tomtravis858
@tomtravis858 11 ай бұрын
Honestly that code just smells, multiple regex, eval, commented out code.
@netomtoloko01
@netomtoloko01 11 ай бұрын
I'm really thinking about move to cybersec at the moment, but these clever moves looks so fun and so scary at the same time... thanks for the explanation!
@DanielBoctor
@DanielBoctor 11 ай бұрын
Cyber is definitely a blast. Glad you enjoyed the video!
@James-l5s7k
@James-l5s7k 11 ай бұрын
Is this why space doesn't render svgs in markdown?
@ejonesss
@ejonesss 11 ай бұрын
is square x adblockers able to stop the effects of youtube crackdown on ad blockers? it seems as youtube is somehow able to detect adguard.
@officiallyjk420
@officiallyjk420 11 ай бұрын
That was adguard itself malfunctioning
@squarex_zee
@squarex_zee 11 ай бұрын
Hello, we have uBlock Origin built into our extension, which works perfectly with KZbin.
11 ай бұрын
Many years ago I heard the phrase "eval is the root of all evil" when using eval in JS. Still true.
@Jango1989
@Jango1989 10 ай бұрын
This is a brilliant video!
@DanielBoctor
@DanielBoctor 10 ай бұрын
Glad you liked it!
@farble1670
@farble1670 9 ай бұрын
Interpolate doesn't mean the same thing as interpret.
@megaing1322
@megaing1322 10 ай бұрын
Even ignoring the use of eval (which can be justified for exactly these kinds of situations where you want to handle escape sequences), that is a *terrible* way of parsing a string literal. You are already using regex. Just define a regex that cleanly matches an entire string literal, it's really not that hard and can be debugged and checked for correctness in isolation.
@kevinwydler7305
@kevinwydler7305 11 ай бұрын
Love your content!
@DanielBoctor
@DanielBoctor 10 ай бұрын
love you more
@fomxgorl
@fomxgorl 15 күн бұрын
i legit thought this was going to direction of environment variables when you mentioned key/value pairs. but nope, it was once again regex this time paired with eval. 3/4 exploit history vids i watched today were cause of regex and im like, i already knew it was bad, but now im definitely debating on banning it from my project
@jmd489
@jmd489 11 ай бұрын
$20k for these exploits are chump change compared to the potential damage they could cause. Surprised bounty hunters put up with it.
@DanielBoctor
@DanielBoctor 11 ай бұрын
yup, it's a real issue. In September 2023, Operation Zero raised it's payouts for mobile RCE exploits to $20,000,000. For comparison, the Apply bug bounty program is only offering up to $1,000,000 for the same type of exploit, if reported.
@bledlbledlbledl
@bledlbledlbledl 11 ай бұрын
8:10 IT'S A FOUR-LETTER WORD
@jacobjayme6280
@jacobjayme6280 11 ай бұрын
Dan delivers phenomenal content again. Make sure to subscribe so we can have the most ultimate world changing ping pong game you have ever seen.
@DanielBoctor
@DanielBoctor 11 ай бұрын
LOOOOOOL we're so close
@christopherstaples6758
@christopherstaples6758 10 ай бұрын
well worth the $20k
@brocolliduck
@brocolliduck 11 ай бұрын
Nice video
@DanielBoctor
@DanielBoctor 11 ай бұрын
glad you liked it
@pierrekilgoretrout3143
@pierrekilgoretrout3143 10 ай бұрын
as soon as I saw eval I understood that code injection was possible, argh!
@theprantadutta
@theprantadutta 11 ай бұрын
Jeez, and I thought my codes are bad
@atierintel
@atierintel 11 ай бұрын
For someone who knows their shit like this, youd figure they would do a lot more with SEO. Which you should. Because you deserve way more views than this
@DanielBoctor
@DanielBoctor 11 ай бұрын
I appreciate the support LOL. I'm trying my best
@avwie132
@avwie132 11 ай бұрын
Gitlab populates 40% of the top 20 bug bounty list….
@StevenAkinyemi
@StevenAkinyemi 11 ай бұрын
The should rewrite it in Rust already
@_modiX
@_modiX 11 ай бұрын
gitlab was indeed at fault for trusting an extension and sending the file to an universal third party lib
@minibun04
@minibun04 11 ай бұрын
LEMMINO MUSIC !
@DanielBoctor
@DanielBoctor 11 ай бұрын
a living legend
@eclypze_
@eclypze_ 10 ай бұрын
11/10 explanation
@DanielBoctor
@DanielBoctor 10 ай бұрын
Glad you think so
@kirillt9009
@kirillt9009 11 ай бұрын
Good work.
@DanielBoctor
@DanielBoctor 11 ай бұрын
Thanks!
@AshkanKiani
@AshkanKiani 9 ай бұрын
“Written in perl” say no more fam.
@SchoolTeensHavingFun
@SchoolTeensHavingFun 11 ай бұрын
Very entertaining!
@DanielBoctor
@DanielBoctor 11 ай бұрын
Thanks! Glad you liked it 😊
@guai9632
@guai9632 11 ай бұрын
eval in a parser. genius
@sizur
@sizur 10 ай бұрын
Just say there was eval, done. There was no need to walk through parsing part.
@scifino1
@scifino1 11 ай бұрын
Ahh, yes, passing caller provided data to eval... Something you should probably avoid unless you absolutely need it and know what you're doing.
@StevenAkinyemi
@StevenAkinyemi 11 ай бұрын
I say we ban it! 😅
@StevenAkinyemi
@StevenAkinyemi 11 ай бұрын
What is a valid use case for eval?
@ankk98
@ankk98 11 ай бұрын
Eval is the biggest evil
@narimantasglinskis7562
@narimantasglinskis7562 11 ай бұрын
i sense GitHub roast coming
@Will-uv9kx
@Will-uv9kx 7 ай бұрын
I thought your yt name was doctor boctor
@nymvno
@nymvno 8 ай бұрын
Are guys pronouncing it regex or regex?
@NeverGiveUpYo
@NeverGiveUpYo 11 ай бұрын
Cool video.
@DanielBoctor
@DanielBoctor 11 ай бұрын
not as cool as you
The Hacker who could turn on ANYONE'S Zoom Camera [Zero-Day]
14:17
Daniel Boctor
Рет қаралды 80 М.
When you Accidentally Compromise every CPU on Earth
15:59
Daniel Boctor
Рет қаралды 875 М.
小丑女COCO的审判。#天使 #小丑 #超人不会飞
00:53
超人不会飞
Рет қаралды 16 МЛН
Cat mode and a glass of water #family #humor #fun
00:22
Kotiki_Z
Рет қаралды 42 МЛН
To Brawl AND BEYOND!
00:51
Brawl Stars
Рет қаралды 17 МЛН
When you Accidentally leak 100 MILLION Medical Records
16:40
Daniel Boctor
Рет қаралды 97 М.
When Optimisations Work, But for the Wrong Reasons
22:19
SimonDev
Рет қаралды 1,1 МЛН
How Microsoft Accidentally Backdoored 270 MILLION Users
14:45
Daniel Boctor
Рет қаралды 254 М.
Cloudflare Deploys Really Slow Code, Takes Down Entire Company
13:24
Using docker in unusual ways
12:58
Dreams of Code
Рет қаралды 465 М.
researchers find unfixable bug in apple computers
8:32
Low Level
Рет қаралды 718 М.
Who was REALLY behind the Microsoft Backdoor...
19:56
Daniel Boctor
Рет қаралды 1 МЛН
I built my own 16-Bit CPU in Excel
15:45
Inkbox
Рет қаралды 1,6 МЛН
this vulnerability shouldn’t even exist
14:33
Low Level
Рет қаралды 233 М.
小丑女COCO的审判。#天使 #小丑 #超人不会飞
00:53
超人不会飞
Рет қаралды 16 МЛН