undefined | Better HN

0 pointsgreentxt1y ago0 comments

CSV is CSV. A serialized object is a serialized object. The main concern they cite, are supply chain attacks. So it’s like saying loading a package can… load a package. Supply chain attacks will always be a thing. I’m grateful for the work of the researchers in question but don’t feel this is much of a blemish when it comes to R itself being insecure.

0 comments

fanf21y ago

I think the researchers didn’t identify the main vulnerability. They should have talked about the risk of remote code execution from reading serialized objects from untrusted sources, when the R programmer thinks they are reading data but they are actually running code. This mistake has led to huge numbers of remote code execution vulnerabilities in all sorts of object deserialization libraries; it’s a much more common threat than supply chain attacks.

skybrian1y ago

It’s true that it’s always been that way, but there are other common but unsafe ways of doing things that people eventually stopped using. Some pressure to deprecate and migrate away from unsafe API’s seems good.

jojobas1y ago

Is there another way to load a saved dataset in R though, so that it can't execute anything?

vharuck1y ago

Save it in the usual text-based formats, like a CSV or JSON. Outside of packages, which use serialized data by default for good reasons, I haven't seen many people loading strangers' RDS or RData files.

If an attacker can control a package's rdb and rdx files, it's game over. They could just stick an `.onAttach` function in that does whatever they want when the package is loaded directly or imported by another package.

jojobas1y ago

The fact that they had to mess with unbounded promises, and that the bug got fixed suggests you normally can't run any code from load().

j / k navigate · click thread line to collapse

0 pointsgreentxt1y ago0 comments

0 comments

fanf21y ago

skybrian1y ago

jojobas1y ago

Is there another way to load a saved dataset in R though, so that it can't execute anything?

vharuck1y ago

jojobas1y ago

The fact that they had to mess with unbounded promises, and that the bug got fixed suggests you normally can't run any code from load().

j / k navigate · click thread line to collapse