wantsanagent | 1 year ago

Re: Insta-load

Please don't do this. Exec'ing arbitrary, obfuscated code you just copied from the internet directly in a running environment is such a bad idea it shouldn't even be suggested.

At the very least please put huge warnings around this section to let people know that it is a horrendously bad idea and they do it at their own peril.

oreilles|1 year ago

How is it any different than installing the package via pip? Not only do most people not check the source before running the code, but there is also no way to be sure that the code shipped by pip is the one you read on GitHub...

__MatrixMan__|1 year ago

gp has a leg to stand on only if they regularly audit the contents of their site packages. Otherwise you're totally right.

tantalor|1 year ago

This is so bad it should be nsfw-blurred and you have to click 2 buttons to even see it.

erinaceousjones|1 year ago

Yes, the big warning disclaimer in that part of the docs is definitely required here.

That idea of exec'ing arbitrary obfuscated (compressed) shell code that's easy to copy-paste into a python shell is very helpful, mind.

I've had to debug issues in production with silently hanging I/O threads and my only access is via `kubectl exec`.

This wat tool and that "insta-load" idea pair nicely with pyrasite for that very useful !!!DO NOT DO THIS, YOUR CONTAINERS SHOULD BE LOCKED DOWN SO YOU CANNOT DO THIS!!! step of copying gdb and the pyrasite library into a running container when all you have is a python shell to play with.

(This almost feels like an exploit, running shellcode after getting RCE :))

https://pypi.org/project/pyrasite/

slt2021|1 year ago

The gzipped payload is static, you are free to inspect the payload before eval()
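One way to turn that inspection step into a habit, as an added example that is not from the thread or the wat project: unwrap the base64+gzip blob to readable source, pin the SHA-256 of what you reviewed, and only exec when the digest still matches. The blob below is constructed inline to stand in for the real insta-load payload.

```python
import base64
import gzip
import hashlib

# Constructed sample: a tiny module wrapped the way an insta-load one-liner
# ships its source (gzip, then base64). It stands in for the real wat payload.
_SAMPLE_SOURCE = (
    "def wat(obj):\n"
    "    return [a for a in dir(obj) if not a.startswith('_')]\n"
)
SAMPLE_BLOB = base64.b64encode(gzip.compress(_SAMPLE_SOURCE.encode())).decode()


def decode_payload(blob: str) -> str:
    """Reverse the base64+gzip wrapping and return plain source text to read."""
    return gzip.decompress(base64.b64decode(blob)).decode("utf-8")


def payload_digest(blob: str) -> str:
    """SHA-256 of the decoded source (not of the blob: gzip headers carry an
    mtime, so hashing the wrapper would not be stable across re-packaging)."""
    return hashlib.sha256(decode_payload(blob).encode("utf-8")).hexdigest()


def load_if_pinned(blob: str, expected_sha256: str, namespace=None) -> dict:
    """Exec the payload only when its decoded source matches the pinned digest.

    Pin the digest after reading the decoded source once; a changed blob
    (new version, tampered copy-paste) then fails closed instead of running.
    """
    actual = payload_digest(blob)
    if actual != expected_sha256:
        raise ValueError(f"payload digest mismatch: {actual} != {expected_sha256}")
    ns = {} if namespace is None else namespace
    exec(decode_payload(blob), ns)  # noqa: S102 - gated by the digest check above
    return ns


if __name__ == "__main__":
    # Review first: print the source, then decide whether to pin its digest.
    print(decode_payload(SAMPLE_BLOB))
    print("sha256:", payload_digest(SAMPLE_BLOB))
```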

timdorr|1 year ago

I'm not a Python dev. Why would they do this? This is giving vibes of malware embedded into npm packages.

skeledrew|1 year ago

Convenient way to quickly add extra debugging capability without rerunning. It isn't much different from the many `curl example.com/install.sh |bash` you see around. It's up to the user to check things out before running.

CornCobs|1 year ago

Not everywhere that python is run has access to pip. SSHing into some locked down remote machine and needing to debug some script is a use case that comes to mind.

jampekka|1 year ago

Pip install allows arbitrary code execution.