Web Excursions 2021-04-25
🌟 [Post of The Day] Remote code execution in Homebrew by compromising the official Cask repository
In theÂ
Homebrew/homebrew-cask
 repository, it was possible to merge the malicious pull request by confusing the library that is used in the automated pull request review script developed by the Homebrew project.By abusing it, an attacker could execute arbitrary Ruby codes on users' machine who usesÂ
brew
.Homebrew project uses GitHub Actions to run the CI scripts.
It looks like review.yml checks the contents of the user-submitted pull request, and if that pull request is simple enough (e.g. Bumps version), it’ll approve these pull requests.
After that, automerge.yml automatically merges approved pull requests.
The ruby script used by review.yml4 fetches pull request contents as a diff file and parses it with git_diff Gem.
And then, it’ll approve the pull request only if all of several conditions below are met
[The way in which git_diff processes file] seem to be okay at first glance, but it was possible to change the source/destination file path information multiple times in step 3.
if the added line matchesÂ
++ "?b/(.*)
, it’ll be treated as a file path information rather than the change against file contents.the required condition for the file path being changed is onlyÂ
\ACasks/[^/]+\.rb\Z
.can be bypassed by making the following changes, and the pull request will be treated as a harmless pull request with 0 line changes.
++ "b/#{Arbitrary codes here}" ++ b/Casks/cask.rb
Homebrew’s Security Incident Disclosure
Podcast Subscriptions vs. the App Store
Before iTunes 4.9 subscribing and listening to a podcast was a multi-step process,
and most of those steps were so obscure as to be effective barriers for all but the most committed of listeners.
It was the dramatic improvement to the user experience that, for the vast majority of would-be listeners, made podcasts even worth discovering in the first place.
Centralized platforms win because they make things easier for the user; producers willingly follow.
Given that Apple’s goal was only ever to sell more iPods (and then more iPhones) the company never pursued centralization to its logical conclusion
it was Spotify that identified the vacuum that Apple had created, aggressively expanding its podcasting business in an attempt to displace Apple’s Aggregator position
Apple’s podcast offering is an excellent example of how the App Store should operate (with one big exception).
What Podcast Subscriptions Gets Right
A Great Customer Experience with Competitive Creator Economics
increased customer trust means an increased conversion rate.
Apple controls the entire experience; Integration has value
15% is extremely competitive
Everything else that I like about Apple’s offering is in stark contrast to the App Store.
Easy Access to Alternative Payment Methods
Availability of Alternative Podcast Players
Two Big Problems
Who Owns the Customer
From the Podcasters Program Agreement: You represent and warrant that You and Your personnel, agents, and contractors will not access or otherwise process any information that can be used to uniquely identify or contact an individual
The Anticompetitive Angle
no one else can offer a podcast subscription service like Apple’s.
Spotify will not be able to upsell customers from within the Spotify app, like Apple is from within the Podcast app.
Not because it is technically impossible,
but because Apple is leveraging its control of the operating system
into control of the App Store
into control of apps and now podcast monetization.
Apple’s Flipped Motivations
The obvious reason why Podcasts only warranted a minute of Apple’s time is that the company had so many other cool things to announce:
perhaps Apple spent so little time on podcasts for a rather less attractive reason:
while iTunes 4.9 was created to make iPods better, the end game of all of these beautiful devices seems ever more focused on locking in services that make Apple richer;
that’s a conversation better saved for Congress.