by alex-mohr 410 days ago
The code in question reminds me a lot of my favorite Kubernetes bug:

  if (request.authenticationData) {
    ok := validate(etc);
    if (!ok) {
      return authenticationFailure;
    }
  }
Turns out the same meme spans decades.
3 comments

This is a nice example of why one should parse, not validate. If every function that requires some kind of permission takes that permission as an argument, say (pseudocode)

  void doFoo(PermissionToDoFoo permission, ...){...}
and then, the only way to call it is through something like

  from request import getAuth, respond
  \\  Maybe<AuthenticationData> getAuth(Request request)
  \\  void respond(String response)
  from permissions import askForPermissionToDoFoo
  \\  Maybe<PermissionToDoFoo> askForPermissionToDoFoo(AuthenticationData auth)

  response =
    try
      auth <- getAuth(request)
      permission <- askForPermissionToDoFoo(auth)
      doFoo(permission)
      "Success!"
    fail
      "Oopsie!"

  respond(response)
It becomes impossible to represent the invalid state of doing Foo without permission.
This is also known as capability-based access control. It was implemented in Project Midori [1] — Microsoft’s flopped managed microkernel OS.

[1] - https://en.wikipedia.org/wiki/Midori_(operating_system)
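The fail-open check from the top post next to the permission-as-argument pattern from the pseudocode above, as an added Rust example that is not part of the original thread and is not Kubernetes code. The `Request` type, the `valid` check and the token value are constructed for illustration.

```rust
// Constructed request type: `token` is None when the client sent no credentials.
pub struct Request { pub token: Option<String> }

// Constructed credential check, standing in for the thread's validate().
fn valid(token: &str) -> bool { token == "constructed-token" }

// Fail-open shape from the top post: validation runs only when credentials
// are present, so a request with none reaches the privileged action.
pub fn handle_fail_open(req: &Request) -> Result<&'static str, &'static str> {
    if let Some(t) = &req.token {
        if !valid(t) { return Err("authentication failure"); }
    }
    Ok("did foo")
}

mod permissions {
    use super::{valid, Request};

    // Private field: code outside this module cannot construct the value.
    pub struct PermissionToDoFoo { _private: () }

    // The only place a PermissionToDoFoo is minted. Missing credentials and
    // invalid credentials both yield None.
    pub fn ask_for_permission_to_do_foo(req: &Request) -> Option<PermissionToDoFoo> {
        let token = req.token.as_deref()?;
        if valid(token) { Some(PermissionToDoFoo { _private: () }) } else { None }
    }
}
use permissions::{ask_for_permission_to_do_foo, PermissionToDoFoo};

// The privileged action takes the capability as an argument, so a call
// without one does not compile.
pub fn do_foo(_permission: PermissionToDoFoo) -> &'static str { "did foo" }

pub fn handle_with_capability(req: &Request) -> Result<&'static str, &'static str> {
    let permission = ask_for_permission_to_do_foo(req).ok_or("authentication failure")?;
    Ok(do_foo(permission))
}

fn main() {
    let cases = [None, Some("wrong"), Some("constructed-token")];
    for c in cases {
        let req = Request { token: c.map(String::from) };
        println!("{:?}: fail-open={:?} capability={:?}",
                 c, handle_fail_open(&req), handle_with_capability(&req));
    }
}
```

The request with no token succeeds in `handle_fail_open` and is rejected in `handle_with_capability`, because the only path to `do_foo` goes through the function that mints the permission.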

Where can I read about the bug? And what is the bug? If there is no authenticationData it is authenticated by default or what?
It was in the early days of Kubernetes and long since fixed. I don't recall the precise details, but it was likely the first official CVE we published: https://kubernetes.io/docs/reference/issues-security/officia...

Link to the patch fixing it: https://github.com/kubernetes/kubernetes/commit/7fef0a4f6a44...

Of course, we'd already fixed other issues like Kubelet listening on a secondary debug port with no authentication. Those problems stemmed from its origins as a make-it-possible hacker project and it took a while to pivot it to something usable in an enterprise.

I don't know where you can read about this, but you are on the right track.

If there is no authenticationData then the if !Ok is never run and the code continues execution as if it were authenticated.

The way software is built hasn't changed in decades.
> The way software is built hasn't changed in decades.

Correct. The only thing that changed is the number of levels of abstraction.