{{- if not .Values.existingSecret }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ template "minio.secretName" . }}
  labels:
    app: {{ template "minio.name" . }}
    chart: {{ template "minio.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
type: Opaque
data:
  rootUser: {{ include "minio.root.username" . | b64enc | quote }}
  rootPassword: {{ include "minio.root.password" . | b64enc | quote }}

from fastapi import FastAPI

app = FastAPI(openapi_url="/api/v1/openapi.json")


@app.get("/items/")
async def read_items():

## Example Attack { #example-attack }

Imagine you build a way to run a local AI agent.

It provides an API at

```
http://localhost:8000/v1/agents/multivac
```

There's also a frontend at

```
http://localhost:8000
```

/// tip

Note that both have the same host.

///

     * @param v1 the first part of the API path (e.g., "cluster", "nodes")
     * @param v2 the second part of the API path (e.g., "health", "stats")
     */
    protected void writeElastisearchJsonApi(final ZipOutputStream zos, final String id, final String v1, final String v2) {
        final ZipEntry entry = new ZipEntry(id + "/es_" + v1 + "_" + v2 + ".json");
        try {

	                    </Rule>`,
			expectedErr: errXMLNotWellFormed,
		},
		{
			inputXML: `<Rule>
				<ID>Rule with a tag and DelMarkerExpiration</ID>
				<Filter><Tag><Key>k1</Key><Value>v1</Value></Tag></Filter>
				<DelMarkerExpiration>
					<Days>365</Days>
				</DelMarkerExpiration>
                            <Status>Enabled</Status>
	                    </Rule>`,

    } catch (e: GeneralSecurityException) {
      throw IllegalArgumentException("failed to decode certificate", e)
    }
  }
}

internal data class TbsCertificate(
  /** This is a integer enum. Use 0L for v1, 1L for v2, and 2L for v3. */
  val version: Long,
  val serialNumber: BigInteger,
  val signature: AlgorithmIdentifier,
  val issuer: List<List<AttributeTypeAndValue>>,
  val validity: Validity,

    sink().writeUtf8(value)
  }

  fun writeObjectIdentifier(s: String) {
    val utf8 = Buffer().writeUtf8(s)
    val v1 = utf8.readDecimalLong()
    require(utf8.readByte() == '.'.code.toByte())
    val v2 = utf8.readDecimalLong()
    writeVariableLengthLong(v1 * 40 + v2)

    while (!utf8.exhausted()) {
      require(utf8.readByte() == '.'.code.toByte())
      val vN = utf8.readDecimalLong()

frameborder="0" scrolling="no" marginheight="0" marginwidth="0" src="https://xr4n4.mjt.lu/wgt/xr4n4/hj5/form?c=40a44fa4" width="100%" style="height: 800px;"></iframe>

<script type="text/javascript" src="https://app.mailjet.com/pas-nc-embedded-v1.js"></script>...

  - [Changelog since v1.17.1](#changelog-since-v1171)
- [v1.17.1](#v1171)
  - [Downloads for v1.17.1](#downloads-for-v1171)
    - [Client Binaries](#client-binaries-16)
    - [Server Binaries](#server-binaries-16)
    - [Node Binaries](#node-binaries-16)
  - [Changelog since v1.17.0](#changelog-since-v1170)
    - [Other notable changes](#other-notable-changes)
- [v1.17.0](#v1170)

- 且不发送任何认证凭据。

这种攻击主要在以下情况下相关：

- 应用在本地（如 `localhost`）或内网中运行
- 且应用没有任何认证，假定来自同一网络的请求都可信。

## 攻击示例 { #example-attack }

假设你构建了一个本地运行的 AI 代理。

它提供了一个 API，地址为

```
http://localhost:8000/v1/agents/multivac
```

另有一个前端，地址为

```
http://localhost:8000
```

/// tip | 提示

注意它们的主机相同。

///

之后，你可以通过前端让该 AI 代理替你执行操作。

由于它在本地运行、而非暴露在开放的互联网，你决定不配置任何认证，只信任对本地网络的访问。