Readit News
curuinor commented on How we exploited CodeRabbit: From simple PR to RCE and write access on 1M repos (research.kudelskisecurity...) · Posted by u/spiridow
vadepaysa · 7 days ago
I cancelled my coderabbit paid subscription, because it always worries me when a post has to go viral on HN for a company to even acknowledge an issue occurred. Their blogs are clean of any mention of this vulnerability and they don't have any new posts today either.

I understand mistakes happen, but lack of transparency when these happen makes them look bad.

cleverwebb · 7 days ago
I had a visceral and (quite audible) reaction when I got to the environment variable listing.
curuinor · 7 days ago
Hey, this is Howon from CodeRabbit. We use a cloud-provider-provided key vault for application secrets, including the GH private key.
thyrfa · 7 days ago
It is incredibly bad practice that their "become the GitHub app as you desire" keys-to-the-kingdom private key was just sitting in the environment variables. Anybody can get hacked, but that's just basic secrets management; that doesn't have to be there. GitHub LITERALLY SAYS in their docs that storing it in an environment variable is a bad idea. Just day 1 stuff. https://docs.github.com/en/apps/creating-github-apps/authent...
curuinor · 7 days ago
Hey, this is Howon from CodeRabbit. We use a cloud-provider-provided key vault for application secrets, including the GH private key.
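thyrfa's point above and curuinor's reply come down to one defensive check: private-key material should not be reachable from the process environment, least of all in a process that spawns tools on untrusted input. The Python below is an added example, not code from this thread, from GitHub or from CodeRabbit. It audits an environment for PEM private keys and secret-looking variable names, then shows the hygiene step of handing a child process an allow-listed environment. The sample environment, its variable names and the PEM body are constructed placeholders, and the name pattern is an illustrative heuristic, not a complete scanner.

```python
"""Detect private-key material in a process environment and withhold it from
spawned tools. Added, stand-alone example; the sample environment is constructed
and holds only placeholder values (no real key material)."""
import re
import subprocess
import sys
from dataclasses import dataclass

# Header line of a PEM-encoded private key (RSA, EC, OpenSSH or PKCS#8 form).
PEM_PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")
# Variable names that commonly carry secrets; a heuristic, not an exhaustive list.
SECRET_NAME_RE = re.compile(r"(PRIVATE_KEY|PEM|SECRET|TOKEN|PASSWORD)", re.IGNORECASE)

# Constructed sample environment. The PEM body is a placeholder, not a key.
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "HOME": "/home/runner",
    "GITHUB_APP_ID": "12345",  # constructed app id (an id is not a secret)
    "GITHUB_APP_PRIVATE_KEY": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "PLACEHOLDER-NOT-A-REAL-KEY\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "REVIEW_SERVICE_TOKEN": "placeholder-token",  # constructed name and value
}

# Variables a sandboxed tool legitimately needs; everything else is withheld.
CHILD_ALLOWLIST = frozenset({"PATH", "HOME", "LANG", "TMPDIR"})


@dataclass(frozen=True)
class Finding:
    name: str
    reason: str


def audit_env(env: dict[str, str]) -> list[Finding]:
    """Return one Finding per variable that looks like secret material.

    The value is checked first (a PEM header is conclusive); otherwise the name
    is matched against the heuristic pattern. Values are never copied into the
    Finding, so the audit output is safe to log."""
    findings = []
    for name, value in sorted(env.items()):
        # Keys are often stored with literal "\n" sequences; normalise before matching.
        if PEM_PRIVATE_KEY_RE.search(value.replace("\\n", "\n")):
            findings.append(Finding(name, "value is a PEM private key"))
        elif SECRET_NAME_RE.search(name):
            findings.append(Finding(name, "name suggests secret material"))
    return findings


def sandbox_env(env: dict[str, str]) -> dict[str, str]:
    """Environment to hand a child tool: allow-listed variables only."""
    return {k: v for k, v in env.items() if k in CHILD_ALLOWLIST}


def child_sees_variable(name: str, env: dict[str, str]) -> bool:
    """Spawn a child interpreter with `env` and report whether it can read `name`."""
    probe = f"import os, sys; sys.exit(0 if {name!r} in os.environ else 1)"
    result = subprocess.run([sys.executable, "-c", probe], env=env, check=False)
    return result.returncode == 0


if __name__ == "__main__":
    for f in audit_env(SAMPLE_ENV):
        print(f"{f.name}: {f.reason}")
    key = "GITHUB_APP_PRIVATE_KEY"
    print("child sees key (raw env):", child_sees_variable(key, SAMPLE_ENV))
    print("child sees key (sandboxed):", child_sees_variable(key, sandbox_env(SAMPLE_ENV)))
```

Running the audit at service start-up (and in CI against the deployment manifest) catches a key that was accidentally injected as a variable; the allow-list is what keeps a tool invoked on a pull request from ever inheriting it, whether or not the audit fires.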
tadfisher · 7 days ago
But do you still store your GH API private key in environment variables?
curuinor · 7 days ago
Hey, this is Howon from CodeRabbit. We use a cloud-provider-provided key vault for application secrets, including the GH private key.
curuinor · 7 days ago
Hey, this is Howon from CodeRabbit here. We wish to note that this RCE was reported and fixed in January. It was entirely prospective and no customer data was affected. We have extensive sandboxing for basically any execution of anything now, including any and every tool and all generated code of any kind under the CodeRabbit umbrella.

If you want to learn how CodeRabbit does the isolation, here's a blog post about how: https://cloud.google.com/blog/products/ai-machine-learning/h...

curuinor commented on Quantum computing's reality check (spectrum.ieee.org/quantum...) · Posted by u/mathgenius
Vervious · 2 years ago
I don’t see how you can read and understand Nielsen and Chuang in one sitting, unless you are already a quantum computation theorist. I also don’t see how reading what is essentially an algorithms textbook can lead you to develop an informed opinion about the state of quantum computer engineering…

It’s like saying, “I was curious about how computer software works, so I ordered and read CLRS and I don’t think faster computers are anywhere on the horizon in 100 years…”

curuinor · 2 years ago
They didn't say or give the implicature that it was in one sitting. Might be months.

u/curuinor

Karma: 1970 · Cake day: December 5, 2011
About
I am a person

It is not the case that I am not a person
