curuinor commented on Deep dive into Turso, the “SQLite rewrite in Rust”   kerkour.com/turso-sqlite... · Posted by u/unsolved73
cozzyd · 14 days ago
Are there any VC-funded open source projects that didn't attempt rug pulls? (There must be, right?)
curuinor · 14 days ago
metabase.com, but metabase is intended for business analyst types and is AGPL, with shenanigans for embedding and an enterprise edition thing
curuinor commented on How we exploited CodeRabbit: From simple PR to RCE and write access on 1M repos   research.kudelskisecurity... · Posted by u/spiridow
vadepaysa · 6 months ago
I cancelled my coderabbit paid subscription, because it always worries me when a post has to go viral on HN for a company to even acknowledge an issue occurred. Their blogs are clean of any mention of this vulnerability and they don't have any new posts today either.

I understand mistakes happen, but lack of transparency when these happen makes them look bad.

curuinor commented on How we exploited CodeRabbit: From simple PR to RCE and write access on 1M repos   research.kudelskisecurity... · Posted by u/spiridow
cleverwebb · 6 months ago
I had a visceral and (quite audible) reaction when I got to the environment variable listing.
curuinor · 6 months ago
Hey, this is Howon from CodeRabbit. We use a cloud-provider-provided key vault for application secrets, including the GH private key.
curuinor commented on How we exploited CodeRabbit: From simple PR to RCE and write access on 1M repos   research.kudelskisecurity... · Posted by u/spiridow
thyrfa · 6 months ago
It is incredibly bad practice that their "become the GitHub app as you desire" keys-to-the-kingdom private key was just sitting in the environment variables. Anybody can get hacked, but that's just basic secrets management; that doesn't have to be there. GitHub LITERALLY SAYS in their docs that storing it in an environment variable is a bad idea. Just day 1 stuff. https://docs.github.com/en/apps/creating-github-apps/authent...
curuinor · 6 months ago
Hey, this is Howon from CodeRabbit. We use a cloud-provider-provided key vault for application secrets, including the GH private key.
curuinor commented on How we exploited CodeRabbit: From simple PR to RCE and write access on 1M repos   research.kudelskisecurity... · Posted by u/spiridow
tadfisher · 6 months ago
But do you still store your GH API private key in environment variables?
curuinor · 6 months ago
Hey, this is Howon from CodeRabbit. We use a cloud-provider-provided key vault for application secrets, including the GH private key.
curuinor commented on How we exploited CodeRabbit: From simple PR to RCE and write access on 1M repos   research.kudelskisecurity... · Posted by u/spiridow
curuinor · 6 months ago
Hey, this is Howon from CodeRabbit. We wish to note that this RCE was reported and fixed in January. It was entirely prospective and no customer data was affected. We have extensive sandboxing for basically any execution of anything now, including any and every tool and all generated code of any kind under the CodeRabbit umbrella.

If you want to learn how CodeRabbit does the isolation, here's a blog post about it: https://cloud.google.com/blog/products/ai-machine-learning/h...

u/curuinor

Karma: 1970 · Cake day: December 5, 2011
About
I am a person

It is not the case that I am not a person