thyrfa commented on How we exploited CodeRabbit: From simple PR to RCE and write access on 1M repos   research.kudelskisecurity... · Posted by u/spiridow
curuinor · 12 days ago
Hey, this is Howon from CodeRabbit. We use a cloud-provider-provided key vault for application secrets, including the GH private key.
thyrfa · 12 days ago
Not at that time though, right, considering it was dumped? You have changed since, which is good, but under a year ago you had it as just an env var.
thyrfa commented on How we exploited CodeRabbit: From simple PR to RCE and write access on 1M repos   research.kudelskisecurity... · Posted by u/spiridow
curuinor · 12 days ago
Hey, this is Howon from CodeRabbit here. We wish to note that this RCE was reported and fixed in January. It was entirely prospective and no customer data was affected. We have extensive sandboxing for basically any execution of anything now, including any and every tool and all generated code of any kind under the CodeRabbit umbrella.

If you want to learn how CodeRabbit does the isolation, here's a blog post about it: https://cloud.google.com/blog/products/ai-machine-learning/h...

thyrfa · 12 days ago
How can you guarantee that nobody ripped the private key before the researcher told you about the issue though?
thyrfa commented on How we exploited CodeRabbit: From simple PR to RCE and write access on 1M repos   research.kudelskisecurity... · Posted by u/spiridow
thyrfa · 12 days ago
It is incredibly bad practice that their "become the GitHub App as you desire" keys-to-the-kingdom private key was just sitting in the environment variables. Anybody can get hacked, but that's just basic secrets management; that doesn't have to be there. GitHub LITERALLY SAYS in their docs that storing it in an environment variable is a bad idea. Just day 1 stuff. https://docs.github.com/en/apps/creating-github-apps/authent...
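As an added illustration of the secrets-management point in this comment (example code, not from the thread, the researchers, or CodeRabbit): a small startup guard that scans a process environment for PEM private-key material and refuses to start if any is found, then loads the GitHub App key through a secret-store interface instead of an env var. `SecretStore`, `InMemorySecretStore`, `load_app_private_key` and the secret name `github-app-private-key` are hypothetical names; `SAMPLE_ENV` is a constructed environment with a placeholder key body.

```python
"""Startup guard against private keys in environment variables.

Added example, not code from the thread or from CodeRabbit. The names
SecretStore, InMemorySecretStore, load_app_private_key and the secret
name 'github-app-private-key' are hypothetical.
"""
import os
import re
from typing import Mapping, Protocol

# Constructed sample environment; the key body is a placeholder, not real key material.
SAMPLE_ENV = {
    "GITHUB_APP_ID": "12345",
    "GITHUB_PRIVATE_KEY": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIEow...placeholder...\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "PATH": "/usr/bin",
}

# Matches the header line of the common PEM private-key encodings.
PEM_PRIVATE_KEY = re.compile(
    r"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"
)


def find_private_keys_in_env(env: Mapping[str, str]) -> list[str]:
    """Return the names of env vars whose values contain a PEM private-key block."""
    return sorted(name for name, value in env.items() if PEM_PRIVATE_KEY.search(value))


class SecretStore(Protocol):
    """Minimal interface a cloud key-vault client would satisfy (hypothetical)."""

    def get(self, name: str) -> str: ...


class InMemorySecretStore:
    """Stand-in for a vault client; real code would call the provider SDK."""

    def __init__(self, secrets: Mapping[str, str]) -> None:
        self._secrets = dict(secrets)

    def get(self, name: str) -> str:
        return self._secrets[name]


def load_app_private_key(
    store: SecretStore,
    env: Mapping[str, str],
    secret_name: str = "github-app-private-key",
) -> str:
    """Fetch the GitHub App private key from the secret store.

    Refuses to proceed if any env var already carries private-key material,
    so a key accidentally injected via the environment fails loudly at
    startup instead of being silently exposed to anything that can read env.
    """
    leaked = find_private_keys_in_env(env)
    if leaked:
        raise RuntimeError(f"refusing to start: private key material in env vars {leaked}")
    pem = store.get(secret_name)
    if not PEM_PRIVATE_KEY.search(pem):
        raise ValueError(f"secret {secret_name!r} is not a PEM private key")
    return pem


if __name__ == "__main__":
    store = InMemorySecretStore({"github-app-private-key": SAMPLE_ENV["GITHUB_PRIVATE_KEY"]})
    # Against the constructed env this raises; against the real process env it
    # only loads the key if nothing PEM-shaped is sitting in os.environ.
    print("leaked:", find_private_keys_in_env(SAMPLE_ENV))
    print("loaded from store:", load_app_private_key(store, os.environ)[:27])
```

The guard is cheap to run at process start and in CI, and it is the kind of check that would have flagged the configuration this thread is discussing before any dump of the environment mattered.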

u/thyrfa · Karma: 35 · Cake day: August 19, 2025