Hacker News
new
|
past
|
comments
|
ask
|
show
|
jobs
|
submit
login
KingOfCoders
5 months ago
|
parent
|
context
|
favorite
| on:
How we exploited CodeRabbit: From simple PR to RCE...
Did I misread the article, or did they take the tool config from the PR not the repo?
yxhuvud
5 months ago
|
next
[–]
Unfortunately that mostly has to be the case or else the developer experience configuring these would be too bad.
morgante
5 months ago
|
prev
[–]
The exploit is there either way.
KingOfCoders
5 months ago
|
parent
[–]
The exploit depends on changing the config to execute a .rb file. And the config was supplied by a PR.
flexagoon
5 months ago
|
root
|
parent
[–]
Yes, but the exploit grants you access to ALL repos, not just the one the PR is in. You could just as well change the config in your own private repo and run coderabbit in it.
Guidelines
|
FAQ
|
Lists
|
API
|
Security
|
Legal
|
Apply to YC
|
Contact
Search:
