Comment by curuinor

Comment by curuinor 6 days ago

23 replies

View on Hacker News

hey, this is Howon from CodeRabbit here. we wish to note that this RCE was reported and fixed in January. it was entirely prospective and no customer data was affected. we have extensive sandboxing for basically any execution of anything now, including any and every tool and all generated code of any kind under the CodeRabbit umbrella.

if you want to learn how CodeRabbit does the isolation, here's a blog post about how: https://cloud.google.com/blog/products/ai-machine-learning/h...

mpeg 6 days ago

Where can we find the blog post you made back in January about the RCE fix explaining what measures you took to check if any customer data had been affected?

Reply View 0 replies
cleverwebb 6 days ago

how do you know that no customer data was affected? did you work with github and scan all uses of your keys? how do you know if a use of your github key was authentic or not? did you check with anthroipic/openai/etc to scan logs usage?

It's really hard to trust a "hey we got this guys" statement after a fuckup this big

Reply View 1 reply
  • Xunjin 6 days ago

    That's why countries should start to legislate on these matters, there are no incentives in focusing on security and properly report to the customers such vulnerability.

    Reply View 0 replies
thyrfa 6 days ago

How can you guarantee that nobody ripped the private key before the researcher told you about the issue though?

Reply View 2 replies
  • blibble 6 days ago

    if they can't guarantee this then every single repo that had coderabbit is potentially compromised

    Reply View 0 replies
frankfrank13 6 days ago

Reading this, its not clear how your blog posts relates:

1. You run git clone inside the GCR function, so, you have at the very least a user token for the git provider

2. RCE exploit basically used the external tools, like a static analysis checker, which again, is inside your GCR function

3. As a contrived example, if I could RCE `console.log(process.env)` then seemingly I could do `fetch(mywebsite....`

I get it, you can hand wave some amount of "VPC" and "sandbox" here. But, you're still executing code, explicitly labeling it "untrusted" and "sandboxed" doesn't excuse it.

Reply View 0 replies
progbits 6 days ago

> no customer data was affected

Someone could have taken the private github key and cloned your customers' private repos.

You would need to audit every single access to github made via your app since the beginning and link it somehow to your side. Did you do this?

Reply View 0 replies
yunohn 6 days ago

While I fully understand that things sometimes get missed, it just seems really bizarre to me that somehow “sandboxing/isolation” was never considered prior to this incident. To me, it feels like the first thing to implement in a system that is explicitly built to run third party untrusted code?

Reply View 2 replies
  • wging 6 days ago

    The article seems to imply that something of the sort had actually been attempted prior to the incident, but was either incomplete or buggy. I'm not sure the details would be entirely exculpatory, but unless you want to flatly disbelieve their statements, "not considered" isn't quite right.

    > After responsibly disclosing this critical vulnerability to the CodeRabbit team, we learned from them that they had an isolation mechanism in place, but Rubocop somehow was not running inside it.

    Reply View 0 replies
  • roywiggins 6 days ago

    It seems to me that they thought the linter would be safe to run as it wasn't meant to actually run untrusted code, just statically analyze it.

    Reply View 0 replies
elpakal 6 days ago

> Sandboxing: All Cloud Run instances are sandboxed with two layers of sandboxing and can be configured to have minimal IAM permissions via dedicated service identity. In addition, CodeRabbit is leveraging Cloud Run's second generation execution environment, a microVM providing full Linux cgroup functionality. Within each Cloud Run instance, CodeRabbit uses Jailkit to create isolated processes and cgroups to further restrict the privileges of the jailed process.

In case you don't want to read through the PR

Reply View 1 reply
  • 0x457 6 days ago

    I don't get it, if you're running on linux then just use Landlock LSM inside a VM.

    Reply View 0 replies
KingOfCoders 6 days ago

The chuzpe to use this as PR.

Reply View 3 replies
  • woodruffw 6 days ago

    Off topic, but: chutzpah is the conventional English spelling :-)

    Edit: I'm this old when I learned that Germans spell it "chuzpe."

    Reply View 1 reply
    • KingOfCoders 6 days ago

      I'm this old to learn that the Yiddish spelling is chutzpe with a `T` (thought it would be Chuzpe).

      Reply View 0 replies
  • Xunjin 6 days ago

    Silicon Valley sitcom comedy moment right here.

    Reply View 0 replies
tadfisher 6 days ago

But do you still store your GH API private key in environment variables?

Reply View 3 replies
  • curuinor 6 days ago

    hey, this is Howon from CodeRabbit. We use a cloud-provider-provided key vault for application secrets, including GH private key.

    Reply View 2 replies
    • musicnarcoman 6 days ago

      So the CodeRabbit application with access to application secrets still runs in the same virtual machine as untrusted code from the outside?

      Reply View 0 replies
    • megamorf 6 days ago

      Howon, you can stop posting that canned response. It's not helping the discussion in any way and matches the lack of detail the other commenters have pointed out.

      Reply View 0 replies
smsm42 6 days ago

The word "now" here is kinda worrying tbh. How was it a good idea to release and sell this product before it has been the case?

Reply View 0 replies