Comment by yunohn
While I fully understand that things sometimes get missed, it just seems really bizarre to me that somehow “sandboxing/isolation” was never considered prior to this incident. To me, it feels like the first thing to implement in a system that is explicitly built to run third party untrusted code?
The article seems to imply that something of the sort had actually been attempted prior to the incident, but was either incomplete or buggy. I'm not sure the details would be entirely exculpatory, but unless you want to flatly disbelieve their statements, "not considered" isn't quite right.
> After responsibly disclosing this critical vulnerability to the CodeRabbit team, we learned from them that they had an isolation mechanism in place, but Rubocop somehow was not running inside it.