Comment by KingOfCoders 6 days ago
They let the static tool get its config from the PR? Is this madness?
Or did I read the article wrong?
But where does the configuration for Rubocop come from? From CodeRabbit (e.g. you configure it on their server for your repo), from the repository or (new) config files in the PR?
The security researcher noticed that CodeRabbit runs linters against your code base and noticed that Rubocop was among the provided linters. Rubocop supports extensions that contain custom code, so he crafted an extension that exfiltrated the environment variables of the running Rubocop process when it linted the contents of his PR.