Comment by KingOfCoders

Comment by KingOfCoders 6 days ago

View on Hacker News

Did I misread the article, or did they take the tool config from the PR not the repo?

yxhuvud 6 days ago

Unfortunately that mostly has to be the case or else the developer experience configuring these would be too bad.

Reply View 0 replies

morgante 6 days ago

The exploit is there either way.

Reply View 2 replies

KingOfCoders 6 days ago

The exploit depends on changing the config to execute a .rb file. And the config was supplied by a PR.

Reply View | 1 reply
- flexagoon 6 days ago
  
  Yes, but the exploit grants you access to ALL repos, not just the one the PR is in. You could just as well change the config in your own private repo and run coderabbit in it.
  
  Reply View | 0 replies