KingOfCoders 5 days ago
They let the static tool get its config from the PR? Is this madness? Or did I read the article wrong?
megamorf 5 days ago | parent
The security researcher noticed that CodeRabbit runs linters against your code base and noticed that Rubocop was among the provided linters. Rubocop supports extensions that contain custom code, so he crafted an extension that exfiltrated the environment variables of the running Rubocop process when it linted the contents of his PR.
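Added example, not code from the thread or from CodeRabbit: a defender-side pre-check that inspects a PR-supplied .rubocop.yml and refuses to run RuboCop when its `require:` list would load extension code from the checkout or from a gem the CI operator has not vetted. The sample config and the allowlist are constructed for illustration.

```ruby
require "yaml"

# Constructed sample .rubocop.yml as a pull request might ship it; not the
# file from the incident described in the thread.
UNTRUSTED_CONFIG = <<~YAML
  require:
    - rubocop-rails
    - ./lib/cops/pr_supplied_cop
    - rubocop-unknown-plugin
  AllCops:
    NewCops: enable
YAML

# Extensions the CI operator has vetted and installed (assumption).
ALLOWED_EXTENSIONS = %w[rubocop-rails rubocop-rspec rubocop-performance].freeze

# Returns [[entry, reason], ...] for every `require:` entry that would make
# RuboCop load code outside the allowlist. Relative or absolute paths resolve
# to files inside the checkout, i.e. code the PR author controls; any gem
# name not on the allowlist is treated as unvetted.
def untrusted_requires(yaml_text, allowlist = ALLOWED_EXTENSIONS)
  config = YAML.safe_load(yaml_text) || {}
  Array(config["require"]).filter_map do |entry|
    entry = entry.to_s
    if entry.start_with?(".", "/")
      [entry, :local_path]
    elsif !allowlist.include?(entry)
      [entry, :unlisted_gem]
    end
  end
end

# Fail closed: only invoke `rubocop` on an untrusted checkout when the
# config cannot pull in code the operator did not install.
def safe_to_lint?(yaml_text, allowlist = ALLOWED_EXTENSIONS)
  untrusted_requires(yaml_text, allowlist).empty?
end

untrusted_requires(UNTRUSTED_CONFIG).each do |entry, reason|
  warn "refusing to load #{entry.inspect} (#{reason})"
end
```

A CI job would run this check before the linter step and skip linting (or lint with a trusted, repository-independent config) when it returns false.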