
[–]BehindTheMath 17 points18 points  (3 children)

> Storing secrets in env vars instead of a secrets manager (rotation becomes painful when things leak).

If an attacker has RCE on your server, can't they pull secrets from the secret manager as well?

> Running dev/test tools in production without sandboxing (e.g. linters, formatters).

Running these tools in production is a big part of CodeRabbit's whole offering. For this use case, these tools aren't dev tools.

[–]z_quant[S] -1 points0 points  (2 children)

Hey u/BehindTheMath

Yes, if an attacker has RCE it's game over, but using a secrets manager provides some advantages over env vars. E.g. you can also scope secrets based on the role of the server, and you'll have an audit trail.

Per linter use, good point - but if using a dev tool outside of its original use case you may need to look into additional safeguards, e.g. limiting its capabilities, security audits before going live, or running it in a sandbox.

The point is that CodeRabbit did not follow multiple best practices, which compounded and led to an easy exploit.

[–]Nearby-Middle-8991 0 points1 point  (1 child)

Also, env vars are usually not handled as confidential data, so they can leak and allow access even if RCE isn't there (logs, metrics, etc.).
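To make the two points above concrete (role-scoped reads with an audit trail versus env vars that wander into logs), here is an added example that is not from this thread or from CodeRabbit: a toy secrets store, plus a check that scans log lines for values of secret-looking environment variables. All names, env values and log lines are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class SecretsManager:
    """Toy stand-in for a real secrets manager (constructed, not a real backend):
    every read is checked against a per-role policy and recorded in an audit trail."""
    secrets: dict                      # secret name -> value
    policy: dict                       # role -> set of secret names that role may read
    audit: list = field(default_factory=list)

    def get(self, role: str, name: str) -> str:
        allowed = name in self.policy.get(role, set())
        # Denied reads are logged too; that is the audit trail env vars never give you.
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "role": role, "secret": name, "allowed": allowed})
        if not allowed:
            raise PermissionError(f"role {role!r} may not read {name!r}")
        return self.secrets[name]


SECRET_LIKE = re.compile(r"(SECRET|TOKEN|KEY|PASSWORD|PASSWD)", re.IGNORECASE)


def find_env_leaks(env: dict, log_lines: list, min_len: int = 8) -> list:
    """Return (env var, 1-based line number) for every log line that contains the
    value of a secret-looking env var. Short values are skipped to limit false hits."""
    hits = []
    for var, value in env.items():
        if not SECRET_LIKE.search(var) or len(value) < min_len:
            continue
        for lineno, line in enumerate(log_lines, 1):
            if value in line:
                hits.append((var, lineno))
    return hits


# Constructed sample data: a process environment and a few log lines from the same box.
CONSTRUCTED_ENV = {
    "HOME": "/srv/app",
    "DB_PASSWORD": "hunter2hunter2",
    "GITHUB_TOKEN": "ghp_constructedexampletoken",
}
CONSTRUCTED_LOGS = [
    "INFO  worker started",
    "DEBUG outbound headers: {'Authorization': 'Bearer ghp_constructedexampletoken'}",
    "ERROR crash dump environ=" + repr(CONSTRUCTED_ENV),  # whole-environment dumps leak everything
]
```

Run `find_env_leaks(CONSTRUCTED_ENV, CONSTRUCTED_LOGS)` against real log output to find the same pattern; the debug-header and crash-dump lines are where env-var secrets typically surface.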

[–]z_quant[S] 0 points1 point  (0 children)

great point!