How are they getting access to the PostgreSQL database, unless this running code... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		nodesocket 33 days ago \| parent \| context \| favorite \| on: How we exploited CodeRabbit: From simple PR to RCE... How are they getting access to the PostgreSQL database, unless this running code can communicate with it? That’s a big red flag, user provided code should always be sandboxed and isolated right?

megamorf 33 days ago [–]

The exfiltrated environment variables contained these entries:

``` "POSTGRESQL_DATABASE": "(CENSORED)", "POSTGRESQL_HOST": "(CENSORED)", "POSTGRESQL_PASSWORD": "(CENSORED)", "POSTGRESQL_USER": "(CENSORED)", ```

nodesocket 33 days ago | [–]

Sure, but connections from these worker machines shouldn’t be allowed directly to the database.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact