BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//cfp.cccv.de//XXXSWE
BEGIN:VTIMEZONE
TZID:CET
BEGIN:STANDARD
DTSTART:20001029T040000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10
TZNAME:CET
TZOFFSETFROM:+0200
TZOFFSETTO:+0100
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000326T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=3
TZNAME:CEST
TZOFFSETFROM:+0100
TZOFFSETTO:+0200
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-38c3-XXXSWE@cfp.cccv.de
DTSTART;TZID=CET:20241229T120000
DTEND;TZID=CET:20241229T124000
DESCRIPTION:The whole world is talking about AI\, and developers are no exc
 eption. When a developer hears about a tool that can help them handle git 
 pull requests using AI\, it is likely that they will start using it for th
 eir open source project.\n\nThis is precisely what's happening with Qodo M
 erge (formerly PR-Agent)\, an open source tool that can help review and ha
 ndle git pull requests by using AI to provide feedback and suggestions to 
 developers. It is getting adopted by more and more open source projects\, 
 including popular ones.\n\nIt is so easy to add new features by relying on
  external tools\, yet the consequences on security can be catastrophic.\n\
 nIndeed\, if the tool contains security vulnerabilities\, the project usin
 g it may become vulnerable too and may grant anyone permissions to perform
  unexpected actions without realizing it. But everyone wants to use AI so 
 security may be overlooked.\n\nWe found multiple vulnerabilities in Qodo M
 erge that may lead to privilege escalation on GitLab\, getting write acces
 s to GitHub repositories and leaking GitHub repository secrets. Additional
 ly we found multiple high profile GitHub repositories using Qodo Merge wit
 h a configuration that makes them vulnerable\, such as highly popular proj
 ects\, government official repositories\, self-driving automotive industry
  projects\, blockchains and more.\n\nIn this talk we go through what Qodo 
 Merge is\, how it can be used\, how it works\, how it can be exploited\, w
 hat projects are affected and what the impacts are. We also mention remedi
 ation steps to fix these issues.
DTSTAMP:20241227T122832Z
LOCATION:Saal ZIGZAG
SUMMARY:AI Meets Git: Unmasking Security Flaws in Qodo Merge - Nils Amiet
URL:https://fahrplan.events.ccc.de/congress/2024/fahrplan/talk/XXXSWE/
END:VEVENT
END:VCALENDAR
