Comment by throw_me_uwu

1 month ago

WTF, they not just made unauthenticated RCE http endpoint, they also helpfully added CORS bypass for it... all in CLI tool? That silently starts http server??

6 comments

throw_me_uwu

never_inline 1 month ago

Someone tell the AI labs to stop training on tutorial code.

Hamuko 1 month ago

I'm slightly surprised that the CORS policy wasn't just "*" considering how wide open the server itself was.

throw_me_uwu 1 month ago

That's the point, it was!
https://github.com/anomalyco/opencode/commit/7d2d87fa2c44e32...
gpm 1 month ago

It seems like it was prior to 1.0.216?

Bridged7756 1 month ago

Just run it in a sandbox, bro.

lifetimerubyist 1 month ago

It’s a vibe, bro.