Comment by throw_me_uwu

3 days ago

WTF, they not just made unauthenticated RCE http endpoint, they also helpfully added CORS bypass for it... all in CLI tool? That silently starts http server??

6 comments

throw_me_uwu

never_inline 2 days ago

Someone tell the AI labs to stop training on tutorial code.

Hamuko 3 days ago

I'm slightly surprised that the CORS policy wasn't just "*" considering how wide open the server itself was.

throw_me_uwu 3 days ago

That's the point, it was!
https://github.com/anomalyco/opencode/commit/7d2d87fa2c44e32...
gpm 3 days ago

It seems like it was prior to 1.0.216?

Bridged7756 2 days ago

Just run it in a sandbox, bro.

lifetimerubyist 2 days ago

It’s a vibe, bro.