Description: Software & Security Blog
Software & Security Blog
Some time ago, I read a blogpost from Doyensec that explained a simple but impactful vulnerability in a Visual Studio Code plugin – specifically, it leveraged Python virtual environments to execute arbitrary code when a malicious project was opened in the IDE. At the time, my job involved a lot of Python developing using JetBrain’s PyCharm , so I asked myself: is PyCharm vulnerable to something similar? This post summarizes the consequences of that question, which ultimately led to the discovery of CVE-2021
I’ve been very interested in CodeQL since the moment I discovered its existence. Even though I did the tutorials back in the day, I knew I needed more knowledge and hands-on practice to be able to do something useful with it. So, as soon as it was announced, I decided I was going to participate in GitHub Security Lab CTF 4 - CodeQL and Chill . After some weeks of battling with it, I was able to deliver a solution and ended up getting the 5th position in the competition. Even though it’s not enough to get an