The vulnerable code uses attacker-controlled input (the list of changed files under documentation/rules in the PR), and interpolates it in a Bash script. In the context of our malicious PRs, this meant that line 18 of the code snippet evaluated to the following, which triggered code execution:
Путин заявил о готовности поставлять Европе нефть и газ19:01,更多细节参见新收录的资料
除了比亚迪,曾经的民营车企销冠吉利,也很清楚“快”对自己而言意味着什么。。新收录的资料对此有专业解读
// Initialize the hash to a 'random' value
Долину уличили в снижении цены на свое выступление втрое20:45