cmd/go: arbitrary code execution during “go get” or “go get -d” [Go 1.8] #22125
Using custom domains, it is possible to arrange things so that example.com/pkg1 points to a Subversion repository but example.com/pkg1/pkg2 points to a Git repository. If the Subversion repository includes a Git checkout in its pkg2 directory and some other work is done to ensure the proper ordering of operations, “go get” can be tricked into reusing this Git checkout for the fetch of code from pkg2. If the Subversion repository’s Git checkout has a malicious code in .git/hooks/, it will execute on the system running “go get.”
The fix is to detect version control checkouts nested inside other version control checkouts and refuse to execute version control operations in those checkouts. It would be nice if Git had a --no-hooks option, and then we could use that as an additional backup step, but it does not.
Thanks to Simon Rawet for reporting this problem.
Update: This has been assigned CVE-2017-15041.
The text was updated successfully, but these errors were encountered:
Manually apply same change as CL 68110 did for cmd/go/internal/get, but for golang.org/x/tools/go/vcs, to help keep them in sync. Updates golang/go#22125. Helps golang/go#11490. Change-Id: I255f7a494d9572389fc8dc8ce96891b6fcc214a0 Reviewed-on: https://go-review.googlesource.com/68352 Reviewed-by: Russ Cox <firstname.lastname@example.org>
This change seems to break
Same goes for this mirror:
Was the intent here to disable all nested VCS except for git?