Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
cmd/go: arbitrary code execution during “go get” or “go get -d” [Go 1.8] #22125
Using custom domains, it is possible to arrange things so that example.com/pkg1 points to a Subversion repository but example.com/pkg1/pkg2 points to a Git repository. If the Subversion repository includes a Git checkout in its pkg2 directory and some other work is done to ensure the proper ordering of operations, “go get” can be tricked into reusing this Git checkout for the fetch of code from pkg2. If the Subversion repository’s Git checkout has a malicious code in .git/hooks/, it will execute on the system running “go get.”
The fix is to detect version control checkouts nested inside other version control checkouts and refuse to execute version control operations in those checkouts. It would be nice if Git had a --no-hooks option, and then we could use that as an additional backup step, but it does not.
Thanks to Simon Rawet for reporting this problem.
Update: This has been assigned CVE-2017-15041.
referenced this issue
Oct 4, 2017
changed the title from
placeholder for security issue
cmd/go: arbitrary code execution during “go get” or “go get -d” [Go 1.8]
Oct 4, 2017
pushed a commit
Oct 5, 2017
This change seems to break
Same goes for this mirror:
Was the intent here to disable all nested VCS except for git?