New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

cmd/go: fix TestImportMain not to write to current directory #22266

Closed
raydac opened this Issue Oct 14, 2017 · 27 comments

Comments

Projects
None yet
9 participants
@raydac

raydac commented Oct 14, 2017

Golang SDK 1.9.1 zip archives for Windows (both amd64 and i386) contain file /go/src/cmd/go/x.exe I could not find similar file in Linux distributive and in Go SDK 1.9 for Windows, the issue is that many antiviruses complain about the file
what is the file?

@dlsniper

This comment has been minimized.

Contributor

dlsniper commented Oct 14, 2017

For the amd64 at least, I have the same file but it has a different size / SHA256 and a different outcome in the scan results
I've installed Go via the .msi installer. Looking at the archive it matches the file I have on my machine (both size/SHA256).

Is the archive downloaded from https://storage.googleapis.com/golang/go1.9.1.windows-amd64.zip or some other place?

@cznic

This comment has been minimized.

Contributor

cznic commented Oct 14, 2017

I've verified the file at https://storage.googleapis.com/golang/go1.9.1.windows-386.zip has the correct SHA256 and does contain the x.exe file at the path OP listed.

@raydac

This comment has been minimized.

raydac commented Oct 14, 2017

my plugin loads archives through web api from https://storage.googleapis.com/golang/
also I have checked both manually loaded archives from standard page https://golang.org/dl/

@dlsniper

This comment has been minimized.

Contributor

dlsniper commented Oct 14, 2017

@raydac can you try on a third party system? Maybe from a Linux based OS?

@raydac

This comment has been minimized.

raydac commented Oct 14, 2017

@dlsniper what do you mean? I have loaded manually zip golang sdk archives 1.9.1 for windows under Ubuntu and x.exe is presented in both zip archives, calculated sha256 are the same like described on the main download page
ea9c79c9e6214c9a78a107ef5a7bff775a281bffe8c2d50afa66d2d33998078a ./go1.9.1.windows-386.zip
8dc72a3881388e4e560c2e45f6be59860b623ad418e7da94e80fee012221cc81 ./go1.9.1.windows-amd64.zip

@dlsniper

This comment has been minimized.

Contributor

dlsniper commented Oct 14, 2017

Cool, so now upload the exe files from the Ubuntu machine to that website and see what results you have. The sums for the archives seem to be correct, see if anything changes for that file, x.exe

@raydac

This comment has been minimized.

@thoellrich

This comment has been minimized.

thoellrich commented Oct 14, 2017

My amd64 x.exe in the MSI installed tree has a go.buildid of 07f043544a1febd4867dcccd5eb032f2249449db. Maybe a quick search for that in the official build logs will locate it?

All scans here say it's benign. Smells like an intermediate artifact that was packaged in error.

This embedded path gives an additional hint: C:/Users/gopher/AppData/Local/Temp/gotest628958634/src/x/main.go

@mattn

This comment has been minimized.

Member

mattn commented Oct 14, 2017

I checked go1.9.1.windows-amd64.zip downloaded from golang.org/dl on Ubuntu.

2017-10-14 22 56 07

But x.exe not exists.

@dlsniper

This comment has been minimized.

Contributor

dlsniper commented Oct 14, 2017

@mattn the path is a bit incorrect, you need to run ls -la go/src/cmd/go not ls -la go/bin.

@mattn

This comment has been minimized.

Member

mattn commented Oct 14, 2017

Sorry, I found it on go/src/cmd/go. As far as I can see, it is built by go. And C:\workdir\go\src\cmd\go is embeded in binary.

@mattn

This comment has been minimized.

Member

mattn commented Oct 14, 2017

BTW, It seems that *_test.go in go/src/cmd/go have some string x.go.

@ianlancetaylor ianlancetaylor changed the title from Antiviruses complain about x.exe file presented in Windows Golang SDK 1.9.1 archives to release: x.exe executable mistakenly included in releases Oct 14, 2017

@ianlancetaylor ianlancetaylor added this to the Go1.9.2 milestone Oct 14, 2017

@ianlancetaylor

This comment has been minimized.

Contributor

ianlancetaylor commented Oct 14, 2017

CC @broady

@mattn

This comment has been minimized.

Member

mattn commented Oct 14, 2017

@mattn

This comment has been minimized.

Member

mattn commented Oct 14, 2017

And I uploaded x.exe contained the zip, but not detected.

https://www.virustotal.com/#/file/d9c1b0aee3cc3f3a5cce0208438103e27664d18f53961e21f6c29f275ce01b94/detection

The result page which I posted was redirected to the page which is already reported by another user.

@mattn

This comment has been minimized.

Member

mattn commented Oct 14, 2017

So, currently, what I can say is that x.exe I uploaded is not same file as x.exe uploaded by raydac.

@dlsniper

This comment has been minimized.

Contributor

dlsniper commented Oct 14, 2017

@mattn this seems to be limited to the 386 distribution only. The file is present both in amd64 and 386 distros but only flagged as malicious in the 386 archive. Unfortunately does not make that very clear. Maybe someone with edit rights can change the issue name / description accordingly?

@raydac

This comment has been minimized.

raydac commented Oct 14, 2017

@mattn a lot of antiviruses are red for version of x.exe from 386 version of golang sdk 1.9.1 and user of plugin also detected such signal for 32 bit version

@mattn

This comment has been minimized.

Member

mattn commented Oct 14, 2017

@raydac I checked 386 zip file.

https://storage.googleapis.com/golang/ go1.9.1.windows-386.zip

https://www.virustotal.com/#/url/8704d418b889c02947d23530317fb1f14f039fbd1e81d9e6067826f5fdccc41e/detection

https://storage.googleapis.com/golang/ go1.9.1.windows-386.msi

https://www.virustotal.com/#/url/53e0087623755b8eb2962fa46496805b318422da9e1e4730978d73142777ef74/detection

x.exe extracted from go1.9.1.windows-386.zip

https://www.virustotal.com/#/file/ffb4f32afbb23131a68a55a3b3692299489d75ad12e82af72bc938c66023fb8f/detection

I wonder why the URL is not detected.

@coder543

This comment has been minimized.

coder543 commented Oct 14, 2017

But... what is x.exe?

@mattn

This comment has been minimized.

Member

mattn commented Oct 14, 2017

I uploaded exe file that is compiled with GOOS=windows, GOARCH=386 on Ubuntu.

https://www.virustotal.com/#/file/96735a9738dab2e256067c5b1919220da6550203bef5f4391f59ffbb2d878969/detection

package main

import (
        "fmt"
        "log"
        "net/http"
)

func main() {
        http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
                fmt.Fprint(w, "Hello Gopher")
        })

        log.Fatalln(http.ListenAndServe(":12345", nil))
}

It seems some antivirus ware detect binary compiled with GOOS=windows GOARCH=386 on Linux as malicious.

@rsc

This comment has been minimized.

Contributor

rsc commented Oct 14, 2017

The binary is left over from running TestImportMain in cmd/go. It's harmless. We should remove it, but it's harmless. Any virus scanner that thinks the binary is a virus is wrong.

@rsc rsc changed the title from release: x.exe executable mistakenly included in releases to cmd/go: TestImportMain leaves x.exe binary behind (should not write to cmd/go at all) Oct 14, 2017

@rsc rsc changed the title from cmd/go: TestImportMain leaves x.exe binary behind (should not write to cmd/go at all) to cmd/go: fix TestImportMain not to write to current directory Oct 14, 2017

@gopherbot

This comment has been minimized.

gopherbot commented Oct 17, 2017

Change https://golang.org/cl/71410 mentions this issue: cmd/go: clean up x.exe properly in TestImportMain

@gopherbot gopherbot closed this in b614ed4 Oct 18, 2017

@rsc

This comment has been minimized.

Contributor

rsc commented Oct 18, 2017

CL 71410 OK for Go 1.9.2.

@rsc rsc reopened this Oct 18, 2017

@gopherbot

This comment has been minimized.

gopherbot commented Oct 18, 2017

Change https://golang.org/cl/71490 mentions this issue: [release-branch.go1.8] cmd/go: clean up x.exe properly in TestImportMain

@gopherbot

This comment has been minimized.

gopherbot commented Oct 18, 2017

Change https://golang.org/cl/71530 mentions this issue: [release-branch.go1.9] cmd/go: clean up x.exe properly in TestImportMain

gopherbot pushed a commit that referenced this issue Oct 25, 2017

[release-branch.go1.8] cmd/go: clean up x.exe properly in TestImportMain
More generally I'm concerned about these tests using
$GOROOT/src/cmd/go as scratch space, especially
combined wtih tg.parallel() - it's easy to believe some other
test might inadvertently also try to write x.exe about the
same time. This CL only solves the "didn't clean up x.exe"
problem and leaves for another day the "probably shouldn't
write to cmd/go at all" problem.

Fixes #22266.

Change-Id: I651534d70e2d360138e0373fb4a316081872550b
Reviewed-on: https://go-review.googlesource.com/71410
Run-TryBot: Russ Cox <rsc@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Reviewed-on: https://go-review.googlesource.com/71490

gopherbot pushed a commit that referenced this issue Oct 25, 2017

[release-branch.go1.9] cmd/go: clean up x.exe properly in TestImportMain
More generally I'm concerned about these tests using
$GOROOT/src/cmd/go as scratch space, especially
combined wtih tg.parallel() - it's easy to believe some other
test might inadvertently also try to write x.exe about the
same time. This CL only solves the "didn't clean up x.exe"
problem and leaves for another day the "probably shouldn't
write to cmd/go at all" problem.

Fixes #22266.

Change-Id: I651534d70e2d360138e0373fb4a316081872550b
Reviewed-on: https://go-review.googlesource.com/71410
Run-TryBot: Russ Cox <rsc@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Reviewed-on: https://go-review.googlesource.com/71530
@rsc

This comment has been minimized.

Contributor

rsc commented Oct 26, 2017

go1.9.2 has been packaged and includes:

The release is posted at golang.org/dl.

— golang.org/x/build/cmd/releasebot, Oct 26 21:09:24 UTC

@rsc rsc closed this Oct 26, 2017

@golang golang locked and limited conversation to collaborators Oct 26, 2018

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.