rsc 3 hours ago

While you can create and build a local package with U+FE0E in its file name, you cannot create or download a module using that character in a file name. So you could run this attack in someone's top-level repo but not in any of their dependencies. That's something at least.

https://go.googlesource.com/mod/+/refs/heads/master/module/m...
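An added example, not code from the thread or from the Go project: a small Go program that applies an assumed mirror of the module file-name rule rsc points to, so a repo owner can flag checked-in names (such as one containing U+FE0E) that build locally but could never be fetched as part of a module. The allowed character set below is my recollection of golang.org/x/mod/module, not a verified copy, and the real check applies further rules (reserved Windows names, for instance) on top of it.

```go
package main

import (
	"fmt"
	"io/fs"
	"path/filepath"
	"strings"
	"unicode"
)

// fileNameRuneOK is an assumed mirror of the per-rune rule in golang.org/x/mod/module:
// ASCII letters, digits, a fixed punctuation set and space pass; any non-ASCII rune
// passes only if it is a Unicode letter. U+FE0E is a nonspacing mark, so it fails.
func fileNameRuneOK(r rune) bool {
	if r >= 0x80 {
		return unicode.IsLetter(r)
	}
	return unicode.IsDigit(r) || ('a' <= r && r <= 'z') || ('A' <= r && r <= 'Z') ||
		strings.ContainsRune("!#$%&()+,-.=@[]^_{}~ ", r)
}

// CheckFileName reports the first offending rune in name, or "" if the name is accepted.
// Invalid UTF-8 decodes to U+FFFD, which is not a letter, so it is rejected as well.
func CheckFileName(name string) string {
	for i, r := range name {
		if !fileNameRuneOK(r) {
			return fmt.Sprintf("byte %d: U+%04X %+q not allowed", i, r, r)
		}
	}
	return ""
}

// ScanTree walks root and lists entries whose base name the rule rejects, i.e. files a
// local `go build` accepts but that could never be downloaded as part of a module.
func ScanTree(root string) ([]string, error) {
	var findings []string
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err == nil && p != root {
			if msg := CheckFileName(d.Name()); msg != "" {
				findings = append(findings, p+": "+msg)
			}
		}
		return err
	})
	return findings, err
}

func main() {
	// Constructed samples; "util\uFE0E.go" carries the variation selector from the thread.
	for _, s := range []string{"main.go", "util\uFE0E.go", "bad|name.go", "résumé.go"} {
		fmt.Printf("%+q -> %q\n", s, CheckFileName(s))
	}
}
```

Run `ScanTree(".")` from a repository root to list every path element that would be rejected.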

  • donatj 2 hours ago

    Huh, that gives me a little pause.

    People who clone a project and compile it manually get different output than people who `go install` it?

    Is that inconsistency something that … should be fixed? Seems like it should be.

kbolino 2 hours ago

A vulnerability illustrated here is that of packages having global state which is both security-critical and world-mutable. Such a vulnerability exists in the standard library, most notably (crypto/rand).Reader which is usually fed by the system CSPRNG but can be overwritten to any io.Reader value. There has been some discussion around different ways to address this issue, but fixing it has generally been rejected by the language maintainers, e.g. https://github.com/golang/go/issues/42713, with the argument that fixing it directly just provides an illusion of security.

fnands 4 hours ago

> I am not employed at the University of Minnesota so I don’t go around sending malicious patches just to see what would happen.

Lol, they will never live that one down.