Potential Vulnerability With Gopkg.in
I noticed that this repository uses https://gopkg.in/fsnotify.v1. Recently someone created the github.com/go-fsnotify/fsnotify repository; because of how gopkg.in works, requests to github.com/fsnotify/fsnotify are being routed to this new repository. I am aware of the reasons why this new repo and account were created, but it could be a bad actor. Just a heads up.
lol nvm.
Obviously this doesn't matter to go-corpus, so closing the issue was fine. But as someone interested in package management in Go I would like to understand more about what you are reporting, so I reopened it.
How can requests to import github.com/fsnotify/fsnotify have anything to do with gopkg.in? Also I don't believe there's any ambiguity about what a gopkg.in URL means so I don't understand how, even if we were talking about gopkg.in import paths, creating a new repo on GitHub would redirect existing gopkg.in paths.
Thanks very much for any additional information.
/cc @niemeyer
I had started to write a script to notify all repos that used gopkg.in/fsnotify.v1 (I didn't run the script beyond the first repo it found in the end), because of an issue my team encountered. Here is the long version.
github.com/fsnotify/fsnotify was named github.com/go-fsnotify/fsnotify 2 years ago. We are using a tool that utilizes fsnotify through gopkg.in/fsnotify.v1. gopkg.in/fsnotify.v1 until today redirected to github.com/fsnotify/fsnotify. (I think this is because of the redirecting GitHub does when an organization's name changes, but don't quote me.) Someone created a new go-fsnotify organization with an empty fsnotify. My team thought it was the beginnings of a bad actor exploiting gopkg and the GitHub redirect behavior, and that they were planning on putting some bad code in the repo, similar to what happened earlier this year with npm packages. After talking to @niemeyer we ended up figuring out that it was a false positive.
TLDR github redirects due to renaming made my team worry about a potential bad actor.
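The mapping from a gopkg.in import path to the GitHub organization gopkg.in fetches from, as an added audit helper that is not code from this thread or from gopkg.in itself. It applies gopkg.in's documented naming rules (gopkg.in/pkg.vN maps to github.com/go-pkg/pkg, gopkg.in/user/pkg.vN to github.com/user/pkg) and compares the result against a hand-maintained map of where each project currently lives, so a renamed upstream like fsnotify's shows up as a finding; the source snippet and the `knownHomes` map are constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
)

// gopkgRe captures the optional user, the package name and the major version
// from both gopkg.in forms: gopkg.in/pkg.vN and gopkg.in/user/pkg.vN.
var gopkgRe = regexp.MustCompile(`^gopkg\.in/(?:([^/]+)/)?([^/.]+)\.v(\d+)(?:/.*)?$`)

// Upstream is the GitHub location gopkg.in will fetch for an import path.
type Upstream struct {
	ImportPath, Org, Repo, Major string
}

// ResolveGopkg maps a gopkg.in import path to its GitHub org/repo.
// ok is false when the path is not a gopkg.in path.
func ResolveGopkg(importPath string) (up Upstream, ok bool) {
	m := gopkgRe.FindStringSubmatch(importPath)
	if m == nil {
		return Upstream{}, false
	}
	org := m[1]
	if org == "" { // no user segment: gopkg.in prefixes the repo name with "go-"
		org = "go-" + m[2]
	}
	return Upstream{ImportPath: importPath, Org: org, Repo: m[2], Major: m[3]}, true
}

// AuditImports scans Go source for gopkg.in imports and reports each one whose
// fetch org differs from the maintainer org recorded in knownHomes (repo -> org).
func AuditImports(src string, knownHomes map[string]string) []string {
	importRe := regexp.MustCompile(`"(gopkg\.in/[^"]+)"`)
	var findings []string
	for _, m := range importRe.FindAllStringSubmatch(src, -1) {
		up, ok := ResolveGopkg(m[1])
		if !ok {
			continue
		}
		if home, known := knownHomes[up.Repo]; known && home != up.Org {
			findings = append(findings, fmt.Sprintf("%s fetches from github.com/%s/%s but the project now lives at github.com/%s/%s",
				up.ImportPath, up.Org, up.Repo, home, up.Repo))
		}
	}
	return findings
}

// Constructed sample input: one file importing fsnotify via gopkg.in, and a
// hand-maintained record that fsnotify moved to the github.com/fsnotify org.
const sampleSrc = "package watcher\n\nimport (\n\t\"fmt\"\n\t\"gopkg.in/fsnotify.v1\"\n)\n"

var knownHomes = map[string]string{"fsnotify": "fsnotify"}

func main() {
	for _, f := range AuditImports(sampleSrc, knownHomes) {
		fmt.Println(f)
	}
}
```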
Fascinating, thanks @robbert229. It certainly seems like a bug that GitHub lets people recreate deleted accounts.
@nathany, was that you re-creating go-fsnotify/fsnotify?
Indeed the issue was created by the rename of the original project plus the fact it wasn't further reserved. But we're not entirely sure it's a false positive yet. The organization registrant hasn't spoken up, and the repository description as "Go Dependency R&D" leaves room for interpretation. If we don't resolve this soon I'll need to redirect or at least block that project internally in gopkg.in.
Follow up conversation here: https://github.com/go-fsnotify/fsnotify/issues/1
A security researcher recreated the go-fsnotify organization. My mistake for relying on the GitHub redirect and not considering the security implications.
See also https://github.com/fsnotify/fsnotify/issues/108 for the original reasoning behind moving away from gopkg.in and version numbers in import paths (this happened over two years ago).