Can't use v1.4.4 due to a "trojan"

gabriel-vasile / mimetype

A fast Golang library for media type and file extension detection, based on magic numbers

https://pkg.go.dev/github.com/gabriel-vasile/mimetype#pkg-overview

MIT License

1.48k stars 156 forks source link

Can't use v1.4.4 due to a "trojan" #538

Closed jerbob92 closed 1 month ago

jerbob92 commented 1 month ago

My virusscanner blocks v1.4.4 of this package due to it containing a trojan.

You can see the VirusTotal results here: https://www.virustotal.com/gui/file/f00deb54ef962ad59bae824216aa1d160133c3a3ce669db9463e1de966729a24?nocache=1

Is there any way to get around this? Is there some file in there to test against an Archbomb?

gabriel-vasile commented 1 month ago

Hi, it probably complains about one or more files from testdata folder.

VirusTotal says something about trojan.gzip, but the gzip file seems clean. I will try to work on this, but no promises. If you feel like helping, please identify the offending file/s from testdata and I will replace them.

jerbob92 commented 1 month ago

I have tried the previous version and that doesn't list the Archbomb: https://www.virustotal.com/gui/file/406883c1b971bf560f6e87960c4493835ea016c1a8275353f8c547cf815ef216?nocache=1

When comparing the two versions, only the following file has been added to testdata: testdata/tar.issue464.tar

gabriel-vasile commented 1 month ago

Ah, right... issue 464 added detection for a tarbomb.

Let me see what I can do to remove the file but still keep the testcase.

Edit: now I wonder if I've been social engineered into distributing tarbombs...

jerbob92 commented 2 days ago

@gabriel-vasile thanks for fixing! Would you mind rolling a release?