githubnemo / CompileDaemon

Very simple compile daemon for Go
BSD 2-Clause "Simplified" License

Security Best Practice #80

Closed kopolindo closed 2 years ago

kopolindo commented 2 years ago

Hi! I think this tool is very useful during development and testing, but there might be severe consequences if it is used in production. In fact, if attackers were able to upload arbitrary files, this would trigger re-building and running the malicious code just uploaded, leading to RCE (Remote Code Execution).
In practice, this would bring the same vulnerabilities that affect interpreted languages to Go.

I suggest placing a banner in the README.md file, warning developers to be careful and not to use this tool in a production environment.

githubnemo commented 2 years ago

Fair, I will add a banner disclaiming use in production, since there are numerous reasons why you should think twice before doing something like that. However, once arbitrary files can be uploaded by an attacker, you could also overwrite the binary itself, so claiming this is an RCE is a stretch :)