goplus / llgo

A Go compiler based on LLVM in order to better integrate Go with the C ecosystem including Python
Apache License 2.0
305 stars, 24 forks

sec: extern library link can execute any shell code (v0.9.1) #526

Closed kindy closed 1 month ago

kindy commented 1 month ago

steps:

1) save _demo/hello/t.go

```go
package main

const (
    LLGoPackage = "link: $(rm -f $HOME/go/src/github.com/goplus/llgo/_demo/hello/hello.go); -lc"
)
```

2) run `llgo run ./_demo/hello`; it will rm _demo/hello/hello.go.

we can even rm -rf /


impl in #269, related to #180


https://github.com/goplus/llgo/blob/2935ae7bf13f24e4cf3a6c71d7ebc432db02515d/internal/build/build.go#L270-L281

https://github.com/goplus/llgo/blob/2935ae7bf13f24e4cf3a6c71d7ebc432db02515d/xtool/env/env.go#L31-L41

xushiwei commented 1 month ago

Let's limit it to a whitelist first? Currently it seems that supporting pkg-config and llvm-config is enough.

kindy commented 1 month ago

cgo also supports pkg-config; it uses `pkg-config ...` as the cmd (instead of `sh -c "pkg-config ..."`).

see https://github.com/golang/go/blob/go1.22.5/src/cmd/go/internal/work/exec.go#L1622-L1646
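One way to put together the two points made above (a whitelist of `pkg-config` and `llvm-config`, and running the tool directly the way cgo does rather than through `sh -c`), as an added example that is not llgo's own code: a hypothetical `expandLinkDirective` expands each `$(tool args...)` in a `link:` directive only when `tool` is whitelisted, splits the arguments on whitespace, and hands them to `exec.Command`, so nothing in the directive is ever interpreted by a shell. The function names, the `runner` indirection (so the policy can be tested without the tools installed) and the extra metacharacter check are assumptions for illustration; llgo's real directive parsing in `internal/build` and `xtool/env` is not reproduced here.

```go
package main

import (
	"errors"
	"fmt"
	"os/exec"
	"regexp"
	"strings"
)

// allowedTools is the whitelist of commands a link directive may invoke
// through $(...) substitution (hypothetical policy, not llgo's).
var allowedTools = map[string]bool{
	"pkg-config":  true,
	"llvm-config": true,
}

// cmdSubst matches one $(...) substitution; nesting is not supported.
var cmdSubst = regexp.MustCompile(`\$\(([^)]*)\)`)

// runner abstracts command execution so the policy can be exercised
// without pkg-config or llvm-config being installed.
type runner func(name string, args ...string) (string, error)

// execRunner executes the tool directly: argv goes straight to the kernel,
// no shell is involved, so $, ;, | and friends in the directive are never interpreted.
func execRunner(name string, args ...string) (string, error) {
	out, err := exec.Command(name, args...).Output()
	return string(out), err
}

// expandLinkDirective expands every $(tool args...) in a "link:" directive.
// Only whitelisted tools run, arguments are split on whitespace and passed
// as-is, and any argument carrying shell metacharacters is rejected.
// Splitting the result on ";" into individual link flags is left to the caller.
func expandLinkDirective(directive string, run runner) (string, error) {
	const prefix = "link:"
	if !strings.HasPrefix(directive, prefix) {
		return "", errors.New("not a link directive")
	}
	body := strings.TrimSpace(strings.TrimPrefix(directive, prefix))

	var firstErr error
	expanded := cmdSubst.ReplaceAllStringFunc(body, func(m string) string {
		if firstErr != nil {
			return ""
		}
		fields := strings.Fields(m[2 : len(m)-1]) // strip "$(" and ")"
		if len(fields) == 0 {
			firstErr = errors.New("empty $() substitution")
			return ""
		}
		tool := fields[0]
		if !allowedTools[tool] {
			firstErr = fmt.Errorf("tool %q is not whitelisted for link directives", tool)
			return ""
		}
		for _, arg := range fields[1:] {
			// No shell runs these, so this is defence in depth: it keeps
			// $HOME-style references and quoting tricks out of argv entirely.
			if strings.ContainsAny(arg, "$`;|&<>\"'\\") {
				firstErr = fmt.Errorf("argument %q contains shell metacharacters", arg)
				return ""
			}
		}
		out, err := run(tool, fields[1:]...)
		if err != nil {
			firstErr = fmt.Errorf("%s failed: %w", tool, err)
			return ""
		}
		return strings.TrimSpace(out)
	})
	if firstErr != nil {
		return "", firstErr
	}
	return expanded, nil
}

func main() {
	// The directive from the issue report and a benign one, run through the policy.
	for _, d := range []string{
		"link: $(rm -f $HOME/go/src/github.com/goplus/llgo/_demo/hello/hello.go); -lc",
		"link: $(pkg-config --libs zlib); -lc",
	} {
		out, err := expandLinkDirective(d, execRunner)
		if err != nil {
			fmt.Printf("rejected %q: %v\n", d, err)
			continue
		}
		fmt.Printf("expanded %q -> %q\n", d, out)
	}
}
```

The directive from the report is rejected before anything executes, because `rm` is not on the list; the benign one only ever results in `execve("pkg-config", ["--libs", "zlib"])`, which is the same shape of call cgo makes in the `exec.go` code linked above.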

kindy commented 1 month ago

I'll try to fix this.