For every bounty won throughout May 2021, huntr will donate half towards Indian COVID relief.
When a new version is prompted for with version:from_user, an OS command can be executed: the tool reads the input with fmt.Scanln, which is space-separated, so only the first token becomes the version and the next space-separated value given is executed automatically when the program finishes.
Create a Stork script and save it as file.stork:
version:from_user
git:create_tag $VERSION
git:changelog
version:file "cmd/PACKAGE/version.go"
Run stork -f file.stork; it will ask you to enter the latest version for your Go package. Fill in the payload as follows:
abc duname -sr
The value before the space defines the new version for the program, and the value after it is executed as a command.
An attacker could include arguments that allow unintended commands or code to be executed, allow sensitive data to be read or modified, or cause other unintended behavior through a malicious version defined for the Go package.
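Added example, written for this page and not code from the huntr report or the Stork project: a small Go program that puts the weak pattern next to a hardened one. ScanlnVersion reads the version with fmt.Fscanln and returns whatever is left behind, which is the root of the issue described above (only the first space-separated token is consumed; the remainder stays in the input buffer and is later read by whatever reads that buffer next). ReadVersionLine consumes the whole line and accepts only a single strict semantic-version token. The function names, the semver allow-list and the sample inputs are assumptions for illustration.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"regexp"
	"strings"
)

// ScanlnVersion reproduces the weak pattern: fmt.Fscanln fills the argument
// from the first space-separated token and then, on finding more input before
// the newline, stops with an "expected newline" error. The program never
// consumes the rest of the line; it is returned here only to make the
// leftover visible.
func ScanlnVersion(r io.Reader) (version, leftover string, err error) {
	_, err = fmt.Fscanln(r, &version)
	rest, _ := io.ReadAll(r)
	return version, string(rest), err
}

// semverRe is a strict allow-list (assumption: the tool only needs
// "MAJOR.MINOR.PATCH" tags with an optional leading "v").
var semverRe = regexp.MustCompile(`^v?[0-9]+\.[0-9]+\.[0-9]+$`)

// ValidateVersion trims the line terminator and accepts only one semver token;
// embedded whitespace (the trick above) and any other character outside the
// allow-list are rejected.
func ValidateVersion(raw string) (string, error) {
	v := strings.TrimRight(raw, "\r\n")
	if strings.ContainsAny(v, " \t") {
		return "", errors.New("version must be a single token without whitespace")
	}
	if !semverRe.MatchString(v) {
		return "", fmt.Errorf("version %q is not a valid semantic version", v)
	}
	return v, nil
}

// ReadVersionLine is the hardened replacement: it consumes the entire line,
// so nothing remains in the input buffer, and then validates it.
func ReadVersionLine(r *bufio.Reader) (string, error) {
	line, err := r.ReadString('\n')
	if err != nil && line == "" {
		return "", err
	}
	return ValidateVersion(line)
}

func main() {
	// Constructed input standing in for what a user types at the prompt.
	sample := "1.2.3 some other text\n"

	v, rest, err := ScanlnVersion(strings.NewReader(sample))
	fmt.Printf("Scanln: version=%q leftover=%q err=%v\n", v, rest, err)

	clean, err := ReadVersionLine(bufio.NewReader(strings.NewReader(sample)))
	fmt.Printf("Hardened: version=%q err=%v\n", clean, err)

	clean, err = ReadVersionLine(bufio.NewReader(strings.NewReader("v1.2.3\n")))
	fmt.Printf("Hardened: version=%q err=%v\n", clean, err)
}
```

The point for a fix is the combination: read the whole line (so no input is left for the next reader of that buffer) and validate against an allow-list rather than trying to strip dangerous characters. Note that fmt.Fscanln does report an error when extra tokens follow; code that ignores that error is what turns the leftover into a problem.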