stork

vulnerability arbitrary os command execution
severity 7.3
language go
registry golang

✍️ Description

When version:from_user prompts for the new version, the input is read with fmt.Scanln, which splits on whitespace. Only the first token becomes the version; the next whitespace-separated token is executed as an OS command when the program finishes.

🕵️‍♂️ Proof of Concept

Create a Stork script and save it as file.stork:

#!/usr/bin/env stork -f
git:changelog

version:file "cmd/PACKAGE/version.go"
version:from_user

git:create_tag $VERSION

Run stork -f file.stork; it will ask you to enter the latest version for your Go package. Fill in the payload as follows:

abc duname -sr

The value before the space becomes the program's new version, and the value after it is executed as a command.
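The following is an added example and not Stork's own code. It reproduces the weak read pattern the report describes (fmt.Fscanln fills a single string with the first whitespace-delimited token only) beside a hardened prompt that reads the whole line and accepts nothing but a strict version string, and it builds the git tag step as an argument vector so the version is never interpreted by a shell. The function names, the version pattern and the sample input are assumptions constructed for the example; the payload string mirrors the shape of the report's input with a benign command.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"os/exec"
	"regexp"
	"strings"
)

// Strict semantic-version shape (assumed for this example): optional leading
// "v", three numeric components, optional pre-release suffix from a safe
// alphabet. Whitespace, quotes, semicolons, backticks and "$(" can never match.
var versionPattern = regexp.MustCompile(`^v?[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.]+)?$`)

// ErrInvalidVersion is returned for any input that is not a plain version string.
var ErrInvalidVersion = errors.New("invalid version string")

// readVersionScanln mirrors the weak pattern from the report: fmt.Fscanln
// fills the single string argument with the first whitespace-delimited token.
// For "abc uname -sr" it returns "abc" plus an "expected newline" error that
// is easy to ignore; the rest of the line is never examined by this code.
func readVersionScanln(r io.Reader) (string, error) {
	var v string
	_, err := fmt.Fscanln(r, &v)
	return v, err
}

// parseVersion validates a candidate version string. It is the single
// choke point that every later step (file rewrite, git tag) goes through.
func parseVersion(raw string) (string, error) {
	v := strings.TrimSpace(raw)
	if !versionPattern.MatchString(v) {
		return "", fmt.Errorf("%w: %q", ErrInvalidVersion, v)
	}
	return v, nil
}

// readVersionLine is the hardened prompt: it consumes the entire line, so no
// leftover token remains in the input stream, and then validates the line.
func readVersionLine(r io.Reader) (string, error) {
	line, err := bufio.NewReader(r).ReadString('\n')
	if err != nil && !errors.Is(err, io.EOF) {
		return "", err
	}
	return parseVersion(line)
}

// tagCommand builds the git invocation as an argument vector. exec.Command
// does not involve a shell, so the version is a literal argument rather than
// text a shell could split or expand. The command is returned unexecuted.
func tagCommand(version string) (*exec.Cmd, error) {
	v, err := parseVersion(version)
	if err != nil {
		return nil, err
	}
	return exec.Command("git", "tag", v), nil
}

func main() {
	// Constructed sample in the shape of the report's payload, with a benign command.
	const payload = "abc uname -sr\n"

	weak, err := readVersionScanln(strings.NewReader(payload))
	fmt.Printf("Scanln read %q (err: %v); the rest of the line was not examined\n", weak, err)

	if _, err := readVersionLine(strings.NewReader(payload)); err != nil {
		fmt.Println("whole-line read rejected it:", err)
	}

	if cmd, err := tagCommand("v1.4.2"); err == nil {
		fmt.Println("would run:", strings.Join(cmd.Args, " "))
	}
}
```

The two reads are interchangeable from the user's point of view (one prompt, one line typed), which is what makes the whitespace-splitting behaviour of fmt.Scanln easy to miss in review; the validation step is what closes the gap regardless of which read is used.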

PoC

💥 Impact

An attacker could supply arguments that cause unintended commands or code to be executed, allow sensitive data to be read or modified, or cause other unintended behavior, through a malicious version string defined for the Go package.