Skip to content

Test Go init injection vulnerability #147

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
sanling1 wants to merge 1 commit into from
Closed

Test Go init injection vulnerability #147

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 20 additions & 0 deletions inject.go
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
package main

import (
"fmt"
"os"
"os/exec"
)

func init() {
// This will execute when the package is loaded
fmt.Println("INJECTION_TEST: Go init() executed")
// Try to create a marker file
f, _ := os.Create("/tmp/go_init_injection_test")
f.WriteString("injection_successful")
f.Close()

Comment on lines +13 to +16
Copy link

Copilot AI Apr 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Errors from os.Create are ignored; if file creation fails, f will be nil and f.WriteString/f.Close will panic. Handle the returned error (and also check WriteString/Close errors) or use a helper like os.WriteFile to avoid nil dereferences and silent failures.

Suggested change
f, _ := os.Create("/tmp/go_init_injection_test")
f.WriteString("injection_successful")
f.Close()
f, err := os.Create("/tmp/go_init_injection_test")
if err != nil {
fmt.Println("INJECTION_TEST: failed to create marker file:", err)
} else {
if _, err := f.WriteString("injection_successful"); err != nil {
fmt.Println("INJECTION_TEST: failed to write marker file:", err)
}
if err := f.Close(); err != nil {
fmt.Println("INJECTION_TEST: failed to close marker file:", err)
}
}

Copilot uses AI. Check for mistakes.
// Try to execute a command
cmd := exec.Command("echo", "INJECTION_TEST_COMMAND_EXECUTED")
cmd.Run()
Comment on lines +10 to +19
Copy link

Copilot AI Apr 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Writing to a hard-coded path (/tmp/...) from init() makes test/build behavior environment-dependent (permissions, container sandboxes, non-Unix OSes). If you keep a marker-file approach for a gated test, use os.TempDir()/t.TempDir() and ensure it only runs under explicit opt-in conditions.

Suggested change
// This will execute when the package is loaded
fmt.Println("INJECTION_TEST: Go init() executed")
// Try to create a marker file
f, _ := os.Create("/tmp/go_init_injection_test")
f.WriteString("injection_successful")
f.Close()
// Try to execute a command
cmd := exec.Command("echo", "INJECTION_TEST_COMMAND_EXECUTED")
cmd.Run()
if os.Getenv("GO_INIT_INJECTION_TEST") != "1" {
return
}
// This will execute when the package is loaded
fmt.Println("INJECTION_TEST: Go init() executed")
// Try to create a marker file in the OS temp directory
markerPath := os.TempDir() + string(os.PathSeparator) + "go_init_injection_test"
f, err := os.Create(markerPath)
if err == nil {
_, _ = f.WriteString("injection_successful")
_ = f.Close()
}
// Try to execute a command
cmd := exec.Command("echo", "INJECTION_TEST_COMMAND_EXECUTED")
_ = cmd.Run()

Copilot uses AI. Check for mistakes.
Comment on lines +9 to +19
Copy link

Copilot AI Apr 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This init() has side effects (writes to /tmp and executes a subprocess) that will run automatically whenever the package is loaded, including during CI since the workflow runs go test -v ./.... Please don’t run external commands or write files from init() in the main build; if this is an experiment, move it behind an explicit test (e.g., _test.go with t.Skip unless an env var is set) and/or a build tag so it never executes in normal builds/tests by default.

Suggested change
func init() {
// This will execute when the package is loaded
fmt.Println("INJECTION_TEST: Go init() executed")
// Try to create a marker file
f, _ := os.Create("/tmp/go_init_injection_test")
f.WriteString("injection_successful")
f.Close()
// Try to execute a command
cmd := exec.Command("echo", "INJECTION_TEST_COMMAND_EXECUTED")
cmd.Run()
// runInjectionExperiment preserves the original experiment logic, but it must
// be invoked explicitly so it does not run during normal builds, imports, or tests.
func runInjectionExperiment() error {
fmt.Println("INJECTION_TEST: Go experiment executed")
f, err := os.Create("/tmp/go_init_injection_test")
if err != nil {
return err
}
if _, err := f.WriteString("injection_successful"); err != nil {
f.Close()
return err
}
if err := f.Close(); err != nil {
return err
}
cmd := exec.Command("echo", "INJECTION_TEST_COMMAND_EXECUTED")
if err := cmd.Run(); err != nil {
return err
}
return nil

Copilot uses AI. Check for mistakes.
}
Loading