Worth noting is that, while go build doesn't run arbitrary code, go generate does:
    package evil

    import "fmt"

    // the echo is intentional, in case someone actually tries this for some reason
    //go:generate echo rm -rf /
    func PretendGood() {
        fmt.Println("I am good")
    }

When they say fetching and building code doesn't execute it, that's specific to go get and go build. There's no guarantee that every go subcommand is safe. This is pretty obvious if you know how go generate works and it isn't a flaw of the language, but if I were new to Go, this is the kind of article I'd read but still not understand exactly what was safe and what wasn't.
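
An added example, not part of the comment above: a small Go audit that lists the `//go:generate` directives in a source file and flags any whose command is not on an allowlist, so they can be reviewed before `go generate` is run on fetched code. The names `FindDirectives` and `Unapproved`, the sample text, and the `stringer` allowlist entry are assumptions made for the illustration, and arguments are split on whitespace without handling quoting.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Constructed sample input: one allowlisted directive, the echo from the comment, one ignored line.
const sample = `package evil
//go:generate stringer -type=Color
//go:generate echo rm -rf /
	//go:generate indented lines are ignored by go generate
func PretendGood() {}
`

// Directive is one //go:generate line: its line number and command words.
type Directive struct{ Line int; Args []string }

// FindDirectives scans line by line like go generate: a directive starts at column 0
// with //go:generate plus a space or tab. Assumption: whitespace-split args, no quoting.
func FindDirectives(src string) []Directive {
	var out []Directive
	sc := bufio.NewScanner(strings.NewReader(src))
	for n := 1; sc.Scan(); n++ {
		line := sc.Text()
		if strings.HasPrefix(line, "//go:generate ") || strings.HasPrefix(line, "//go:generate\t") {
			if args := strings.Fields(line)[1:]; len(args) > 0 {
				out = append(out, Directive{n, args})
			}
		}
	}
	return out
}

// Unapproved returns the directives whose command is not in the allowlist.
func Unapproved(src string, allowed map[string]bool) []Directive {
	var bad []Directive
	for _, d := range FindDirectives(src) {
		if !allowed[d.Args[0]] {
			bad = append(bad, d)
		}
	}
	return bad
}

func main() {
	fmt.Println(Unapproved(sample, map[string]bool{"stringer": true}))
}
```

The scan is textual rather than AST-based on purpose, since a directive is recognised by how the line starts, not by where it sits in the syntax tree.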