2025年1月,rsync被披露了6个安全漏洞(含任意代码执行和文件泄露),本文深入探讨了用Go语言实现的最小化兼容版rsync(gokrazy/rsync)是否真正避免了整类安全问题。文章详细分析了所有12个漏洞(涵盖2025年1月和2026年5月两批),对比了上游C语言实现与Go实现的差异,并提供了判决结论、与OpenBSD openrsync(C语言编写)的对比、以及Linux上的深度防御机制建议。关键发现:Go运行时边界检查可防止堆缓冲区溢出,但最小化实现本身仍需要做好输入验证。
GitHub's commit "Verified" badge checks only the committer's key, not the author field, which can be spoofed via Git env vars. Attackers can show a verified badge next to any forged identity. The defense (Vigilant Mode) is opt-in and off by default.
The author details how their Go-based rsync implementation avoids common vulnerabilities found in the original C version (like buffer overflows and symlink races) by leveraging Go's memory safety features. They highlight design choices such as avoiding unsafe code, using bounded types, and minimizing attack surface to achieve a safer file transfer tool without sacrificing compatibility.
The article presents a memory-safe implementation of rsync in Go, designed to avoid common vulnerabilities like buffer overflows and memory corruption that plague the original C version. By leveraging Go's type safety and garbage collection, the author created a minimal rsync clone that maintains core functionality while eliminating entire classes of security bugs.