I just reported your script deleting my HOME directory as malware to github


#1

Dear FHIR,

I sent this report to github because having code written like this is unacceptable. It is 1 year old and it is amazing you still have it in a public repo.

Repository https://github.com/hl7-fhir/fhir-svn has at least a script that deletes your $HOME directory and it could potentially delete all the workstation files if it is executed as root.

The script is: https://github.com/hl7-fhir/fhir-svn/blob/master/clean.sh

It is written in a way that deletes all the $HOME directory content. So I report it as a possible abuse of GitHub TOS section C.8 and perhaps C.2.

#2

A batch file to clean temporary files isn’t contrary to the TOS. Follow up here: https://chat.fhir.org/#narrow/stream/9-committers/subject/clean.2Esh


#3

This is the content of clean.sh:

find -name *bak -delete
find -name *class -delete
cd temp
find . -type f -delete
cd ..
cd guides/ccda2/output
find . -type f -delete
cd ../../..
cd guides/ccda2/qa
find . -type f -delete
cd ../../..
cd guides/ccda2/temp
find . -type f -delete
cd ../../..
cd publish
find . -type f -delete
cd ..

In order to reproduce it, do this:

  • clone from repo https://github.com/hl7-fhir/fhir-svn a version that fails the build. For example 763062a19064a74bd27aacaabb7e5740d7702931. Of course it is OK if the build fails. That is not the problem here.

  • From a terminal in macOS or Linux, run the build process by calling ./publish.sh

  • Wait while the script is running. At some moment some of the artifacts will not be built and the build process aborts. Observe the error message. This is not a problem, it is just part of the scenario.

  • Now clean your home directory by executing ./clean.sh

  • Wait while your $HOME is being deleted. This happens because the script cd’s to nonexistent directories, then cd … several times through the root directory, and after that find . -delete all the files.

  • When the script finishes, observe how your $HOME directory is gone. This confirms the issue.

This script, written in the careless way it is written, falls in the definition of malware. Please google the definition in case of doubt.

Since I do not have commit credentials in the repository https://github.com/hl7-fhir/fhir-svn, I cannot help and fix this evil script. I suggest someone with write access does it.

PS: Please do not delete my community account again. I am working with this project because we are adopting FHIR at the company I am working at now. I encourage you all to behave like professionals. Take the feedback and fix the problem.

Thanks.
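
The failure mode described in post #3 (a `cd` that fails, followed by a relative delete and `cd ..`) can be avoided by never changing directory at all. The script below is an added example, not part of the original thread and not the project's own code; the function name `clean_tree`, the `--run` switch, and the use of `publish.sh` as a marker for the repository root are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not the project's script): delete build output using
# absolute paths only, so a missing directory can never redirect the delete.
set -eu

# Directories named in the clean.sh quoted above, relative to the repo root.
CLEAN_DIRS="temp guides/ccda2/output guides/ccda2/qa guides/ccda2/temp publish"

# clean_tree ROOT: remove build files below ROOT and nowhere else.
# Prints one line per listed directory that does not exist.
clean_tree() {
    root=$1
    [ -n "$root" ] && [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
    root=$(cd "$root" && pwd -P)    # resolved in a subshell; caller's cwd is untouched

    # Assumption: publish.sh sits in the repository root. Refuse any other tree.
    [ -f "$root/publish.sh" ] || { echo "no publish.sh in $root, refusing" >&2; return 1; }

    # Patterns are quoted so the shell does not expand them before find runs.
    find "$root" -type f \( -name '*bak' -o -name '*class' \) -delete

    for d in $CLEAN_DIRS; do
        target=$root/$d
        if [ -d "$target" ]; then
            find "$target" -type f -delete
        else
            echo "skipped (missing): $d"
        fi
    done
}

# Only act when asked to, and only on the directory that holds this script.
if [ "${1:-}" = "--run" ]; then
    clean_tree "$(dirname "$0")"
fi
```

A directory that was never created because the build aborted is reported and skipped, and nothing outside the resolved root is ever passed to `find`.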


#4

I have no idea what happened to your account. We don’t delete accounts unless they are genuine spammers. And I didn’t say that we wouldn’t fix the script. See the link I provided for further discussion. Looks like we’re just going to delete it (?)


#5

I looked: your account is not deleted.


#6

Today I recovered my $HOME. I will try tomorrow to login using the old account from the recovered workstation.


#7

I confirm my work account is not deleted. Thanks for the clarification.

I observed the script clean.sh is still around? If you receive pull requests I could help with it.