Privacy issues with SponsorLink, starting from version 4.20

[GeorgDangl]

There's a related discussion on Reddit: https://www.reddit.com/r/dotnet/comments/15ljdcc/does_moq_in_its_latest_version_extract_and_send/

It seems that starting from version 4.20, SponsorLink is included. This is a closed-source project, provided as a dll with obfuscated code, which seems to at least scan local data (git config?) and sends the hashed email of the current developer to a cloud service. The scanning is provided as a .NET analyzer tool, which runs during the build. There is no option to disable this.

I can understand the reasoning behind it, but this is honestly pretty scary from a privacy standpoint.

Any chance this can be reverted?

[baynezy]

This is a nightmare. I'm going to have to swap out Moq everywhere. I'm more than happy for Open Source maintainers to get financial support, but harvesting my details underhandedly is completely unacceptable.

I can't build secure software with this embedded in the testing code.

[njannink]

Harvesting developer email addresses without any policy / UELA acceptance is against GDPR regulations. Moq won't be usable anymore within any EU company

[LarsWesselius]

I love Moq but this is a no-go for my personal projects and more importantly, most likely a no-go for the large company I work at. Thanks for the effort over the years & hope this can be reverted

[gortok]

I work with clients who (for security reasons) proxy and host their own internal repositories for packages; and disallow unauthorized communication from inside their firewalls; this is going to probably cause Moq to be pulled from some of these clients' list of trusted packages. I know for my part I will now have to caution clients I work with against using Moq, particularly because of the unauthorized communication.

[d0pare]

So I did some decompiling and found that the library spawns external git process to get your email and does some hashing and sends to https://cdn.devlooped.com/sponsorlink.

private static string \u00a0(string P_0)
{
	try
	{
		Process process = Process.Start(new ProcessStartInfo(
6FA47342-3716-4274-AF01-7A37793E0E97.\u206f(), // this is obfuscated value of "git"
6FA47342-3716-4274-AF01-7A37793E0E97.\u3000() // this is obfuscated value of "config --get user.email"
)
		{
			RedirectStandardOutput = true,
			UseShellExecute = false,
			CreateNoWindow = true,
			WorkingDirectory = P_0
		});
		process.WaitForExit();
		if (process.ExitCode != 0)
		{
			return null;
		}
		return process.StandardOutput.ReadToEnd().Trim();
	}
	catch
	{
	}
	return null;
}

[njannink]

Im actually surprised that Visual Studio analyzers support process spawning. Seems like a huge security flaw to me

[fabricioferreira]

Just came to know about that and I'm already sad. This is a serious GDPR breach, and we won't be able to continue using this lib.
Also, having an obfuscated package included means that we can't (easily) know what is happening. It could harvest any other information from a developer's machine without any user consent.
Remember that a big number of developers are still running Visual Studio and Rider in an elevated process.

[PureKrome]

Was this evil-package included "by design"? is it mentioned anywhere in readme's or summaries?

how long was this part of the system.

EDIT: I even feel like this is a massive troll -> the version number (urgh .. internet, really?) + this vomit-ware dependency...