pax_global_header00006660000000000000000000000064137525340170014521gustar00rootroot0000000000000052 comment=da4a52724cee03728ddd794f552946e2f89f2008 safeexec-1.0.0/000077500000000000000000000000001375253401700133025ustar00rootroot00000000000000safeexec-1.0.0/.github/000077500000000000000000000000001375253401700146425ustar00rootroot00000000000000safeexec-1.0.0/.github/workflows/000077500000000000000000000000001375253401700166775ustar00rootroot00000000000000safeexec-1.0.0/.github/workflows/go.yml000066400000000000000000000010321375253401700200230ustar00rootroot00000000000000name: Go on: [push, pull_request] jobs: build: name: Build strategy: fail-fast: false matrix: os: [ubuntu-latest, windows-latest] go: [1.13, 1.14, 1.15] runs-on: ${{matrix.os}} steps: - name: Set up Go uses: actions/setup-go@v2 with: go-version: ^${{matrix.go}} - name: Check out code into the Go module directory uses: actions/checkout@v2 - name: Get dependencies run: go get -v -t -d ./... - name: Test run: go test -v . safeexec-1.0.0/LICENSE000066400000000000000000000024511375253401700143110ustar00rootroot00000000000000BSD 2-Clause License Copyright (c) 2020, GitHub Inc. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. safeexec-1.0.0/README.md000066400000000000000000000032131375253401700145600ustar00rootroot00000000000000# safeexec A Go module that provides a safer alternative to `exec.LookPath()` on Windows. The following, relatively common approach to running external commands has a subtle vulnerability on Windows: ```go import "os/exec" func gitStatus() error { // On Windows, this will result in `.\git.exe` or `.\git.bat` being executed // if either were found in the current working directory. cmd := exec.Command("git", "status") return cmd.Run() } ``` Searching the current directory (surprising behavior) before searching folders listed in the PATH environment variable (expected behavior) seems to be intended in Go and unlikely to be changed: https://github.com/golang/go/issues/38736 Since Go does not provide a version of [`exec.LookPath()`](https://golang.org/pkg/os/exec/#LookPath) that only searches PATH and does not search the current working directory, this module provides a `LookPath` function that works consistently across platforms. Example use: ```go import ( "os/exec" "github.com/cli/safeexec" ) func gitStatus() error { gitBin, err := safeexec.LookPath("git") if err != nil { return err } cmd := exec.Command(gitBin, "status") return cmd.Run() } ``` ## TODO Ideally, this module would also provide `exec.Command()` and `exec.CommandContext()` equivalents that delegate to the patched version of `LookPath`. However, this doesn't seem possible since `LookPath` may return an error, while `exec.Command/CommandContext()` themselves do not return an error. In the standard library, the resulting `exec.Cmd` struct stores the LookPath error in a private field, but that functionality isn't available to us. safeexec-1.0.0/_fixtures/000077500000000000000000000000001375253401700153125ustar00rootroot00000000000000safeexec-1.0.0/_fixtures/cwd/000077500000000000000000000000001375253401700160675ustar00rootroot00000000000000safeexec-1.0.0/_fixtures/cwd/ls000066400000000000000000000000001375253401700164160ustar00rootroot00000000000000safeexec-1.0.0/_fixtures/cwd/ls.bat000066400000000000000000000000001375253401700171630ustar00rootroot00000000000000safeexec-1.0.0/_fixtures/cwd/ls.exe000066400000000000000000000000001375253401700171760ustar00rootroot00000000000000safeexec-1.0.0/_fixtures/system/000077500000000000000000000000001375253401700166365ustar00rootroot00000000000000safeexec-1.0.0/_fixtures/system/ls000077500000000000000000000000001375253401700171700ustar00rootroot00000000000000safeexec-1.0.0/_fixtures/system/ls.bat000077500000000000000000000000001375253401700177350ustar00rootroot00000000000000safeexec-1.0.0/_fixtures/system/ls.exe000077500000000000000000000000001375253401700177500ustar00rootroot00000000000000safeexec-1.0.0/go.mod000066400000000000000000000000501375253401700144030ustar00rootroot00000000000000module github.com/cli/safeexec go 1.15 safeexec-1.0.0/lookpath.go000066400000000000000000000002031375253401700154450ustar00rootroot00000000000000// +build !windows package safeexec import "os/exec" func LookPath(file string) (string, error) { return exec.LookPath(file) } safeexec-1.0.0/lookpath_test.go000066400000000000000000000052541375253401700165170ustar00rootroot00000000000000package safeexec import ( "errors" "os" "os/exec" "path/filepath" "runtime" "strings" "testing" ) func TestLookPath(t *testing.T) { root, wderr := os.Getwd() if wderr != nil { t.Fatal(wderr) } paths := []string{ filepath.Join(root, "_fixtures", "nonexist"), filepath.Join(root, "_fixtures", "system"), } os.Setenv("PATH", strings.Join(paths, string(filepath.ListSeparator))) if err := os.Chdir(filepath.Join(root, "_fixtures", "cwd")); err != nil { t.Fatal(err) } testCases := []struct { desc string pathext string arg string wants string wantErr bool }{ { desc: "no extension", pathext: "", arg: "ls", wants: filepath.Join(root, "_fixtures", "system", "ls"+winonly(".exe")), wantErr: false, }, { desc: "with extension", pathext: "", arg: "ls.exe", wants: filepath.Join(root, "_fixtures", "system", "ls.exe"), wantErr: false, }, { desc: "with path", pathext: "", arg: filepath.Join("..", "system", "ls"), wants: filepath.Join("..", "system", "ls"+winonly(".exe")), wantErr: false, }, { desc: "with path+extension", pathext: "", arg: filepath.Join("..", "system", "ls.bat"), wants: filepath.Join("..", "system", "ls.bat"), wantErr: false, }, { desc: "no extension, PATHEXT", pathext: ".com;.bat", arg: "ls", wants: filepath.Join(root, "_fixtures", "system", "ls"+winonly(".bat")), wantErr: false, }, { desc: "with extension, PATHEXT", pathext: ".com;.bat", arg: "ls.exe", wants: filepath.Join(root, "_fixtures", "system", "ls.exe"), wantErr: false, }, { desc: "no extension, not found", pathext: "", arg: "cat", wants: "", wantErr: true, }, { desc: "with extension, not found", pathext: "", arg: "cat.exe", wants: "", wantErr: true, }, { desc: "no extension, PATHEXT, not found", pathext: ".com;.bat", arg: "cat", wants: "", wantErr: true, }, { desc: "with extension, PATHEXT, not found", pathext: ".com;.bat", arg: "cat.exe", wants: "", wantErr: true, }, } for _, tC := range testCases { t.Run(tC.desc, func(t *testing.T) { os.Setenv("PATHEXT", tC.pathext) got, err := LookPath(tC.arg) if tC.wantErr != (err != nil) { t.Errorf("expects error: %v, got: %v", tC.wantErr, err) } if err != nil && !errors.Is(err, exec.ErrNotFound) { t.Errorf("expected exec.ErrNotFound; got %#v", err) } if got != tC.wants { t.Errorf("expected result %q, got %q", tC.wants, got) } }) } } func winonly(s string) string { if runtime.GOOS == "windows" { return s } return "" } safeexec-1.0.0/lookpath_windows.go000066400000000000000000000071021375253401700172240ustar00rootroot00000000000000// Copyright (c) 2009 The Go Authors. All rights reserved. // // Redistribution and use in source and binary forms, with or without // modification, are permitted provided that the following conditions are // met: // // * Redistributions of source code must retain the above copyright // notice, this list of conditions and the following disclaimer. // * Redistributions in binary form must reproduce the above // copyright notice, this list of conditions and the following disclaimer // in the documentation and/or other materials provided with the // distribution. // * Neither the name of Google Inc. nor the names of its // contributors may be used to endorse or promote products derived from // this software without specific prior written permission. // // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR // A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT // OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, // SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT // LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, // DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. // Package safeexec provides alternatives for exec package functions to avoid // accidentally executing binaries found in the current working directory on // Windows. package safeexec import ( "os" "os/exec" "path/filepath" "strings" ) func chkStat(file string) error { d, err := os.Stat(file) if err != nil { return err } if d.IsDir() { return os.ErrPermission } return nil } func hasExt(file string) bool { i := strings.LastIndex(file, ".") if i < 0 { return false } return strings.LastIndexAny(file, `:\/`) < i } func findExecutable(file string, exts []string) (string, error) { if len(exts) == 0 { return file, chkStat(file) } if hasExt(file) { if chkStat(file) == nil { return file, nil } } for _, e := range exts { if f := file + e; chkStat(f) == nil { return f, nil } } return "", os.ErrNotExist } // LookPath searches for an executable named file in the // directories named by the PATH environment variable. // If file contains a slash, it is tried directly and the PATH is not consulted. // LookPath also uses PATHEXT environment variable to match // a suitable candidate. // The result may be an absolute path or a path relative to the current directory. func LookPath(file string) (string, error) { var exts []string x := os.Getenv(`PATHEXT`) if x != "" { for _, e := range strings.Split(strings.ToLower(x), `;`) { if e == "" { continue } if e[0] != '.' { e = "." + e } exts = append(exts, e) } } else { exts = []string{".com", ".exe", ".bat", ".cmd"} } if strings.ContainsAny(file, `:\/`) { if f, err := findExecutable(file, exts); err == nil { return f, nil } else { return "", &exec.Error{file, err} } } // https://github.com/golang/go/issues/38736 // if f, err := findExecutable(filepath.Join(".", file), exts); err == nil { // return f, nil // } path := os.Getenv("path") for _, dir := range filepath.SplitList(path) { if f, err := findExecutable(filepath.Join(dir, file), exts); err == nil { return f, nil } } return "", &exec.Error{file, exec.ErrNotFound} }