pax_global_header00006660000000000000000000000064143456461300014520gustar00rootroot0000000000000052 comment=df52b7a548d8476be1ec3ed3fd70d1aaeca28dbb safeexec-1.0.1/000077500000000000000000000000001434564613000133025ustar00rootroot00000000000000safeexec-1.0.1/.github/000077500000000000000000000000001434564613000146425ustar00rootroot00000000000000safeexec-1.0.1/.github/workflows/000077500000000000000000000000001434564613000166775ustar00rootroot00000000000000safeexec-1.0.1/.github/workflows/go.yml000066400000000000000000000010701434564613000200250ustar00rootroot00000000000000name: Go on: [push, pull_request] jobs: build: name: Build strategy: fail-fast: false matrix: os: [ubuntu-latest, windows-latest] go: [1.13, 1.14, 1.15, 1.16, 1.17, 1.18, 1.19, 1.20] runs-on: ${{matrix.os}} steps: - name: Set up Go uses: actions/setup-go@v2 with: go-version: ^${{matrix.go}} - name: Check out code into the Go module directory uses: actions/checkout@v2 - name: Get dependencies run: go get -v -t -d ./... - name: Test run: go test -v . safeexec-1.0.1/LICENSE000066400000000000000000000024511434564613000143110ustar00rootroot00000000000000BSD 2-Clause License Copyright (c) 2020, GitHub Inc. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. safeexec-1.0.1/README.md000066400000000000000000000042631434564613000145660ustar00rootroot00000000000000# safeexec A Go module that provides a stabler alternative to `exec.LookPath()` that: - Avoids a Windows security risk of executing commands found in the current directory; and - Allows executing commands found in PATH, even if they come from relative PATH entries. This is an alternative to [`golang.org/x/sys/execabs`](https://pkg.go.dev/golang.org/x/sys/execabs). ## Usage ```go import ( "os/exec" "github.com/cli/safeexec" ) func gitStatus() error { gitBin, err := safeexec.LookPath("git") if err != nil { return err } cmd := exec.Command(gitBin, "status") return cmd.Run() } ``` ## Background ### Windows security vulnerability with Go <= 1.18 Go 1.18 (and older) standard library has a security vulnerability when executing programs: ```go import "os/exec" func gitStatus() error { // On Windows, this will result in `.\git.exe` or `.\git.bat` being executed // if either were found in the current working directory. cmd := exec.Command("git", "status") return cmd.Run() } ``` For historic reasons, Go used to implicitly [include the current directory](https://github.com/golang/go/issues/38736) in the PATH resolution on Windows. The `safeexec` package avoids searching the current directory on Windows. ### Relative PATH entries with Go 1.19+ Go 1.19 (and newer) standard library [throws an error](https://github.com/golang/go/issues/43724) if `exec.LookPath("git")` resolved to an executable relative to the current directory. This can happen on other platforms if the PATH environment variable contains relative entries, e.g. `PATH=./bin:$PATH`. The `safeexec` package allows respecting relative PATH entries as it assumes that the responsibility for keeping PATH safe lies outside of the Go program. ## TODO Ideally, this module would also provide `exec.Command()` and `exec.CommandContext()` equivalents that delegate to the patched version of `LookPath`. However, this doesn't seem possible since `LookPath` may return an error, while `exec.Command/CommandContext()` themselves do not return an error. In the standard library, the resulting `exec.Cmd` struct stores the LookPath error in a private field, but that functionality isn't available to us. safeexec-1.0.1/_fixtures/000077500000000000000000000000001434564613000153125ustar00rootroot00000000000000safeexec-1.0.1/_fixtures/cwd/000077500000000000000000000000001434564613000160675ustar00rootroot00000000000000safeexec-1.0.1/_fixtures/cwd/ls000066400000000000000000000000001434564613000164160ustar00rootroot00000000000000safeexec-1.0.1/_fixtures/cwd/ls.bat000066400000000000000000000000001434564613000171630ustar00rootroot00000000000000safeexec-1.0.1/_fixtures/cwd/ls.exe000066400000000000000000000000001434564613000171760ustar00rootroot00000000000000safeexec-1.0.1/_fixtures/system/000077500000000000000000000000001434564613000166365ustar00rootroot00000000000000safeexec-1.0.1/_fixtures/system/ls000077500000000000000000000000001434564613000171700ustar00rootroot00000000000000safeexec-1.0.1/_fixtures/system/ls.bat000077500000000000000000000000001434564613000177350ustar00rootroot00000000000000safeexec-1.0.1/_fixtures/system/ls.exe000077500000000000000000000000001434564613000177500ustar00rootroot00000000000000safeexec-1.0.1/go.mod000066400000000000000000000000501434564613000144030ustar00rootroot00000000000000module github.com/cli/safeexec go 1.15 safeexec-1.0.1/lookpath.go000066400000000000000000000004071434564613000154530ustar00rootroot00000000000000//go:build !windows && go1.19 // +build !windows,go1.19 package safeexec import ( "errors" "os/exec" ) func LookPath(file string) (string, error) { path, err := exec.LookPath(file) if errors.Is(err, exec.ErrDot) { return path, nil } return path, err } safeexec-1.0.1/lookpath_1.18.go000066400000000000000000000002521434564613000161200ustar00rootroot00000000000000//go:build !windows && !go1.19 // +build !windows,!go1.19 package safeexec import "os/exec" func LookPath(file string) (string, error) { return exec.LookPath(file) } safeexec-1.0.1/lookpath_test.go000066400000000000000000000075561434564613000165260ustar00rootroot00000000000000package safeexec import ( "errors" "os" "os/exec" "path/filepath" "runtime" "strings" "testing" ) func TestLookPath(t *testing.T) { root, wderr := os.Getwd() if wderr != nil { t.Fatal(wderr) } if err := os.Chdir(filepath.Join(root, "_fixtures", "cwd")); err != nil { t.Fatal(err) } testCases := []struct { desc string path []string pathext string arg string wants string wantErr bool }{ { desc: "no extension", path: []string{ filepath.Join(root, "_fixtures", "nonexist"), filepath.Join(root, "_fixtures", "system"), }, pathext: "", arg: "ls", wants: filepath.Join(root, "_fixtures", "system", "ls"+winonly(".exe")), wantErr: false, }, { desc: "with extension", path: []string{filepath.Join(root, "_fixtures", "system")}, pathext: "", arg: "ls.exe", wants: filepath.Join(root, "_fixtures", "system", "ls.exe"), wantErr: false, }, { desc: "with path", path: []string{filepath.Join(root, "_fixtures", "system")}, pathext: "", arg: filepath.Join("..", "system", "ls"), wants: filepath.Join("..", "system", "ls"+winonly(".exe")), wantErr: false, }, { desc: "with path+extension", path: []string{filepath.Join(root, "_fixtures", "system")}, pathext: "", arg: filepath.Join("..", "system", "ls.bat"), wants: filepath.Join("..", "system", "ls.bat"), wantErr: false, }, { desc: "no extension, PATHEXT", path: []string{filepath.Join(root, "_fixtures", "system")}, pathext: ".com;.bat", arg: "ls", wants: filepath.Join(root, "_fixtures", "system", "ls"+winonly(".bat")), wantErr: false, }, { desc: "with extension, PATHEXT", path: []string{filepath.Join(root, "_fixtures", "system")}, pathext: ".com;.bat", arg: "ls.exe", wants: filepath.Join(root, "_fixtures", "system", "ls.exe"), wantErr: false, }, { desc: "no extension, not found", path: []string{ filepath.Join(root, "_fixtures", "nonexist"), filepath.Join(root, "_fixtures", "system"), }, pathext: "", arg: "cat", wants: "", wantErr: true, }, { desc: "with extension, not found", path: []string{filepath.Join(root, "_fixtures", "system")}, pathext: "", arg: "cat.exe", wants: "", wantErr: true, }, { desc: "no extension, PATHEXT, not found", path: []string{filepath.Join(root, "_fixtures", "system")}, pathext: ".com;.bat", arg: "cat", wants: "", wantErr: true, }, { desc: "with extension, PATHEXT, not found", path: []string{filepath.Join(root, "_fixtures", "system")}, pathext: ".com;.bat", arg: "cat.exe", wants: "", wantErr: true, }, { desc: "relative path", path: []string{filepath.Join("..", "system")}, pathext: "", arg: "ls", wants: filepath.Join("..", "system", "ls"+winonly(".exe")), wantErr: false, }, } for _, tC := range testCases { t.Run(tC.desc, func(t *testing.T) { setenv(t, "PATH", strings.Join(tC.path, string(filepath.ListSeparator))) setenv(t, "PATHEXT", tC.pathext) got, err := LookPath(tC.arg) if tC.wantErr != (err != nil) { t.Errorf("expects error: %v, got: %v", tC.wantErr, err) } if err != nil && !errors.Is(err, exec.ErrNotFound) { t.Errorf("expected exec.ErrNotFound; got %#v", err) } if got != tC.wants { t.Errorf("expected result %q, got %q", tC.wants, got) } }) } } func setenv(t *testing.T, name, newValue string) { oldValue, hasOldValue := os.LookupEnv(name) if err := os.Setenv(name, newValue); err != nil { t.Errorf("error setting environment variable %s: %v", name, err) } t.Cleanup(func() { if hasOldValue { _ = os.Setenv(name, oldValue) } else { _ = os.Unsetenv(name) } }) } func winonly(s string) string { if runtime.GOOS == "windows" { return s } return "" } safeexec-1.0.1/lookpath_windows.go000066400000000000000000000071021434564613000172240ustar00rootroot00000000000000// Copyright (c) 2009 The Go Authors. All rights reserved. // // Redistribution and use in source and binary forms, with or without // modification, are permitted provided that the following conditions are // met: // // * Redistributions of source code must retain the above copyright // notice, this list of conditions and the following disclaimer. // * Redistributions in binary form must reproduce the above // copyright notice, this list of conditions and the following disclaimer // in the documentation and/or other materials provided with the // distribution. // * Neither the name of Google Inc. nor the names of its // contributors may be used to endorse or promote products derived from // this software without specific prior written permission. // // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR // A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT // OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, // SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT // LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, // DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT // (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE // OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. // Package safeexec provides alternatives for exec package functions to avoid // accidentally executing binaries found in the current working directory on // Windows. package safeexec import ( "os" "os/exec" "path/filepath" "strings" ) func chkStat(file string) error { d, err := os.Stat(file) if err != nil { return err } if d.IsDir() { return os.ErrPermission } return nil } func hasExt(file string) bool { i := strings.LastIndex(file, ".") if i < 0 { return false } return strings.LastIndexAny(file, `:\/`) < i } func findExecutable(file string, exts []string) (string, error) { if len(exts) == 0 { return file, chkStat(file) } if hasExt(file) { if chkStat(file) == nil { return file, nil } } for _, e := range exts { if f := file + e; chkStat(f) == nil { return f, nil } } return "", os.ErrNotExist } // LookPath searches for an executable named file in the // directories named by the PATH environment variable. // If file contains a slash, it is tried directly and the PATH is not consulted. // LookPath also uses PATHEXT environment variable to match // a suitable candidate. // The result may be an absolute path or a path relative to the current directory. func LookPath(file string) (string, error) { var exts []string x := os.Getenv(`PATHEXT`) if x != "" { for _, e := range strings.Split(strings.ToLower(x), `;`) { if e == "" { continue } if e[0] != '.' { e = "." + e } exts = append(exts, e) } } else { exts = []string{".com", ".exe", ".bat", ".cmd"} } if strings.ContainsAny(file, `:\/`) { if f, err := findExecutable(file, exts); err == nil { return f, nil } else { return "", &exec.Error{file, err} } } // https://github.com/golang/go/issues/38736 // if f, err := findExecutable(filepath.Join(".", file), exts); err == nil { // return f, nil // } path := os.Getenv("path") for _, dir := range filepath.SplitList(path) { if f, err := findExecutable(filepath.Join(dir, file), exts); err == nil { return f, nil } } return "", &exec.Error{file, exec.ErrNotFound} }