safeexec
A Go module that provides a safer alternative to exec.LookPath()
on Windows.
The following, relatively common approach to running external commands has a subtle vulnerability on Windows:
import "os/exec"
func gitStatus() error {
// On Windows, this will result in `.\git.exe` or `.\git.bat` being executed
// if either were found in the current working directory.
cmd := exec.Command("git", "status")
return cmd.Run()
}
Searching the current directory (surprising behavior) before searching folders listed in the PATH environment variable (expected behavior) seems to be intended in Go and unlikely to be changed: https://github.com/golang/go/issues/38736
Since Go does not provide a version of exec.LookPath()
that only searches PATH and does not search the current working directory, this module provides a LookPath
function that works consistently across platforms.
Example use:
import (
"os/exec"
"github.com/cli/safeexec"
)
func gitStatus() error {
gitBin, err := safeexec.LookPath("git")
if err != nil {
return err
}
cmd := exec.Command(gitBin, "status")
return cmd.Run()
}
TODO
Ideally, this module would also provide exec.Command()
and exec.CommandContext()
equivalents that delegate to the patched version of LookPath
. However, this doesn't seem possible since LookPath
may return an error, while exec.Command/CommandContext()
themselves do not return an error. In the standard library, the resulting exec.Cmd
struct stores the LookPath error in a private field, but that functionality isn't available to us.