Commit

Use golang.org/x/sys/execabs instead of os/exec
On Windows, the os/exec.{Command,CommandContext,LookPath} functions resolve command
names that have neither path separators nor file extension (e.g., "git") by first
looking in the current working directory before looking in the PATH environment
variable.
Go maintainers intended to match cmd.exe's historical behavior.

However, this is pretty much never the intended behavior, and out of an abundance of
precaution this patch prevents that when executing commands.

This patch was prompted by the [Go 1.15.7 security fixes](https://blog.golang.org/path-security).

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
thaJeztah committed Feb 10, 2021
1 parent a38e1dc commit f2a5645
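
The lookup behavior the commit message describes can be reproduced and guarded against with the added example below. It is not code from this commit or from golang.org/x/sys/execabs. `safeLookPath`, `ErrRelativeResult`, `resolvePlanted` and the file name `constructed-tool` are hypothetical, and the scenario assumes a Unix-like system where putting "." on PATH stands in for the Windows working-directory lookup.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
)

// ErrRelativeResult is a hypothetical sentinel error for this example.
var ErrRelativeResult = errors.New("bare command name resolved to a relative path")

// safeLookPath (hypothetical helper) wraps os/exec.LookPath and refuses a bare
// name whose match is not absolute, i.e. found via the working directory.
func safeLookPath(name string) (string, error) {
	path, err := exec.LookPath(name)
	if filepath.Base(name) == name && path != "" && !filepath.IsAbs(path) {
		return "", fmt.Errorf("%w: %q -> %q", ErrRelativeResult, name, path)
	}
	return path, err
}

// resolvePlanted is a constructed scenario (Unix-like systems): an executable
// "constructed-tool" sits in the working directory, and PATH holds either "."
// (reproducing the working-directory lookup) or the directory's absolute path.
func resolvePlanted(cwdOnPath bool) (string, error) {
	dir, err := os.MkdirTemp("", "lookpath-demo")
	if err != nil {
		return "", err
	}
	defer os.RemoveAll(dir)
	tool := filepath.Join(dir, "constructed-tool")
	if err := os.WriteFile(tool, []byte("#!/bin/sh\n"), 0o755); err != nil {
		return "", err
	}
	oldWd, _ := os.Getwd()
	oldPath := os.Getenv("PATH")
	defer func() { os.Chdir(oldWd); os.Setenv("PATH", oldPath) }()
	os.Setenv("PATH", map[bool]string{true: ".", false: dir}[cwdOnPath])
	if err := os.Chdir(dir); err != nil {
		return "", err
	}
	return safeLookPath("constructed-tool")
}

func main() {
	fmt.Println(resolvePlanted(true))  // rejected: the match came from "."
	fmt.Println(resolvePlanted(false)) // accepted: absolute path to the tool
}
```
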
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion pkg/security/grantvmgroupaccess_test.go
Expand Up @@ -3,11 +3,12 @@ package security
import (
"io/ioutil"
"os"
"os/exec"
"path/filepath"
"regexp"
"strings"
"testing"

exec "golang.org/x/sys/execabs"
)

// TestGrantVmGroupAccess verifies for the three case of a file, a directory,
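
Review bot: the aliased import `exec "golang.org/x/sys/execabs"` at the end of the import block reuses the standard library's package name, so nothing at the call sites shows that the hardened lookup is in use and a later import cleanup could quietly restore `"os/exec"`. A one-line comment on the import explaining why execabs is required would protect against that. The page shows only one changed file, so it is also worth confirming that golang.org/x/sys is already required (and vendored, if the repository vendors) at a version that includes the execabs package. Since the only file touched is a `_test.go` file, please state in the commit message whether any non-test code in the repository calls os/exec and is covered elsewhere.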