aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Muré <batolettre@gmail.com>2021-03-21 22:41:50 +0100
committerGitHub <noreply@github.com>2021-03-21 22:41:50 +0100
commit01b949091290a3bfd5870c6457c941db1abf3d67 (patch)
treee4e34fab94fbad2fc54290d1da490b84a4ba9932
parent52df5a1f1199d085b2bb10fb7ed5599dcb8307c4 (diff)
parent9434d2ea5c6da5e856d0bbb02046a5886dfaa600 (diff)
downloadgit-bug-01b949091290a3bfd5870c6457c941db1abf3d67.tar.gz
Merge pull request #604 from MichaelMure/sec-issue
repo: fix security issue that could lead to arbitrary code execution
-rw-r--r--go.mod2
-rw-r--r--go.sum2
-rw-r--r--repository/git_cli.go5
-rw-r--r--repository/gogit.go4
4 files changed, 8 insertions, 5 deletions
diff --git a/go.mod b/go.mod
index 1f8ea230..8f3d418e 100644
--- a/go.mod
+++ b/go.mod
@@ -37,7 +37,7 @@ require (
golang.org/x/net v0.0.0-20201024042810-be3efd7ff127 // indirect
golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43
golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208
- golang.org/x/sys v0.0.0-20201020230747-6e5568b54d1a // indirect
+ golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4
golang.org/x/text v0.3.5
golang.org/x/time v0.0.0-20200630173020-3af7569d3a1e // indirect
google.golang.org/appengine v1.6.7 // indirect
diff --git a/go.sum b/go.sum
index 96040929..57d1a0a3 100644
--- a/go.sum
+++ b/go.sum
@@ -628,6 +628,8 @@ golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7w
golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20201020230747-6e5568b54d1a h1:e3IU37lwO4aq3uoRKINC7JikojFmE5gO7xhfxs8VC34=
golang.org/x/sys v0.0.0-20201020230747-6e5568b54d1a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4 h1:EZ2mChiOa8udjfp6rRmswTbtZN/QzUQp4ptM4rnjHvc=
+golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
diff --git a/repository/git_cli.go b/repository/git_cli.go
index 085b1cda..21cc40e2 100644
--- a/repository/git_cli.go
+++ b/repository/git_cli.go
@@ -4,8 +4,9 @@ import (
"bytes"
"fmt"
"io"
- "os/exec"
"strings"
+
+ "golang.org/x/sys/execabs"
)
// gitCli is a helper to launch CLI git commands
@@ -21,7 +22,7 @@ func (cli gitCli) runGitCommandWithIO(stdin io.Reader, stdout, stderr io.Writer,
// fmt.Printf("[%s] Running git %s\n", path, strings.Join(args, " "))
- cmd := exec.Command("git", args...)
+ cmd := execabs.Command("git", args...)
cmd.Dir = path
cmd.Stdin = stdin
cmd.Stdout = stdout
diff --git a/repository/gogit.go b/repository/gogit.go
index bdac259d..f2d2b57e 100644
--- a/repository/gogit.go
+++ b/repository/gogit.go
@@ -5,7 +5,6 @@ import (
"fmt"
"io/ioutil"
"os"
- "os/exec"
"path/filepath"
"sort"
"strings"
@@ -20,6 +19,7 @@ import (
"github.com/go-git/go-git/v5/plumbing"
"github.com/go-git/go-git/v5/plumbing/filemode"
"github.com/go-git/go-git/v5/plumbing/object"
+ "golang.org/x/sys/execabs"
"github.com/MichaelMure/git-bug/util/lamport"
)
@@ -261,7 +261,7 @@ func (repo *GoGitRepo) GetCoreEditor() (string, error) {
}
for _, cmd := range priorities {
- if _, err = exec.LookPath(cmd); err == nil {
+ if _, err = execabs.LookPath(cmd); err == nil {
return cmd, nil
}