authorMichael Muré <batolettre@gmail.com>2021-03-21 22:37:19 +0100
committerMichael Muré <batolettre@gmail.com>2021-03-21 22:37:19 +0100
commit9434d2ea5c6da5e856d0bbb02046a5886dfaa600 (patch)
treee4e34fab94fbad2fc54290d1da490b84a4ba9932
parent52df5a1f1199d085b2bb10fb7ed5599dcb8307c4 (diff)
repo: fix security issue that could lead to arbitrary code execution
see https://blog.golang.org/path-security for details
-rw-r--r--go.mod2
-rw-r--r--go.sum2
-rw-r--r--repository/git_cli.go5
-rw-r--r--repository/gogit.go4
4 files changed, 8 insertions, 5 deletions
diff --git a/go.mod b/go.mod
index 1f8ea230..8f3d418e 100644
--- a/go.mod
+++ b/go.mod
@@ -37,7 +37,7 @@ require (
golang.org/x/net v0.0.0-20201024042810-be3efd7ff127 // indirect
golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43
golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208
- golang.org/x/sys v0.0.0-20201020230747-6e5568b54d1a // indirect
+ golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4
golang.org/x/text v0.3.5
golang.org/x/time v0.0.0-20200630173020-3af7569d3a1e // indirect
google.golang.org/appengine v1.6.7 // indirect
diff --git a/go.sum b/go.sum
index 96040929..57d1a0a3 100644
--- a/go.sum
+++ b/go.sum
@@ -628,6 +628,8 @@ golang.org/x/sys v0.0.0-20200803210538-64077c9b5642/go.mod h1:h1NjWce9XRLGQEsW7w
golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20201020230747-6e5568b54d1a h1:e3IU37lwO4aq3uoRKINC7JikojFmE5gO7xhfxs8VC34=
golang.org/x/sys v0.0.0-20201020230747-6e5568b54d1a/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4 h1:EZ2mChiOa8udjfp6rRmswTbtZN/QzUQp4ptM4rnjHvc=
+golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
diff --git a/repository/git_cli.go b/repository/git_cli.go
index 085b1cda..21cc40e2 100644
--- a/repository/git_cli.go
+++ b/repository/git_cli.go
@@ -4,8 +4,9 @@ import (
"bytes"
"fmt"
"io"
- "os/exec"
"strings"
+
+ "golang.org/x/sys/execabs"
)
// gitCli is a helper to launch CLI git commands
@@ -21,7 +22,7 @@ func (cli gitCli) runGitCommandWithIO(stdin io.Reader, stdout, stderr io.Writer,
// fmt.Printf("[%s] Running git %s\n", path, strings.Join(args, " "))
- cmd := exec.Command("git", args...)
+ cmd := execabs.Command("git", args...)
cmd.Dir = path
cmd.Stdin = stdin
cmd.Stdout = stdout
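Review bot: The new `cmd := execabs.Command("git", args...)` line carries no comment explaining why execabs is used instead of os/exec, so a later cleanup or dependency trim could swap it back and silently reopen the issue this commit fixes. I would put a why-comment directly above it, e.g. `// execabs only accepts executables resolved to an absolute path, so a "git" binary sitting in the working directory is never run (see https://blog.golang.org/path-security); do not revert to os/exec.` The same note applies to the `execabs.LookPath(cmd)` call in repository/gogit.go's GetCoreEditor, which is the other place the commit touches. The commented-out `// fmt.Printf(...)` debug line just above could be dropped while here. runGitCommandWithIO starts before this hunk and continues after it.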
diff --git a/repository/gogit.go b/repository/gogit.go
index bdac259d..f2d2b57e 100644
--- a/repository/gogit.go
+++ b/repository/gogit.go
@@ -5,7 +5,6 @@ import (
"fmt"
"io/ioutil"
"os"
- "os/exec"
"path/filepath"
"sort"
"strings"
@@ -20,6 +19,7 @@ import (
"github.com/go-git/go-git/v5/plumbing"
"github.com/go-git/go-git/v5/plumbing/filemode"
"github.com/go-git/go-git/v5/plumbing/object"
+ "golang.org/x/sys/execabs"
"github.com/MichaelMure/git-bug/util/lamport"
)
@@ -261,7 +261,7 @@ func (repo *GoGitRepo) GetCoreEditor() (string, error) {
}
for _, cmd := range priorities {
- if _, err = exec.LookPath(cmd); err == nil {
+ if _, err = execabs.LookPath(cmd); err == nil {
return cmd, nil
}