runtime: nash look for paths is unsafe

Question

runtime: nash look for paths is unsafe

i4ki opened this issue 8 years ago · 3 comments

Nash is using os/exec.LookPath of Go to look for paths of commands, but this implementation interprets "" (empty path) as "." in the variable $PATH and this could lead to unexpected behaviours and/or malicious code execution.

Better to create our own LookPath implementation being explicit about path names (ignoring empty paths on it).

Answer 1 · 2017-02-21T13:39:17.000Z

Would it not be easier to just remove any "" before calling LookPath ? I agree with removing this oddity x_x

Answer 2 · 2017-02-21T14:10:38.000Z

There's more oddities that I just found... The LookPath implementation for windows uses the "." implicitly also (but there's no way to avoid in this case). This is weird and make nash works differently across operating systems.
When I saw os/exec.LookPath in godoc for the first time I thought it had the same semantics in all OS.. but no.

https://github.com/golang/go/blob/master/src/os/exec/lp_windows.go#L83
https://golang.org/pkg/os/exec/#LookPath

Answer 3 · 2017-02-21T17:22:58.000Z

@tiago4orion well, given these last facts I agree with not using LookPath 👍