Submitting review 6a274cc
Require `git` to be run from a trusted path

On Windows, the current working directory is searched for a matching executable before the rest of the user's path.

This causes a potential issue where running `git appraise` from within a directory that has an executable file matching the command `git` will cause that (untrusted) file to be invoked instead of the expected `git` executable when `git-appraise` attempts to shell out to `git`.

This change prevents that by using the new `execabs` package instead of `os/exec`. With this change, that scenario would cause `git appraise` to report an error rather than invoking the wrong `git` binary.

More background on the related issue [here](https://blog.golang.org/path-security)
ojarjur committed Apr 22, 2021
2 parents d586caf + 6a274cc commit 4705473
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion repository/git.go
Expand Up @@ -25,7 +25,7 @@ import (
"fmt"
"io"
"os"
"os/exec"
exec "golang.org/x/sys/execabs"
"sort"
"strconv"
"strings"