Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: CompileCommand may return extraneous files #281

Merged
merged 9 commits into from
Sep 19, 2024

Conversation

RomainMuller
Copy link
Contributor

In cases where an argument that is not positional ends with .go, the CompileCommand.GoFiles function might erroneously return that value as a source file to be compiled. This is for example the case when compiling the github.com/nats-io/nats.go package, as the -p argument has a value ending in .go.

To address this, this PR introduces a more reliable arguments parser that uses a generated parser (built using the standard flag package) based on the usage documentation found in the output of go tool <compile|link>, so that the flags are more clearly identified.

This replaces the old arguments parser, which is no longer used.

In cases where an argument that is not positional ends with `.go`, the
`CompileCommand.GoFiles` function might erroneously return that value
as a source file to be compiled. This is for example the case when
compiling the `github.com/nats-io/nats.go` package, as the `-p` argument
has a value ending in `.go`.

To address this, this PR introduces a more reliable arguments parser
that uses a generated parser (built using the standard `flag` package)
based on the usage documentation found in the output of
`go tool <compile|link>`, so that the flags are more clearly identified.

This replaces the old arguments parser, which is no longer used.
@RomainMuller RomainMuller requested a review from a team as a code owner September 18, 2024 14:34
log.Fatalln("Missing value for required -command flag")
}

cmd := exec.Command("go", "tool", command)

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 Code Vulnerability

Check command call and ensure there is no unsanitized data used. The variable `command` may need to be validated (...read more)

In Go, the exec.Command function is used to run external commands. Using this function carelessly can lead to command injection vulnerabilities.

Command injection occurs when untrusted input is passed directly to a system shell, allowing an attacker to execute arbitrary commands. This can result in unauthorized access to the system, data leaks, or other security breaches.

To prevent command injection vulnerabilities when using exec.Command in Go, follow these coding best practices:

  1. Sanitize User Input: Always validate and sanitize user inputs before passing them to exec.Command. Avoid executing commands constructed using user-provided data.
  2. Avoid using Shell Expansion: If possible, pass the command and arguments as separate strings to exec.Command. This prevents the shell from interpreting special characters in a potentially malicious way.
  3. Use Absolute Paths: When specifying the command to be executed, use absolute paths for executables whenever possible. This reduces the risk of inadvertently running a similarly named malicious command from the system's PATH.
  4. Avoid String Concatenation: Refrain from dynamically constructing commands by concatenating strings. Instead, use the arg ...string parameter of exec.Command to pass arguments safely.
  5. Limit Privileges: Run commands with the least privilege required to carry out the task. Avoid running commands with elevated privileges unnecessarily.

By following these practices, you can reduce the risk of command injection vulnerabilities when using exec.Command in Go and enhance the security of your application.

View in Datadog  Leave us feedback  Documentation

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This particular case should be fine ^^

@RomainMuller RomainMuller force-pushed the romain.marcadier/fix-bad-gofiles branch from 14a6359 to eff6079 Compare September 18, 2024 14:48
Copy link
Contributor

@eliottness eliottness left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have 2 concerns:

  • Are we sure we can trash the unknown arguments just like that?
  • I would expect at least 1 unit test of the code generated by the generator, on each go version in our matrix

internal/toolexec/proxy/generator/main.go Outdated Show resolved Hide resolved
internal/toolexec/proxy/generator/main.go Outdated Show resolved Hide resolved
internal/toolexec/proxy/generator/main.go Show resolved Hide resolved
internal/toolexec/proxy/generator/main.go Show resolved Hide resolved
internal/toolexec/proxy/generator/main.go Show resolved Hide resolved
internal/toolexec/proxy/generator/main.go Show resolved Hide resolved
internal/toolexec/proxy/link.go Outdated Show resolved Hide resolved
@eliottness
Copy link
Contributor

For examples things have already changes on my computer:
image

@eliottness
Copy link
Contributor

eliottness commented Sep 19, 2024

Same diff after I upgraded from go 1.22.6 to 1.23.1:
image

Which basically correspond to the number of cores on the PC who ran it so I am not surprised

@RomainMuller
Copy link
Contributor Author

The generation should be done only with the latest version of the compiler, as this could have more options than a previous one... I'm gonna look at having some meta somewhere that allows to make sure we don't "roll back" to an older compiler version.

The defaults being different based on the machine hardware/limits is a little annoying... I wonder what should be done (maybe special-case the known ones that are machine-dependent and just ignore them?)

log.Fatalln(err)
}

cmd = exec.Command("go", "tool", command)

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 Code Vulnerability

Check command call and ensure there is no unsanitized data used. The variable `command` may need to be validated (...read more)

In Go, the exec.Command function is used to run external commands. Using this function carelessly can lead to command injection vulnerabilities.

Command injection occurs when untrusted input is passed directly to a system shell, allowing an attacker to execute arbitrary commands. This can result in unauthorized access to the system, data leaks, or other security breaches.

To prevent command injection vulnerabilities when using exec.Command in Go, follow these coding best practices:

  1. Sanitize User Input: Always validate and sanitize user inputs before passing them to exec.Command. Avoid executing commands constructed using user-provided data.
  2. Avoid using Shell Expansion: If possible, pass the command and arguments as separate strings to exec.Command. This prevents the shell from interpreting special characters in a potentially malicious way.
  3. Use Absolute Paths: When specifying the command to be executed, use absolute paths for executables whenever possible. This reduces the risk of inadvertently running a similarly named malicious command from the system's PATH.
  4. Avoid String Concatenation: Refrain from dynamically constructing commands by concatenating strings. Instead, use the arg ...string parameter of exec.Command to pass arguments safely.
  5. Limit Privileges: Run commands with the least privilege required to carry out the task. Avoid running commands with elevated privileges unnecessarily.

By following these practices, you can reduce the risk of command injection vulnerabilities when using exec.Command in Go and enhance the security of your application.

View in Datadog  Leave us feedback  Documentation

goPackage = requireEnv("GOPACKAGE")
)

cmd := exec.Command("go", "tool", command, "-V=full")

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🟠 Code Vulnerability

Check command call and ensure there is no unsanitized data used. The variable `command` may need to be validated (...read more)

In Go, the exec.Command function is used to run external commands. Using this function carelessly can lead to command injection vulnerabilities.

Command injection occurs when untrusted input is passed directly to a system shell, allowing an attacker to execute arbitrary commands. This can result in unauthorized access to the system, data leaks, or other security breaches.

To prevent command injection vulnerabilities when using exec.Command in Go, follow these coding best practices:

  1. Sanitize User Input: Always validate and sanitize user inputs before passing them to exec.Command. Avoid executing commands constructed using user-provided data.
  2. Avoid using Shell Expansion: If possible, pass the command and arguments as separate strings to exec.Command. This prevents the shell from interpreting special characters in a potentially malicious way.
  3. Use Absolute Paths: When specifying the command to be executed, use absolute paths for executables whenever possible. This reduces the risk of inadvertently running a similarly named malicious command from the system's PATH.
  4. Avoid String Concatenation: Refrain from dynamically constructing commands by concatenating strings. Instead, use the arg ...string parameter of exec.Command to pass arguments safely.
  5. Limit Privileges: Run commands with the least privilege required to carry out the task. Avoid running commands with elevated privileges unnecessarily.

By following these practices, you can reduce the risk of command injection vulnerabilities when using exec.Command in Go and enhance the security of your application.

View in Datadog  Leave us feedback  Documentation

Copy link
Contributor

@eliottness eliottness left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

(let's fix the CI but) LGTM

@RomainMuller RomainMuller added this pull request to the merge queue Sep 19, 2024
Merged via the queue into main with commit c70a739 Sep 19, 2024
22 checks passed
@RomainMuller RomainMuller deleted the romain.marcadier/fix-bad-gofiles branch September 19, 2024 16:07
Copy link

codecov bot commented Sep 19, 2024

Codecov Report

Attention: Patch coverage is 84.12256% with 57 lines in your changes missing coverage. Please review.

Project coverage is 73.48%. Comparing base (7dac678) to head (c1e743e).
Report is 1 commits behind head on main.

Files with missing lines Patch % Lines
internal/toolexec/proxy/generator/main.go 75.74% 30 Missing and 19 partials ⚠️
internal/toolexec/proxy/compile.go 70.00% 2 Missing and 1 partial ⚠️
internal/toolexec/proxy/link.go 40.00% 2 Missing and 1 partial ⚠️
internal/toolexec/proxy/proxy.go 0.00% 2 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main     #281      +/-   ##
==========================================
- Coverage   78.53%   73.48%   -5.05%     
==========================================
  Files         140      144       +4     
  Lines        6359     7861    +1502     
==========================================
+ Hits         4994     5777     +783     
- Misses        955     1655     +700     
- Partials      410      429      +19     
Components Coverage Δ
Generators 76.69% <75.74%> (-2.65%) ⬇️
Instruments 88.05% <ø> (ø)
Go Driver 72.81% <ø> (-7.44%) ⬇️
Toolexec Driver 70.88% <84.07%> (+0.97%) ⬆️
Aspects 71.79% <ø> (-7.36%) ⬇️
Injector 73.24% <ø> (-5.33%) ⬇️
Job Server 63.20% <ø> (-5.63%) ⬇️
Integration Test Suite 87.64% <ø> (-4.70%) ⬇️
Other 73.48% <84.12%> (-5.05%) ⬇️
Files with missing lines Coverage Δ
internal/cmd/toolexec.go 59.45% <100.00%> (-2.08%) ⬇️
internal/toolexec/aspect/oncompile.go 74.21% <100.00%> (-4.00%) ⬇️
internal/toolexec/proxy/compile.flags.go 100.00% <100.00%> (ø)
internal/toolexec/proxy/link.flags.go 100.00% <100.00%> (ø)
internal/toolexec/proxy/proxy.go 64.51% <0.00%> (-10.03%) ⬇️
internal/toolexec/proxy/compile.go 75.75% <70.00%> (-14.72%) ⬇️
internal/toolexec/proxy/link.go 52.94% <40.00%> (-28.88%) ⬇️
internal/toolexec/proxy/generator/main.go 75.74% <75.74%> (ø)

... and 118 files with indirect coverage changes

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants