Skip to content

Commit

Permalink
Use golang.org/x/sys/execabs
Browse files Browse the repository at this point in the history
On Windows, the os/exec.{Command,CommandContext,LookPath} functions
resolve command names that have neither path separators nor file extension
(e.g., "git") by first looking in the current working directory before
looking in the PATH environment variable.
Go maintainers intended to match cmd.exe's historical behavior.

However, this is pretty much never the intended behavior and as an abundance of precaution
this patch prevents that when executing commands.
Example of commands that docker.exe may execute: `git`, `docker-buildx` (or other cli plugin), `docker-credential-wincred`, `docker`.

Note that this was prompted by the [Go 1.15.7 security fixes](https://blog.golang.org/path-security), but unlike in `go.exe`,
the windows path lookups in docker are not in a code path allowing remote code execution, thus there is no security impact on docker.

Signed-off-by: Tibor Vass <[email protected]>
  • Loading branch information
Tibor Vass committed Jan 26, 2021
1 parent 98fab0b commit e05c3ce
Show file tree
Hide file tree
Showing 5 changed files with 5 additions and 5 deletions.
2 changes: 1 addition & 1 deletion cli-plugins/manager/candidate.go
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
package manager

import (
"os/exec"
exec "golang.org/x/sys/execabs"
)

// Candidate represents a possible plugin candidate, for mocking purposes
Expand Down
2 changes: 1 addition & 1 deletion cli-plugins/manager/manager.go
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,6 @@ package manager
import (
"io/ioutil"
"os"
"os/exec"
"path/filepath"
"sort"
"strings"
Expand All @@ -12,6 +11,7 @@ import (
"github.com/docker/cli/cli/config"
"github.com/fvbommel/sortorder"
"github.com/spf13/cobra"
exec "golang.org/x/sys/execabs"
)

// ReexecEnvvar is the name of an ennvar which is set to the command
Expand Down
2 changes: 1 addition & 1 deletion cli/command/image/build/context.go
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,6 @@ import (
"io/ioutil"
"net/http"
"os"
"os/exec"
"path/filepath"
"runtime"
"strings"
Expand All @@ -24,6 +23,7 @@ import (
"github.com/docker/docker/pkg/streamformatter"
"github.com/docker/docker/pkg/stringid"
"github.com/pkg/errors"
exec "golang.org/x/sys/execabs"
)

const (
Expand Down
2 changes: 1 addition & 1 deletion cli/config/credentials/default_store.go
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
package credentials

import (
"os/exec"
exec "golang.org/x/sys/execabs"
)

// DetectDefaultStore return the default credentials store for the platform if
Expand Down
2 changes: 1 addition & 1 deletion cli/connhelper/commandconn/commandconn.go
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,6 @@ import (
"io"
"net"
"os"
"os/exec"
"runtime"
"strings"
"sync"
Expand All @@ -29,6 +28,7 @@ import (

"github.com/pkg/errors"
"github.com/sirupsen/logrus"
exec "golang.org/x/sys/execabs"
)

// New returns net.Conn
Expand Down

0 comments on commit e05c3ce

Please sign in to comment.