Merge pull request from GHSA-57q7-rxqq-7vgp

Use a safer method to locate the `git` executable (a simpler approach)

git/git.go

@@ -61,6 +61,10 @@ func (oid OID) MarshalJSON() ([]byte, error) {
 
 type Repository struct {
 	path string
+
+	// gitBin is the path of the `git` executable that should be used
+	// when running commands in this repository.
+	gitBin string
 }
 
 // smartJoin returns the path that can be described as `relPath`
@@ -73,28 +77,36 @@ func smartJoin(path, relPath string) string {
 	return filepath.Join(path, relPath)
 }
 
+// NewRepository creates a new repository object that can be used for
+// running `git` commands within that repository.
 func NewRepository(path string) (*Repository, error) {
-	cmd := exec.Command("git", "-C", path, "rev-parse", "--git-dir")
+	// Find the `git` executable to be used:
+	gitBin, err := findGitBin()
+	if err != nil {
+		return nil, fmt.Errorf(
+			"could not find 'git' executable (is it in your PATH?): %v", err,
+		)
+	}
+
+	cmd := exec.Command(gitBin, "-C", path, "rev-parse", "--git-dir")
 	out, err := cmd.Output()
 	if err != nil {
 		switch err := err.(type) {
 		case *exec.Error:
 			return nil, fmt.Errorf(
-				"could not run git (is it in your PATH?): %s",
-				err.Err,
+				"could not run '%s': %v", gitBin, err.Err,
 			)
 		case *exec.ExitError:
 			return nil, fmt.Errorf(
-				"git rev-parse failed: %s",
-				err.Stderr,
+				"git rev-parse failed: %s", err.Stderr,
 			)
 		default:
 			return nil, err
 		}
 	}
 	gitDir := smartJoin(path, string(bytes.TrimSpace(out)))
 
-	cmd = exec.Command("git", "rev-parse", "--git-path", "shallow")
+	cmd = exec.Command(gitBin, "rev-parse", "--git-path", "shallow")
 	cmd.Dir = gitDir
 	out, err = cmd.Output()
 	if err != nil {
@@ -108,7 +120,10 @@ func NewRepository(path string) (*Repository, error) {
 		return nil, errors.New("this appears to be a shallow clone; full clone required")
 	}
 
-	return &Repository{path: gitDir}, nil
+	return &Repository{
+		path:   gitDir,
+		gitBin: gitBin,
+	}, nil
 }
 
 func (repo *Repository) gitCommand(callerArgs ...string) *exec.Cmd {
@@ -124,7 +139,7 @@ func (repo *Repository) gitCommand(callerArgs ...string) *exec.Cmd {
 
 	args = append(args, callerArgs...)
 
-	cmd := exec.Command("git", args...)
+	cmd := exec.Command(repo.gitBin, args...)
 
 	cmd.Env = append(
 		os.Environ(),

git/git_bin.go

@@ -0,0 +1,27 @@
+package git
+
+import (
+	"path/filepath"
+
+	"github.com/cli/safeexec"
+)
+
+// findGitBin finds the `git` binary in PATH that should be used by
+// the rest of `git-sizer`. It uses `safeexec` to find the executable,
+// because on Windows, `exec.Cmd` looks not only in PATH, but also in
+// the current directory. This is a potential risk if the repository
+// being scanned is hostile and non-bare because it might possibly
+// contain an executable file named `git`.
+func findGitBin() (string, error) {
+	gitBin, err := safeexec.LookPath("git")
+	if err != nil {
+		return "", err
+	}
+
+	gitBin, err = filepath.Abs(gitBin)
+	if err != nil {
+		return "", err
+	}
+
+	return gitBin, nil
+}

go.mod

@@ -3,6 +3,7 @@ module github.com/github/git-sizer
 go 1.16
 
 require (
+	github.com/cli/safeexec v1.0.0
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.4.0

go.sum

@@ -1,3 +1,5 @@
+github.com/cli/safeexec v1.0.0 h1:0VngyaIyqACHdcMNWfo6+KdUYnqEr2Sg+bSP1pdF+dI=
+github.com/cli/safeexec v1.0.0/go.mod h1:Z/D4tTN8Vs5gXYHDCbaM1S/anmEDnJb1iW0+EJ5zx3Q=
 github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=