security: fix vulnerability on Windows where an exe in a malicious re…

…pository could run arbitrary code Special thanks to RyotaK - https://github.com/Ry0taK for identifying this vulnerability
chriswalz · Mar 20, 2021 · dc4715d · dc4715d
1 parent 83f458c
commit dc4715d
Show file tree

Hide file tree

Showing 7 changed files with 8 additions and 6 deletions.
diff --git a/cmd/gh.go b/cmd/gh.go
@@ -1,7 +1,7 @@
 package cmd
 
 import (
-	"os/exec"
+	exec "golang.org/x/sys/execabs"
 	"strconv"
 	"strings"
 

diff --git a/cmd/git.go b/cmd/git.go
@@ -2,8 +2,8 @@ package cmd
 
 import (
 	"fmt"
+	exec "golang.org/x/sys/execabs"
 	"os"
-	"os/exec"
 	"strings"
 
 	"github.com/rs/zerolog/log"

diff --git a/cmd/release.go b/cmd/release.go
@@ -2,7 +2,7 @@ package cmd
 
 import (
 	"fmt"
-	"os/exec"
+	exec "golang.org/x/sys/execabs"
 
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"

diff --git a/cmd/update.go b/cmd/update.go
@@ -2,8 +2,8 @@ package cmd
 
 import (
 	"fmt"
+	exec "golang.org/x/sys/execabs"
 	"os"
-	"os/exec"
 	"path/filepath"
 	"runtime"
 	"strings"

diff --git a/cmd/util.go b/cmd/util.go
@@ -4,8 +4,8 @@ import (
 	"errors"
 	"fmt"
 	"github.com/chriswalz/complete/v3"
+	exec "golang.org/x/sys/execabs"
 	"os"
-	"os/exec"
 	"regexp"
 	"runtime"
 	"runtime/debug"

diff --git a/go.mod b/go.mod
@@ -25,5 +25,6 @@ require (
 	github.com/thoas/go-funk v0.7.0
 	github.com/tj/go-update v2.2.4+incompatible
 	github.com/ulikunitz/xz v0.5.8 // indirect
+	golang.org/x/sys v0.0.0-20210319071255-635bc2c9138d
 
 )
diff --git a/go.sum b/go.sum
@@ -352,8 +352,9 @@ golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200223170610-d5e6a3e2c0ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200909081042-eff7692f9009/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200918174421-af09f7315aff h1:1CPUrky56AcgSpxz/KfgzQWzfG09u5YOL8MvPYBlrL8=
 golang.org/x/sys v0.0.0-20200918174421-af09f7315aff/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210319071255-635bc2c9138d h1:jbzgAvDZn8aEnytae+4ou0J0GwFZoHR0hOrTg4qH8GA=
+golang.org/x/sys v0.0.0-20210319071255-635bc2c9138d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=