cmd/go: "go env" output does not sanitize values #58508

Open
neild opened this issue Feb 13, 2023 · 1 comment
Assignee: neild
Labels: GoCommand cmd/go, NeedsFix (The path to resolution is known, but the work has not been done.), Security
Milestone: Go1.21

Comments

neild (Contributor) commented Feb 13, 2023

go env is documented as outputting a shell script containing the Go environment:

$ go help env
By default env prints information as a shell script
(on Windows, a batch file). If one or more variable
names is given as arguments, env prints the value of
each named variable on its own line.

However, go env doesn't sanitize values, so executing its output as a shell script can cause various bad behaviors, including executing arbitrary commands:

$ CC='$(echo shell expansion 1>&2)' go env | source /dev/stdin
shell expansion

Or inserting new environment variables:

$ CC=$(echo 'cc"'; echo 'OOPS="oops') go env
...
CC="cc"
OOPS="oops"
...

In general, if an attacker can set arbitrary environment variables on a system, they have better attack vectors than making go env print them out, but we still should be sanitizing the output here. Treating this as a PUBLIC track vulnerability because the scenarios where this results in a vulnerability are fairly artificial, and the correct fix is not immediately obvious. (Properly quoting values seems like an obvious fix, but shell quoting is subtle.)

This is CVE-2023-24531.

Thanks to Hunter Wittenborn (https://hunterwittenborn.com/) for reporting this issue.

@neild neild self-assigned this Feb 13, 2023
@bcmills bcmills added NeedsFix The path to resolution is known, but the work has not been done. GoCommand cmd/go Security labels Feb 14, 2023
@bcmills bcmills added this to the Go1.21 milestone Feb 14, 2023
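As an added illustration (this is example code written for this page, not code from the issue, from cmd/go, or the approach taken in the linked CL): the Go program below renders one environment variable the unsanitized way the examples above show (double quotes, no escaping), and the single-quoted way POSIX sh treats as fully literal. It then runs both renderings through a minimal model of sh quoting to report which characters the shell would still act on. The function names (naiveEnvLine, shQuote, safeEnvLine, unquotedSpecials, check) and the sample payloads are assumptions made for this example; the payloads are constructed from the two shown in the report plus a value containing a single quote.

```go
package main

import (
	"fmt"
	"strings"
)

// naiveEnvLine mirrors the unsanitized output shape shown in the issue
// (assumed from the examples, not taken from cmd/go's source): the value
// is wrapped in double quotes with no escaping, so $(...), embedded double
// quotes and newlines all reach the shell intact.
func naiveEnvLine(name, value string) string {
	return name + "=\"" + value + "\"\n"
}

// shQuote single-quotes a value for POSIX sh. Inside single quotes the
// shell performs no expansion at all, so the only character that needs
// handling is the single quote itself: close the string, emit an
// escaped quote, reopen the string ('\'').
func shQuote(value string) string {
	return "'" + strings.ReplaceAll(value, "'", `'\''`) + "'"
}

// safeEnvLine is the hardened counterpart of naiveEnvLine.
func safeEnvLine(name, value string) string {
	return name + "=" + shQuote(value) + "\n"
}

// unquotedSpecials checks one assignment (without its trailing newline)
// against a minimal model of POSIX sh quoting: text inside single quotes
// is literal, a backslash outside single quotes escapes the next
// character, and everything else is visible to the shell. It returns a
// description of every $, `, " and newline the shell would still act on.
// Double quotes are reported rather than treated as protection, because
// $(...) and backquotes still expand inside them.
func unquotedSpecials(assignment string) []string {
	var found []string
	inSingle := false
	runes := []rune(assignment)
	for i := 0; i < len(runes); i++ {
		r := runes[i]
		switch {
		case r == '\'':
			inSingle = !inSingle
		case inSingle:
			// Literal text; nothing to report.
		case r == '\\':
			i++ // The next character is escaped; skip it.
		case r == '$' || r == '`' || r == '"' || r == '\n':
			found = append(found, fmt.Sprintf("%q at rune %d", r, i))
		}
	}
	return found
}

// check renders one variable both ways and returns what the model flags
// in each rendering, so the difference can be inspected or asserted on.
func check(name, value string) (naiveFlags, safeFlags []string) {
	naive := strings.TrimSuffix(naiveEnvLine(name, value), "\n")
	safe := strings.TrimSuffix(safeEnvLine(name, value), "\n")
	return unquotedSpecials(naive), unquotedSpecials(safe)
}

func main() {
	// Constructed inputs: the two payloads from the issue plus a value
	// containing a single quote, the one character shQuote must escape.
	payloads := []string{
		"$(echo shell expansion 1>&2)",
		"cc\"\nOOPS=\"oops",
		"it's",
	}
	for _, p := range payloads {
		naiveFlags, safeFlags := check("CC", p)
		fmt.Printf("naive: %s", naiveEnvLine("CC", p))
		fmt.Printf("  flagged: %v\n", naiveFlags)
		fmt.Printf("safe:  %s", safeEnvLine("CC", p))
		fmt.Printf("  flagged: %v\n", safeFlags)
	}
}
```

Single-quoting sidesteps the subtlety the comment mentions: inside single quotes sh expands nothing, so the only escape needed is for a single quote itself, and an embedded newline stays part of the value instead of starting a new assignment. The model is deliberately minimal and applies to POSIX sh only; the batch file go env writes on Windows follows different rules and is not covered here. Consumers that want machine-readable values can ask go env for named variables, or use go env -json, rather than sourcing the script.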
gopherbot commented

Change https://go.dev/cl/473895 mentions this issue: cmd/go: fix incorrect quoting for values with double quotes
