mirror of
https://github.com/golang/go.git
synced 2025-12-08 06:10:04 +00:00
953d1feca9
Introduces a wrapper around os/exec, internal/execabs, for use in all commands. This wrapper prevents exec.LookPath and exec.Command from running executables in the current directory. All imports of os/exec in non-test files in cmd/ are replaced with imports of internal/execabs. This issue was reported by RyotaK. Fixes CVE-2021-3115 Fixes #43783 Change-Id: I0423451a6e27ec1e1d6f3fe929ab1ef69145c08f Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/955304 Reviewed-by: Russ Cox <rsc@google.com> Reviewed-by: Katie Hockman <katiehockman@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/284783 Run-TryBot: Roland Shoemaker <roland@golang.org> Reviewed-by: Katie Hockman <katie@golang.org> Trust: Roland Shoemaker <roland@golang.org>
72 lines
1.6 KiB
Go
72 lines
1.6 KiB
Go
// Copyright 2013 The Go Authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style
|
|
// license that can be found in the LICENSE file.
|
|
|
|
// +build ignore
|
|
|
|
// The run program is invoked via the dist tool.
|
|
// To invoke manually: go tool dist test -run api --no-rebuild
|
|
package main
|
|
|
|
import (
|
|
"fmt"
|
|
exec "internal/execabs"
|
|
"log"
|
|
"os"
|
|
"path/filepath"
|
|
"runtime"
|
|
"strings"
|
|
)
|
|
|
|
func goCmd() string {
|
|
var exeSuffix string
|
|
if runtime.GOOS == "windows" {
|
|
exeSuffix = ".exe"
|
|
}
|
|
path := filepath.Join(runtime.GOROOT(), "bin", "go"+exeSuffix)
|
|
if _, err := os.Stat(path); err == nil {
|
|
return path
|
|
}
|
|
return "go"
|
|
}
|
|
|
|
var goroot string
|
|
|
|
func main() {
|
|
log.SetFlags(0)
|
|
goroot = os.Getenv("GOROOT") // should be set by run.{bash,bat}
|
|
if goroot == "" {
|
|
log.Fatal("No $GOROOT set.")
|
|
}
|
|
|
|
apiDir := filepath.Join(goroot, "api")
|
|
out, err := exec.Command(goCmd(), "tool", "api",
|
|
"-c", findAPIDirFiles(apiDir),
|
|
"-next", filepath.Join(apiDir, "next.txt"),
|
|
"-except", filepath.Join(apiDir, "except.txt")).CombinedOutput()
|
|
if err != nil {
|
|
log.Fatalf("Error running API checker: %v\n%s", err, out)
|
|
}
|
|
fmt.Print(string(out))
|
|
}
|
|
|
|
// findAPIDirFiles returns a comma-separated list of Go API files
|
|
// (go1.txt, go1.1.txt, etc.) located in apiDir.
|
|
func findAPIDirFiles(apiDir string) string {
|
|
dir, err := os.Open(apiDir)
|
|
if err != nil {
|
|
log.Fatal(err)
|
|
}
|
|
defer dir.Close()
|
|
fs, err := dir.Readdirnames(-1)
|
|
if err != nil {
|
|
log.Fatal(err)
|
|
}
|
|
var apiFiles []string
|
|
for _, fn := range fs {
|
|
if strings.HasPrefix(fn, "go1") {
|
|
apiFiles = append(apiFiles, filepath.Join(apiDir, fn))
|
|
}
|
|
}
|
|
return strings.Join(apiFiles, ",")
|
|
}
|