From 92c1f57e85f76259978f6aadbaa5324854dfa2c8 Mon Sep 17 00:00:00 2001 From: Sebastiaan van Stijn Date: Mon, 22 Apr 2024 20:31:03 +0200 Subject: [PATCH] switch back from golang.org/x/sys/execabs to os/exec (go1.19) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This reverts commit f2a56450f4feb316514aa0f5978a989fe6b1a328, which switched from os/exec to the golang.org/x/sys/execabs package to mitigate security issues (mainly on Windows) with lookups resolving to binaries in the current directory. from the go1.19 release notes https://go.dev/doc/go1.19#os-exec-path > ## PATH lookups > > Command and LookPath no longer allow results from a PATH search to be found > relative to the current directory. This removes a common source of security > problems but may also break existing programs that depend on using, say, > exec.Command("prog") to run a binary named prog (or, on Windows, prog.exe) in > the current directory. See the os/exec package documentation for information > about how best to update such programs. > > On Windows, Command and LookPath now respect the NoDefaultCurrentDirectoryInExePath > environment variable, making it possible to disable the default implicit search > of “.” in PATH lookups on Windows systems. Signed-off-by: Sebastiaan van Stijn --- pkg/security/grantvmgroupaccess_test.go | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/pkg/security/grantvmgroupaccess_test.go b/pkg/security/grantvmgroupaccess_test.go index 16df6441..6e275309 100644 --- a/pkg/security/grantvmgroupaccess_test.go +++ b/pkg/security/grantvmgroupaccess_test.go @@ -5,12 +5,11 @@ package security import ( "os" + "os/exec" "path/filepath" "regexp" "strings" "testing" - - exec "golang.org/x/sys/execabs" ) const (