From 7c1b0c2deb737e696a72bd44bc610223d62b7d0e Mon Sep 17 00:00:00 2001
From: Chris Cotter
Date: Thu, 21 Jan 2021 15:42:02 -0500
Subject: [PATCH] fix(bigtable): replace unsafe exec in cbt (#3591)

Replace exec with execabs in this cbt command due to a vulnerability on Windows. See https://blog.golang.org/path-security for more information.
---
 bigtable/go.mod                          | 1 +
 bigtable/internal/cbtconfig/cbtconfig.go | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/bigtable/go.mod b/bigtable/go.mod
index 404d621bb0b..23a538471fa 100644
--- a/bigtable/go.mod
+++ b/bigtable/go.mod
@@ -10,6 +10,7 @@ require (
 	github.com/googleapis/gax-go/v2 v2.0.5
 	golang.org/x/mod v0.4.1 // indirect
 	golang.org/x/oauth2 v0.0.0-20210113160501-8b1d76fa0423
+	golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4
 	golang.org/x/tools v0.1.0 // indirect
 	google.golang.org/api v0.36.0
 	google.golang.org/genproto v0.0.0-20210120162456-f5e8c5e2aaf2
diff --git a/bigtable/internal/cbtconfig/cbtconfig.go b/bigtable/internal/cbtconfig/cbtconfig.go
index 0e0cf2de867..7508c0ce64e 100644
--- a/bigtable/internal/cbtconfig/cbtconfig.go
+++ b/bigtable/internal/cbtconfig/cbtconfig.go
@@ -28,13 +28,13 @@ import (
 	"io/ioutil"
 	"log"
 	"os"
-	"os/exec"
 	"path/filepath"
 	"runtime"
 	"strings"
 	"time"
 
 	"golang.org/x/oauth2"
+	"golang.org/x/sys/execabs"
 	"google.golang.org/grpc/credentials"
 )
 
@@ -211,7 +211,7 @@ func (g *GcloudCmdTokenSource) Token() (*oauth2.Token, error) {
 // LoadGcloudConfig retrieves the gcloud configuration values we need use via the
 // 'config-helper' command
 func LoadGcloudConfig(gcloudCmd string, gcloudCmdArgs []string) (*GcloudConfig, error) {
-	out, err := execabs.Command(gcloudCmd, gcloudCmdArgs...).Output()
+	out, err := execabs.Command(gcloudCmd, gcloudCmdArgs...).Output()
 	if err != nil {
 		return nil, fmt.Errorf("Could not retrieve gcloud configuration")
 	}
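Review bot: The error returned by the new `execabs.Command(gcloudCmd, gcloudCmdArgs...).Output()` line in LoadGcloudConfig is discarded two lines later by `return nil, fmt.Errorf("Could not retrieve gcloud configuration")`, so a user cannot tell a gcloud binary missing from PATH apart from the new failure mode this change introduces, where a match found through a relative PATH entry is refused. Wrapping it, `return nil, fmt.Errorf("could not retrieve gcloud configuration: %w", err)`, keeps that detail for the caller and for logs, and since cmd.Stderr is left unset, Output() attaches the command's stderr to the *exec.ExitError that the wrap would carry. Where gcloudCmd comes from is not visible in the hunk; if it can be user-supplied it is presumably already validated by the caller, but that is worth confirming because execabs only guards the PATH lookup, not an explicitly relative path. LoadGcloudConfig's body continues past the end of the hunk.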