add secureexec file for getting around windows checking for a binary first in the current dir

2 files changed, 41 insertions, 0 deletions

diff --git a/pkg/secureexec/secureexec_default.go b/pkg/secureexec/secureexec_default.go
new file mode 100644
index 000000000..1992358ce
--- /dev/null
+++ b/pkg/secureexec/secureexec_default.go
@@ -0,0 +1,11 @@
+// +build !windows
+
+package secureexec
+
+import (
+	"os/exec"
+)
+
+func Command(name string, args ...string) *exec.Cmd {
+	return exec.Command(name, args...)
+}
diff --git a/pkg/secureexec/secureexec_windows.go b/pkg/secureexec/secureexec_windows.go
new file mode 100644
index 000000000..537e0bfc1
--- /dev/null
+++ b/pkg/secureexec/secureexec_windows.go
@@ -0,0 +1,30 @@
+// +build windows
+
+package secureexec
+
+import (
+	"os/exec"
+
+	"github.com/cli/safeexec"
+)
+
+// calling exec.Command directly on a windows machine poses a security risk due to
+// the current directory being searched first before any directories in the PATH
+// variable, meaning you might clone a repo that contains a program called 'git'
+// which does something malicious when executed.
+
+// see https://github.com/golang/go/issues/38736 for more context. We'll likely
+// be able to just throw out this code and switch to the official solution when it exists.
+
+// I consider this a minor security concern because you're just as vulnerable if
+// you call `git status` from the command line directly but no harm in playing it
+// safe.
+
+func Command(name string, args ...string) *exec.Cmd {
+	bin, err := safeexec.LookPath(name)
+	if err != nil {
+		bin = name
+	}
+
+	return exec.Command(bin, args...)
+}