A Go module that provides a safer alternative to exec.LookPath() on Windows.

The following, relatively common approach to running external commands has a subtle vulnerability on Windows:

import "os/exec"

func gitStatus() error {
    // On Windows, this will result in `.\git.exe` or `.\git.bat` being executed
    // if either were found in the current working directory.
    cmd := exec.Command("git", "status")
    return cmd.Run()
}

Searching the current directory (surprising behavior) before searching folders listed in the PATH environment variable (expected behavior) seems to be intended in Go and unlikely to be changed: golang/go#38736

Since Go does not provide a version of exec.LookPath() that only searches PATH and does not search the current working directory, this module provides a LookPath function that works consistently across platforms.

Example use:

import (
    "os/exec"
    "github.com/cli/safeexec"
)

func gitStatus() error {
    gitBin, err := safeexec.LookPath("git")
    if err != nil {
        return err
    }
    cmd := exec.Command(gitBin, "status")
    return cmd.Run()
}

Ideally, this module would also provide exec.Command() and exec.CommandContext() equivalents that delegate to the patched version of LookPath. However, this doesn't seem possible since LookPath may return an error, while exec.Command/CommandContext() themselves do not return an error. In the standard library, the resulting exec.Cmd struct stores the LookPath error in a private field, but that functionality isn't available to us.