MCPcopy Index your code
hub / github.com/cli/safeexec

github.com/cli/safeexec @v1.0.1

Chat with this repo
repository ↗ · DeepWiki ↗ · release v1.0.1 ↗ · + Follow
9 symbols 22 edges 4 files 1 documented · 11% 18 cross-repo links updated 2y ago★ 105
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

safeexec

A Go module that provides a stabler alternative to exec.LookPath() that: - Avoids a Windows security risk of executing commands found in the current directory; and - Allows executing commands found in PATH, even if they come from relative PATH entries.

This is an alternative to golang.org/x/sys/execabs.

Usage

import (
    "os/exec"
    "github.com/cli/safeexec"
)

func gitStatus() error {
    gitBin, err := safeexec.LookPath("git")
    if err != nil {
        return err
    }
    cmd := exec.Command(gitBin, "status")
    return cmd.Run()
}

Background

Windows security vulnerability with Go <= 1.18

Go 1.18 (and older) standard library has a security vulnerability when executing programs:

import "os/exec"

func gitStatus() error {
    // On Windows, this will result in `.\git.exe` or `.\git.bat` being executed
    // if either were found in the current working directory.
    cmd := exec.Command("git", "status")
    return cmd.Run()
}

For historic reasons, Go used to implicitly include the current directory in the PATH resolution on Windows. The safeexec package avoids searching the current directory on Windows.

Relative PATH entries with Go 1.19+

Go 1.19 (and newer) standard library throws an error if exec.LookPath("git") resolved to an executable relative to the current directory. This can happen on other platforms if the PATH environment variable contains relative entries, e.g. PATH=./bin:$PATH. The safeexec package allows respecting relative PATH entries as it assumes that the responsibility for keeping PATH safe lies outside of the Go program.

TODO

Ideally, this module would also provide exec.Command() and exec.CommandContext() equivalents that delegate to the patched version of LookPath. However, this doesn't seem possible since LookPath may return an error, while exec.Command/CommandContext() themselves do not return an error. In the standard library, the resulting exec.Cmd struct stores the LookPath error in a private field, but that functionality isn't available to us.

Core symbols most depended-on inside this repo

chkStat
called by 3
lookpath_windows.go
findExecutable
called by 2
lookpath_windows.go
LookPath
called by 1
lookpath.go
hasExt
called by 1
lookpath_windows.go
LookPath
called by 0
lookpath_1.18.go
LookPath
called by 0
lookpath_windows.go

Shape

Function 9

Languages

Go100%

Modules by API surface

lookpath_windows.go4 symbols
lookpath_test.go3 symbols
lookpath_1.18.go1 symbols
lookpath.go1 symbols

For agents

$ claude mcp add safeexec \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact