Source: golang-github-cli-safeexec
Section: golang
Priority: optional
Maintainer: Debian Go Packaging Team
Uploaders: Anthony Fok
Rules-Requires-Root: no
Build-Depends: debhelper-compat (= 13),
               dh-sequence-golang,
               golang-any
Testsuite: autopkgtest-pkg-go
Standards-Version: 4.6.2
Vcs-Browser: https://salsa.debian.org/go-team/packages/golang-github-cli-safeexec
Vcs-Git: https://salsa.debian.org/go-team/packages/golang-github-cli-safeexec.git
Homepage: https://github.com/cli/safeexec
XS-Go-Import-Path: github.com/cli/safeexec

Package: golang-github-cli-safeexec-dev
Architecture: all
Depends: ${misc:Depends}
Multi-Arch: foreign
Description: safer version of exec.LookPath on Windows
 safeexec is a Go module that provides a safer alternative to
 exec.LookPath() on Windows.
 .
 The following, relatively common approach to running external commands
 has a subtle vulnerability on Windows:
 .
  import "os/exec"
 .
  func gitStatus() error {
      // On Windows, this will result in .\git.exe or .\git.bat being
      // executed if either were found in the current working directory,
      // before any git found on PATH is considered.
      cmd := exec.Command("git", "status")
      return cmd.Run()
  }
 .
 Searching the current directory (surprising behavior) before searching
 folders listed in the PATH environment variable (expected behavior) seems
 to be intended in Go and unlikely to be changed:
 https://github.com/golang/go/issues/38736
 .
 Since Go does not provide a version of exec.LookPath() that only searches
 PATH and does not search the current working directory, this module
 provides a LookPath function that works consistently across platforms.
 .
 Example use:
 .
  import (
      "os/exec"
      "github.com/cli/safeexec"
  )
 .
  func gitStatus() error {
      // Resolve "git" against PATH only, never against the current
      // directory, then hand exec the absolute path it found.
      gitBin, err := safeexec.LookPath("git")
      if err != nil {
          return err
      }
      cmd := exec.Command(gitBin, "status")
      return cmd.Run()
  }
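The PATH-only lookup the description argues for, written out as an added example (not the safeexec module's own code, which also handles Windows PATHEXT): it walks PATH and refuses empty or relative entries, since those are exactly what turns a lookup into a current-directory search. The names lookPathOnly, isExecutableFile and ErrNotFound are assumptions of this example, and the execute-bit check assumes Unix file-mode semantics.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrNotFound is returned when no executable for the name exists in any
// absolute PATH directory. (Name assumed by this example.)
var ErrNotFound = errors.New("executable not found in PATH")

// isExecutableFile reports whether path names a regular file with at least
// one execute bit set (Unix semantics; Windows would consult PATHEXT).
func isExecutableFile(path string) bool {
	fi, err := os.Stat(path)
	if err != nil || fi.IsDir() {
		return false
	}
	return fi.Mode()&0o111 != 0
}

// lookPathOnly searches only the directories in pathList (the value of
// PATH, split on sep) for file. Empty and relative entries are skipped on
// purpose: both resolve against the current working directory, which is the
// surprising behavior of exec.LookPath on Windows described above.
func lookPathOnly(file, pathList, sep string) (string, error) {
	if strings.ContainsAny(file, `/\`) {
		return "", errors.New("bare command name expected, got a path")
	}
	for _, dir := range strings.Split(pathList, sep) {
		if dir == "" || !filepath.IsAbs(dir) {
			continue // would be a CWD lookup; refuse it
		}
		candidate := filepath.Join(dir, file)
		if isExecutableFile(candidate) {
			return candidate, nil
		}
	}
	return "", ErrNotFound
}

func main() {
	// Resolve "sh" against the real PATH of this process.
	p, err := lookPathOnly("sh", os.Getenv("PATH"), string(os.PathListSeparator))
	fmt.Println(p, err)
}
```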