Switch to execabs for os/exec in connect cmd (#873)

* Switch to execabs for os/exec in connect cmd This is more of an abundance-of-caution change (e.g. defense in depth) but it doesn't seem like we should be using binaries from the current directory for `boundary connect` executions (unless given an explicit path). * Update changelog
5 years ago · 46644300d9
parent dcb15cffbd
commit 46644300d9
4 changed files with 13 additions and 3 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -4,12 +4,19 @@ Canonical reference for changes, improvements, and bugfixes for Boundary.

 ## Next

+### Security
+
+* Boundary now uses Go's execabs package for execution of binaries in `boundary
+  connect`. This is for defense-in-depth rather than a specific issue. See the
+  [Go blog post](https://blog.golang.org/path-security) for more details.
+  ([PR](https://github.com/hashicorp/boundary/pull/873))
+
 ### New and Improved

 * api/cli: On listing/reading, return a list of actions the user is authorized
  to perform on the identified resources
  ([PR](https://github.com/hashicorp/boundary/pull/870))
-  
+
 ### Bug Fixes

 * cli: When `output-curl-string` is used with `update` or `add-/remove-/set-`
@ -39,7 +46,7 @@ Canonical reference for changes, improvements, and bugfixes for Boundary.
  setup when running the binary
  ([Issue](https://github.com/hashicorp/boundary/issues/830))
  ([PR](https://github.com/hashicorp/boundary/pull/846))
-  
+
 ## 0.1.3 (2020/12/18)

 ### Changes/Deprecations
--- a/go.mod
+++ b/go.mod
@ -54,6 +54,7 @@ require (
 	github.com/zalando/go-keyring v0.1.0
 	go.uber.org/atomic v1.7.0
 	golang.org/x/crypto v0.0.0-20201208171446-5f87f3452ae9
+	golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4
 	golang.org/x/tools v0.0.0-20210101214203-2dba1e4ea05c
 	google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d
 	google.golang.org/grpc v1.34.0
--- a/go.sum
+++ b/go.sum
@ -1328,6 +1328,8 @@ golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20201029080932-201ba4db2418/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201211090839-8ad439b19e0f h1:QdHQnPce6K4XQewki9WNbG5KOROuDzqO3NaYjI1cXJ0=
 golang.org/x/sys v0.0.0-20201211090839-8ad439b19e0f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4 h1:myAQVi0cGEoqQVR5POX+8RR2mrocKqNN1hmeMqhX27k=
+golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221 h1:/ZHdbVpdR/jk3g30/d4yUL0JU9kksj8+F/bnQUVLGDM=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
--- a/internal/cmd/commands/connect/connect.go
+++ b/internal/cmd/commands/connect/connect.go
@ -13,13 +13,13 @@ import (
 	"net"
 	"net/http"
 	"os"
-	"os/exec"
 	"strconv"
 	"strings"
 	"sync"
 	"syscall"
 	"time"

+	exec "golang.org/x/sys/execabs"
 	"github.com/hashicorp/boundary/api"
 	"github.com/hashicorp/boundary/api/targets"
 	"github.com/hashicorp/boundary/globals"