diff --git a/CHANGELOG.md b/CHANGELOG.md index 34ec119f92..8c83c7c24f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,12 +4,19 @@ Canonical reference for changes, improvements, and bugfixes for Boundary. ## Next +### Security + +* Boundary now uses Go's execabs package for execution of binaries in `boundary + connect`. This is for defense-in-depth rather than a specific issue. See the + [Go blog post](https://blog.golang.org/path-security) for more details. + ([PR](https://github.com/hashicorp/boundary/pull/873)) + ### New and Improved * api/cli: On listing/reading, return a list of actions the user is authorized to perform on the identified resources ([PR](https://github.com/hashicorp/boundary/pull/870)) - + ### Bug Fixes * cli: When `output-curl-string` is used with `update` or `add-/remove-/set-` @@ -39,7 +46,7 @@ Canonical reference for changes, improvements, and bugfixes for Boundary. setup when running the binary ([Issue](https://github.com/hashicorp/boundary/issues/830)) ([PR](https://github.com/hashicorp/boundary/pull/846)) - + ## 0.1.3 (2020/12/18) ### Changes/Deprecations diff --git a/go.mod b/go.mod index 4ab6fbc445..9756907715 100644 --- a/go.mod +++ b/go.mod @@ -54,6 +54,7 @@ require ( github.com/zalando/go-keyring v0.1.0 go.uber.org/atomic v1.7.0 golang.org/x/crypto v0.0.0-20201208171446-5f87f3452ae9 + golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4 golang.org/x/tools v0.0.0-20210101214203-2dba1e4ea05c google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d google.golang.org/grpc v1.34.0 diff --git a/go.sum b/go.sum index 4445855f70..bef74841cc 100644 --- a/go.sum +++ b/go.sum 
@@ -1328,6 +1328,8 @@ golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20201029080932-201ba4db2418/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201211090839-8ad439b19e0f h1:QdHQnPce6K4XQewki9WNbG5KOROuDzqO3NaYjI1cXJ0= golang.org/x/sys v0.0.0-20201211090839-8ad439b19e0f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4 h1:myAQVi0cGEoqQVR5POX+8RR2mrocKqNN1hmeMqhX27k= +golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221 h1:/ZHdbVpdR/jk3g30/d4yUL0JU9kksj8+F/bnQUVLGDM= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= diff --git a/internal/cmd/commands/connect/connect.go b/internal/cmd/commands/connect/connect.go index 17be537897..6b31e54bf3 100644 --- a/internal/cmd/commands/connect/connect.go +++ b/internal/cmd/commands/connect/connect.go @@ -13,13 +13,13 @@ import ( "net" "net/http" "os" - "os/exec" "strconv" "strings" "sync" "syscall" "time" + exec "golang.org/x/sys/execabs" "github.com/hashicorp/boundary/api" "github.com/hashicorp/boundary/api/targets" "github.com/hashicorp/boundary/globals"
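Review bot: The aliased import `exec "golang.org/x/sys/execabs"` in connect.go has no comment, and because the alias leaves every `exec.` call site unchanged, nothing in the file tells a later maintainer that the swap is deliberate hardening against running a binary found in the current directory. I would add a comment on that line, e.g. `// execabs refuses binaries that PATH lookup resolves relative to the current directory; do not revert to os/exec`. The import also appears to sit ahead of the github.com/hashicorp entries in the same group, where goimports would sort it after them. The call sites are outside this hunk, so it is worth confirming that the error execabs attaches to the returned Cmd (reported when Run or Start is called) reaches the user, and that nothing else in the package still imports `os/exec` directly.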