Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cmd/go: "go env" output does not sanitize values #58508

Closed
neild opened this issue Feb 13, 2023 · 4 comments
Closed

cmd/go: "go env" output does not sanitize values #58508

neild opened this issue Feb 13, 2023 · 4 comments
Assignees
@matloob
Labels
GoCommand cmd/go NeedsFix The path to resolution is known, but the work has not been done. Security
Milestone
Go1.21

Comments

@neild
Copy link
Contributor

neild commented Feb 13, 2023

go env is documented as outputting a shell script containing Go the environment:

$ go help env
By default env prints information as a shell script
(on Windows, a batch file). If one or more variable
names is given as arguments, env prints the value of
each named variable on its own line.

However, go env doesn't sanitize values, so executing its output as a shell script can cause various bad bahaviors, including executing arbitrary commands:

$ CC='$(echo shell expansion 1>&2)' go env | source /dev/stdin
shell expansion

Or inserting new environment variables:

$ CC=$(echo 'cc"'; echo 'OOPS="oops') go env
...
CC="cc"
OOPS="oops"
...

In general, if an attacker can set arbitrary environment variables on a system, they have better attack vectors than making go env print them out, but we still should be sanitizing the output here. Treating this as a PUBLIC track vulnerability because the scenarios where this results in a vulnerability are fairly artificial, and the correct fix is not immediately obvious. (Properly quoting values seems like an obvious fix, but shell quoting is subtle.)

This is CVE-2023-24531.

Thanks to Hunter Wittenborn (https://hunterwittenborn.com/) for reporting this issue.
@neild neild self-assigned this Feb 13, 2023
@bcmills bcmills added NeedsFix The path to resolution is known, but the work has not been done. GoCommand cmd/go Security labels Feb 14, 2023
@bcmills bcmills added this to the Go1.21 milestone Feb 14, 2023
@gopherbot
Copy link

Change https://go.dev/cl/473895 mentions this issue: cmd/go: fix incorrect quoting for values with double quotes

@gopherbot
Copy link

Change https://go.dev/cl/488375 mentions this issue: cmd/go: sanitize go env outputs

@bcmills bcmills mentioned this issue May 4, 2023
Open
@gopherbot
Copy link

Change https://go.dev/cl/493535 mentions this issue: cmd/go: quote entries in list-valued variables for go env in plan9

@matloob matloob assigned matloob and unassigned neild May 11, 2023
gopherbot pushed a commit that referenced this issue May 24, 2023
@millerresearch @gopherbot
cmd/go: quote entries in list-valued variables for go env in plan9
05cc9e5 
When 'go env' without an argument prints environment variables as
a script which can be executed by the shell, variables with a
list value in Plan 9 (such as GOPATH) need to be printed with each
element enclosed in single quotes in case it contains characters
significant to the Plan 9 shell (such as ' ' or '=').

For #58508

Change-Id: Ia30f51307cc6d07a7e3ada6bf9d60bf9951982ff
Reviewed-on: https://go-review.googlesource.com/c/go/+/493535
Run-TryBot: Cherry Mui <cherryyz@google.com>
Reviewed-by: Cherry Mui <cherryyz@google.com>
Reviewed-by: Russ Cox <rsc@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Auto-Submit: Dmitri Shuralyov <dmitshur@golang.org>
@tangxi666
Copy link
Contributor

Hello, may I ask why this CVE is only merged into master and not the old version?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@matloob matloob

Labels
GoCommand cmd/go NeedsFix The path to resolution is known, but the work has not been done. Security
Projects
None yet
Milestone
Go1.21
Development

No branches or pull requests
5 participants
@neild @bcmills @gopherbot @matloob @tangxi666