[release-branch.go1.15-security] all: introduce and use internal/execabs

Introduces a wrapper around os/exec, internal/execabs, for use in
all commands. This wrapper prevents exec.LookPath and exec.Command from
running executables in the current directory.

All imports of os/exec in non-test files in cmd/ are replaced with
imports of internal/execabs.

This issue was reported by RyotaK.

Fixes CVE-2021-3115

Change-Id: I0423451a6e27ec1e1d6f3fe929ab1ef69145c08f
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/955304
Reviewed-by: Russ Cox <[email protected]>
Reviewed-by: Katie Hockman <[email protected]>
(cherry picked from commit 44f09a6990ccf4db601cbf8208c89ac4e888f884)
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/955308

Author: rolandshoemaker

src/cmd/api/goapi.go

@@ -16,11 +16,11 @@ import (
 	"go/parser"
 	"go/token"
 	"go/types"
+	exec "internal/execabs"
 	"io"
 	"io/ioutil"
 	"log"
 	"os"
-	"os/exec"
 	"path/filepath"
 	"regexp"
 	"runtime"

src/cmd/api/run.go

@@ -10,9 +10,9 @@ package main
 
 import (
 	"fmt"
+	exec "internal/execabs"
 	"log"
 	"os"
-	"os/exec"
 	"path/filepath"
 	"runtime"
 	"strings"

src/cmd/cgo/out.go

@@ -13,11 +13,11 @@ import (
 	"go/ast"
 	"go/printer"
 	"go/token"
+	exec "internal/execabs"
 	"internal/xcoff"
 	"io"
 	"io/ioutil"
 	"os"
-	"os/exec"
 	"path/filepath"
 	"regexp"
 	"sort"

src/cmd/cgo/util.go

@@ -8,9 +8,9 @@ import (
 	"bytes"
 	"fmt"
 	"go/token"
+	exec "internal/execabs"
 	"io/ioutil"
 	"os"
-	"os/exec"
 )
 
 // run runs the command argv, feeding in stdin on standard input.

src/cmd/compile/internal/ssa/html.go

@@ -9,9 +9,9 @@ import (
 	"cmd/internal/src"
 	"fmt"
 	"html"
+	exec "internal/execabs"
 	"io"
 	"os"
-	"os/exec"
 	"path/filepath"
 	"strconv"
 	"strings"

src/cmd/cover/func.go

@@ -15,9 +15,9 @@ import (
 	"go/ast"
 	"go/parser"
 	"go/token"
+	exec "internal/execabs"
 	"io"
 	"os"
-	"os/exec"
 	"path"
 	"path/filepath"
 	"runtime"

src/cmd/cover/testdata/toolexec.go

@@ -16,7 +16,7 @@ package main
 
 import (
 	"os"
-	"os/exec"
+	exec "internal/execabs"
 	"strings"
 )
 

src/cmd/dist/buildtool.go

@@ -302,8 +302,10 @@ func bootstrapFixImports(srcFile string) string {
 			continue
 		}
 		if strings.HasPrefix(line, `import "`) || strings.HasPrefix(line, `import . "`) ||
-			inBlock && (strings.HasPrefix(line, "\t\"") || strings.HasPrefix(line, "\t. \"")) {
+			inBlock && (strings.HasPrefix(line, "\t\"") || strings.HasPrefix(line, "\t. \"") || strings.HasPrefix(line, "\texec \"")) {
 			line = strings.Replace(line, `"cmd/`, `"bootstrap/cmd/`, -1)
+			// During bootstrap, must use plain os/exec.
+			line = strings.Replace(line, `exec "internal/execabs"`, `"os/exec"`, -1)
 			for _, dir := range bootstrapDirs {
 				if strings.HasPrefix(dir, "cmd/") {
 					continue

src/cmd/doc/dirs.go

@@ -7,9 +7,9 @@ package main
 import (
 	"bytes"
 	"fmt"
+	exec "internal/execabs"
 	"log"
 	"os"
-	"os/exec"
 	"path/filepath"
 	"regexp"
 	"strings"

src/cmd/fix/typecheck.go

@@ -9,9 +9,9 @@ import (
 	"go/ast"
 	"go/parser"
 	"go/token"
+	exec "internal/execabs"
 	"io/ioutil"
 	"os"
-	"os/exec"
 	"path/filepath"
 	"reflect"
 	"runtime"

src/cmd/go/internal/base/base.go

@@ -9,9 +9,9 @@ package base
 import (
 	"flag"
 	"fmt"
+	exec "internal/execabs"
 	"log"
 	"os"
-	"os/exec"
 	"strings"
 	"sync"
 

src/cmd/go/internal/bug/bug.go

@@ -8,11 +8,11 @@ package bug
 import (
 	"bytes"
 	"fmt"
+	exec "internal/execabs"
 	"io"
 	"io/ioutil"
 	urlpkg "net/url"
 	"os"
-	"os/exec"
 	"path/filepath"
 	"regexp"
 	"runtime"

src/cmd/go/internal/generate/generate.go

@@ -11,11 +11,11 @@ import (
 	"fmt"
 	"go/parser"
 	"go/token"
+	exec "internal/execabs"
 	"io"
 	"io/ioutil"
 	"log"
 	"os"
-	"os/exec"
 	"path/filepath"
 	"regexp"
 	"strconv"

src/cmd/go/internal/modfetch/codehost/codehost.go

@@ -10,10 +10,10 @@ import (
 	"bytes"
 	"crypto/sha256"
 	"fmt"
+	exec "internal/execabs"
 	"io"
 	"io/ioutil"
 	"os"
-	"os/exec"
 	"path/filepath"
 	"strings"
 	"sync"

src/cmd/go/internal/modfetch/codehost/git.go

@@ -8,11 +8,11 @@ import (
 	"bytes"
 	"errors"
 	"fmt"
+	exec "internal/execabs"
 	"io"
 	"io/ioutil"
 	"net/url"
 	"os"
-	"os/exec"
 	"path/filepath"
 	"sort"
 	"strconv"

src/cmd/go/internal/test/genflags.go

@@ -9,9 +9,9 @@ package main
 import (
 	"bytes"
 	"flag"
+	exec "internal/execabs"
 	"log"
 	"os"
-	"os/exec"
 	"strings"
 	"testing"
 	"text/template"

src/cmd/go/internal/test/test.go

@@ -10,10 +10,10 @@ import (
 	"errors"
 	"fmt"
 	"go/build"
+	exec "internal/execabs"
 	"io"
 	"io/ioutil"
 	"os"
-	"os/exec"
 	"path"
 	"path/filepath"
 	"regexp"

src/cmd/go/internal/tool/tool.go

@@ -7,8 +7,8 @@ package tool
 
 import (
 	"fmt"
+	exec "internal/execabs"
 	"os"
-	"os/exec"
 	"sort"
 	"strings"
 

src/cmd/go/internal/vet/vetflag.go

@@ -10,9 +10,9 @@ import (
 	"errors"
 	"flag"
 	"fmt"
+	exec "internal/execabs"
 	"log"
 	"os"
-	"os/exec"
 	"path/filepath"
 	"strings"
 

src/cmd/go/internal/work/build.go

@@ -8,8 +8,8 @@ import (
 	"errors"
 	"fmt"
 	"go/build"
+	exec "internal/execabs"
 	"os"
-	"os/exec"
 	"path/filepath"
 	"runtime"
 	"strings"

src/cmd/go/internal/work/buildid.go

@@ -7,9 +7,9 @@ package work
 import (
 	"bytes"
 	"fmt"
+	exec "internal/execabs"
 	"io/ioutil"
 	"os"
-	"os/exec"
 	"strings"
 
 	"cmd/go/internal/base"

src/cmd/go/internal/work/exec.go

@@ -11,13 +11,13 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	exec "internal/execabs"
 	"internal/lazyregexp"
 	"io"
 	"io/ioutil"
 	"log"
 	"math/rand"
 	"os"
-	"os/exec"
 	"path/filepath"
 	"regexp"
 	"runtime"

src/cmd/go/internal/work/gccgo.go

@@ -6,9 +6,9 @@ package work
 
 import (
 	"fmt"
+	exec "internal/execabs"
 	"io/ioutil"
 	"os"
-	"os/exec"
 	"path/filepath"
 	"strings"
 

src/cmd/go/testdata/addmod.go

@@ -25,7 +25,7 @@ import (
 	"io/ioutil"
 	"log"
 	"os"
-	"os/exec"
+	exec "internal/execabs"
 	"path/filepath"
 	"strings"
 

src/cmd/internal/browser/browser.go

@@ -6,8 +6,8 @@
 package browser
 
 import (
+	exec "internal/execabs"
 	"os"
-	"os/exec"
 	"runtime"
 	"time"
 )

src/cmd/internal/diff/diff.go

@@ -7,9 +7,9 @@
 package diff
 
 import (
+	exec "internal/execabs"
 	"io/ioutil"
 	"os"
-	"os/exec"
 	"runtime"
 )
 

src/cmd/internal/dwarf/dwarf.go

@@ -12,7 +12,7 @@ import (
 	"cmd/internal/objabi"
 	"errors"
 	"fmt"
-	"os/exec"
+	exec "internal/execabs"
 	"sort"
 	"strconv"
 	"strings"

src/cmd/link/internal/ld/execarchive.go

@@ -7,8 +7,8 @@
 package ld
 
 import (
+	exec "internal/execabs"
 	"os"
-	"os/exec"
 	"path/filepath"
 	"syscall"
 )

src/cmd/link/internal/ld/lib.go

@@ -50,11 +50,11 @@ import (
 	"encoding/binary"
 	"encoding/hex"
 	"fmt"
+	exec "internal/execabs"
 	"io"
 	"io/ioutil"
 	"log"
 	"os"
-	"os/exec"
 	"path/filepath"
 	"runtime"
 	"sort"

src/cmd/test2json/main.go

@@ -82,9 +82,9 @@ package main
 import (
 	"flag"
 	"fmt"
+	exec "internal/execabs"
 	"io"
 	"os"
-	"os/exec"
 
 	"cmd/internal/test2json"
 )

src/cmd/trace/pprof.go

@@ -9,12 +9,12 @@ package main
 import (
 	"bufio"
 	"fmt"
+	exec "internal/execabs"
 	"internal/trace"
 	"io"
 	"io/ioutil"
 	"net/http"
 	"os"
-	"os/exec"
 	"path/filepath"
 	"runtime"
 	"sort"

src/go/build/build.go

@@ -12,12 +12,12 @@ import (
 	"go/doc"
 	"go/parser"
 	"go/token"
+	exec "internal/execabs"
 	"internal/goroot"
 	"internal/goversion"
 	"io"
 	"io/ioutil"
 	"os"
-	"os/exec"
 	pathpkg "path"
 	"path/filepath"
 	"runtime"

src/go/build/deps_test.go

@@ -161,7 +161,7 @@ var depsRules = `
 	reflect !< OS;
 
 	OS
-	< golang.org/x/sys/cpu, internal/goroot;
+	< golang.org/x/sys/cpu;
 
 	# FMT is OS (which includes string routines) plus reflect and fmt.
 	# It does not include package log, which should be avoided in core packages.
@@ -177,6 +177,12 @@ var depsRules = `
 
 	log !< FMT;
 
+	OS, FMT
+	< internal/execabs;
+
+	OS, internal/execabs
+	< internal/goroot;
+
 	# Misc packages needing only FMT.
 	FMT
 	< flag,

src/go/internal/gccgoimporter/gccgoinstallation.go

@@ -7,8 +7,8 @@ package gccgoimporter
 import (
 	"bufio"
 	"go/types"
+	exec "internal/execabs"
 	"os"
-	"os/exec"
 	"path/filepath"
 	"strings"
 )