Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security: Move $GOPATH/bin to end of $PATH #99

Closed
stevegt opened this issue Oct 8, 2019 · 3 comments · Fixed by #100
Closed

Security: Move $GOPATH/bin to end of $PATH #99

stevegt opened this issue Oct 8, 2019 · 3 comments · Fixed by #100

Comments

@stevegt
Copy link
Contributor

stevegt commented Oct 8, 2019
edited
Loading

This one's related to the INSTALL.md refactoring in #98, but I'm entering it as a separate issue because it's a pretty bad security vulnerability that probably needs to be dealt with sooner.

We ought to be telling users to put $GOPATH/bin at the end of $PATH, not the beginning. Right now, in text inherited from the pyenv INSTALL.md, we're telling users to put $GOPATH/bin at the beginning. By doing that, we're potentially allowing anyone with a github ID to silently supersede any standard UNIX/Linux utility on machines using goenv.

In my case, I recently installed an innocent package, and noticed a while later that goenv init - was failing. After a very confusing afternoon of troubleshooting, I finally realized, with some disbelief, that this sort at the bottom of goenv-commands was returning empty stdout regardless of stdin: https://github.com/syndbg/goenv/blob/256f7c85e56dde3ee64aa268737bc07f1484ac1f/libexec/goenv-commands#L44 It turned out that the package I'd earlier installed had dropped a binary named sort into $GOPATH/bin. The whole saga is described in gory detail over in emirpasic/gods#123. Thankfully, @emirpasic responded quickly and accepted my pull request, but many packages aren't going to be that well-maintained.

In retrospect, this vulnerability is pretty obvious, but it didn't hit me until now just what Go's decentralized package distribution means when coupled with the way go get silently adds things to your $PATH. A malicious package could do quite a lot of damage and/or go undetected for a long time.

For reference, the Go docs have $GOPATH/bin at the end of $PATH: https://tip.golang.org/doc/code.html#GOPATH
stevegt added a commit to stevegt/goenv that referenced this issue Oct 8, 2019
@stevegt
move $GOPATH/bin to end of $PATH
b7872e7 
Closes go-nv#99.
stevegt added a commit to stevegt/goenv that referenced this issue Oct 8, 2019
@stevegt
move $GOPATH/bin to end of $PATH
12d512c 
Closes go-nv#99.
@stevegt stevegt mentioned this issue Oct 8, 2019
Merged
@gagepost gagepost mentioned this issue Oct 10, 2019
Closed
@mattes
Copy link

mattes commented Apr 30, 2021
edited
Loading

goenv init - will set export PATH="$GOENV_ROOT/shims:$PATH" (shims at the beginning of path). Isn't that a problem, too?

@stevegt
Copy link
Contributor Author

stevegt commented Jun 11, 2021

I just noticed that myself recently, and I'm wondering if that's a recent change or if I somehow missed it when writing #100.

@stevegt stevegt mentioned this issue Sep 30, 2022
Closed
@stevegt
Copy link
Contributor Author

stevegt commented Sep 30, 2022

@mattes Wow, you nailed it and then I dropped it. Just now opened #247 regarding shims location in $PATH.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

move $GOPATH/bin to end of $PATH stevegt/goenv
2 participants
@stevegt @mattes