[release-branch.go1.21] cmd/go: reject toolchain directives containing path separators

If GOTOOLCHAIN="path" or "auto", the go command uses exec.LookPath to search for it in order to allow toolchains to refer to local-only toolchain variants (such as toolchains built from enterprise- or distro-patched source). However, those toolchains should only be resolved from $PATH, not relative to the working directory of the command. Thanks to Juho Nurminen of Mattermost for reporting this issue. Fixes #62198. Fixes #62394. Fixes CVE-2023-39320. Change-Id: I247c7acea95d737362dd0475e9fc8515430d0fcc Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/1996318 Run-TryBot: Roland Shoemaker <bracewell@google.com> Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Roland Shoemaker <bracewell@google.com> (cherry picked from commit e41c0a55d45e9a9acbc5d7c1143ea4fff8fb9283) Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/2014013 Reviewed-by: Bryan Mills <bcmills@google.com> Reviewed-by: Tatiana Bradley <tatianabradley@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/526095 Reviewed-by: Dmitri Shuralyov <dmitshur@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Run-TryBot: Cherry Mui <cherryyz@google.com>
2023-08-17 17:12:44 -04:00 · 2023-08-17 17:12:44 -04:00 · d25a935574
parent e3ba569c78
commit d25a935574
2 changed files with 39 additions and 0 deletions
--- a/src/cmd/go/internal/gover/toolchain.go
+++ b/src/cmd/go/internal/gover/toolchain.go
@ -22,6 +22,13 @@ import (
 //	FromToolchain("go1.2.3-bigcorp") == "1.2.3"
 //	FromToolchain("invalid") == ""
 func FromToolchain(name string) string {
+	if strings.ContainsAny(name, "\\/") {
+		// The suffix must not include a path separator, since that would cause
+		// exec.LookPath to resolve it from a relative directory instead of from
+		// $PATH.
+		return ""
+	}
+
 	var v string
 	if strings.HasPrefix(name, "go") {
 		v = name[2:]
--- a/src/cmd/go/testdata/script/mod_toolchain_slash.txt
+++ b/src/cmd/go/testdata/script/mod_toolchain_slash.txt
@ -0,0 +1,32 @@
+[!exec:/bin/sh] skip
+
+chmod 0777 go1.999999-/run.sh
+chmod 0777 run.sh
+
+! go list all
+! stdout 'RAN SCRIPT'
+
+cd subdir
+! go list all
+! stdout 'RAN SCRIPT'
+
+-- go.mod --
+module exploit
+
+go 1.21
+toolchain go1.999999-/run.sh
+-- go1.999999-/run.sh --
+#!/bin/sh
+printf 'RAN SCRIPT\n'
+exit 1
+-- run.sh --
+#!/bin/sh
+printf 'RAN SCRIPT\n'
+exit 1
+-- subdir/go.mod --
+module exploit
+
+go 1.21
+toolchain go1.999999-/../../run.sh
+-- subdir/go1.999999-/README.txt --
+heh heh heh