feat: orchestrion pin
can track enabled integrations
#376
Conversation
} | ||
|
||
func runGoMod(command string, modfile string, stdout io.Writer, args ...string) error { | ||
cmd := exec.Command("go", "mod", command, "-modfile", modfile) |
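Review bot: `exec.Command("go", "mod", command, "-modfile", modfile)` hands `command` to the `go` binary as its own argv entry with no shell in between, so the analyzer's shell-injection warning does not apply as written; the real exposure is that a free-form `command string` lets any caller pick which `go mod` subcommand runs. Restrict it to the subcommands this package actually needs, for example by checking it against a small allow-list (or taking a typed constant instead of a `string`) before building the command, and return an error for anything else. Two further points on this hunk: the visible line does not show `args` being appended to the argv or `stdout` being attached to the command, so confirm both happen further down, and note that `"go"` is resolved from PATH at call time; if the tool ever runs with a caller-controlled environment, resolve the binary once with `exec.LookPath` and pass the result.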
🟠 Code Vulnerability
Check command call and ensure there is no unsanitized data used. The variable `command` may need to be validated.
In Go, the `exec.Command` function is used to run external commands. Using this function carelessly can lead to command injection vulnerabilities.
Command injection occurs when untrusted input is passed directly to a system shell, allowing an attacker to execute arbitrary commands. This can result in unauthorized access to the system, data leaks, or other security breaches.
To prevent command injection vulnerabilities when using `exec.Command` in Go, follow these coding best practices:
- Sanitize User Input: Always validate and sanitize user inputs before passing them to `exec.Command`. Avoid executing commands constructed using user-provided data.
- Avoid using Shell Expansion: If possible, pass the command and arguments as separate strings to `exec.Command`. This prevents the shell from interpreting special characters in a potentially malicious way.
- Use Absolute Paths: When specifying the command to be executed, use absolute paths for executables whenever possible. This reduces the risk of inadvertently running a similarly named malicious command from the system's PATH.
- Avoid String Concatenation: Refrain from dynamically constructing commands by concatenating strings. Instead, use the `arg ...string` parameter of `exec.Command` to pass arguments safely.
- Limit Privileges: Run commands with the least privilege required to carry out the task. Avoid running commands with elevated privileges unnecessarily.
By following these practices, you can reduce the risk of command injection vulnerabilities when using `exec.Command` in Go and enhance the security of your application.
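As an added example, not code from the orchestrion project or from the analyzer's comment above, the following Go program applies those practices to a helper with the same shape as the `runGoMod` under review: the `go mod` subcommand is checked against an allow-list before anything is executed, the `go` binary is resolved once with `exec.LookPath`, and every argument is its own argv entry, so shell metacharacters in a caller-supplied value reach the `go` tool as literal text. The allow-list contents, the `buildGoModArgs` and `vulnerableCommandLine` helpers and the sample `go.mod` are assumptions introduced for illustration; `main` additionally assumes a Go toolchain on PATH and that the subcommand accepts `-modfile`.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"os"
	"os/exec"
	"path/filepath"
)

// allowedSubcommands is the allow-list a caller-supplied `go mod` subcommand
// must pass. Assumption for this example: the tool only ever needs these four.
var allowedSubcommands = map[string]bool{
	"edit":     true,
	"tidy":     true,
	"download": true,
	"vendor":   true,
}

// ErrSubcommandNotAllowed is returned for anything outside allowedSubcommands.
var ErrSubcommandNotAllowed = errors.New("go mod: subcommand not allowed")

// vulnerableCommandLine is the anti-pattern the analyzer describes: one string
// built by concatenation and handed to a shell. With modfile = "go.mod; id",
// sh would run `id` as a second command after `go mod`.
func vulnerableCommandLine(subcommand, modfile string) string {
	return "sh -c 'go mod " + subcommand + " -modfile " + modfile + "'"
}

// buildGoModArgs validates the subcommand and returns the argv that will be
// handed to exec.Command. Each element is a separate argv entry and no shell is
// involved, so a modfile value of "go.mod; id" is passed literally to `go`,
// which then merely fails to open a file of that name.
func buildGoModArgs(subcommand, modfile string, extra ...string) ([]string, error) {
	if !allowedSubcommands[subcommand] {
		return nil, fmt.Errorf("%w: %q", ErrSubcommandNotAllowed, subcommand)
	}
	argv := []string{"mod", subcommand, "-modfile", modfile}
	return append(argv, extra...), nil
}

// runGoMod is the hardened shape of the helper: validated argv, an explicitly
// resolved binary, and the caller's writer attached to stdout.
func runGoMod(subcommand, modfile string, stdout io.Writer, extra ...string) error {
	argv, err := buildGoModArgs(subcommand, modfile, extra...)
	if err != nil {
		return err
	}
	goBin, err := exec.LookPath("go") // resolve once; fail loudly if absent
	if err != nil {
		return err
	}
	cmd := exec.Command(goBin, argv...)
	cmd.Stdout = stdout
	cmd.Stderr = os.Stderr
	return cmd.Run()
}

func main() {
	dir, err := os.MkdirTemp("", "gomod-example")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)

	// Constructed minimal module file for the demonstration.
	modfile := filepath.Join(dir, "go.mod")
	if err := os.WriteFile(modfile, []byte("module example.com/demo\n\ngo 1.21\n"), 0o644); err != nil {
		panic(err)
	}

	var out bytes.Buffer
	if err := runGoMod("edit", modfile, &out, "-json"); err != nil {
		fmt.Println("go mod edit failed:", err)
	}
	fmt.Print(out.String())

	// A hostile subcommand is rejected before any process is started.
	err = runGoMod("tidy; id", modfile, &out)
	fmt.Println("rejected:", err)
	fmt.Println("shell-string version would have run:", vulnerableCommandLine("tidy", "go.mod; id"))
}
```

The allow-list, not escaping, is what carries the security argument: once `subcommand` can only be one of a few known words and every other value is a discrete argv entry, there is nothing left for a shell to interpret, and the remaining risk is confined to what the `go` tool itself does with a strange file path.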
…EC-55160/enhance-pin # Conflicts: # samples/go.mod # samples/go.sum
…EC-55160/enhance-pin # Conflicts: # internal/pin/pin.go
7ed5c27 to 058d70a
Signed-off-by: Eliott Bouhana <[email protected]>
&cli.StringFlag{ | ||
Category: "Advanced", | ||
Name: "C", | ||
Usage: "Change to the specified directory before proceeding with the rest of the command.", | ||
Hidden: true, // Users don't normally need to use this. | ||
Action: func(_ *cli.Context, dir string) error { | ||
return os.Chdir(dir) | ||
}, | ||
}, |
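Review bot: calling `os.Chdir(dir)` from the flag's `Action` changes the working directory of the whole process at flag-parse time, so whether path-valued flags and positional arguments given alongside `-C` are resolved against the old or the new directory depends on the order in which the cli library runs the Actions. State that contract in `Usage` (for example, "relative paths in other arguments are resolved after the change of directory") and make sure `-C` is applied before any other flag that opens a file, or apply it explicitly at the start of the command instead of inside the flag. The error from `os.Chdir` is correctly propagated; since the flag is `Hidden`, it will not show up in `--help`, so the comment on why it exists is worth keeping.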
Fix #161 ?
I'm not sure that bug still reproduces today (before this change).
Codecov Report
Attention: Patch coverage is
Additional details and impacted files

@@ Coverage Diff @@
##             main     #376      +/-   ##
==========================================
+ Coverage   60.28%   60.81%   +0.52%
==========================================
  Files         166      174       +8
  Lines       11973    12302     +329
==========================================
+ Hits         7218     7481     +263
- Misses       4280     4340      +60
- Partials      475      481       +6
Initial changes to how `orchestrion pin` works to support incremental edits to the file. This is in preparation for moving the aspects/integration definitions from orchestrion itself to the tracer library.