commit a13ff50017 simplified the handling of
env-vars in getPassDir(), but moved interpolation of env-vars to the end
of the function.
As a result, a custom path passed through `$PASSWORD_STORE_DIR` would now
be interpolated, instead of taken as-is. For example:

    PASSWORD_STORE_DIR=$PWD/world

would now interpolate `$PWD`, instead of using a literal `$PWD`.

This patch changes the logic to only expand env-vars for the default location.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
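
The regression and the fix described in the commit message above, as an added example that is not the project's own code. The function names `passDirExpandLast` and `passDirFixed` are hypothetical, and `$HOME/.password-store` is assumed as the default location.

```go
package main

import (
	"fmt"
	"os"
)

// defaultPassDir is the assumed default store location; it is the only
// value that is meant to contain an env-var reference.
const defaultPassDir = "$HOME/.password-store"

// passDirExpandLast models the regressed behaviour: expansion happens at
// the end of the function, so it also rewrites a user-supplied path.
func passDirExpandLast() string {
	dir := defaultPassDir
	if v := os.Getenv("PASSWORD_STORE_DIR"); v != "" {
		dir = v
	}
	return os.ExpandEnv(dir)
}

// passDirFixed expands env-vars for the default location only; a custom
// PASSWORD_STORE_DIR is returned exactly as the user set it.
func passDirFixed() string {
	if v := os.Getenv("PASSWORD_STORE_DIR"); v != "" {
		return v
	}
	return os.ExpandEnv(defaultPassDir)
}

func main() {
	// Constructed input: a directory whose name literally starts with "$PWD".
	os.Setenv("PASSWORD_STORE_DIR", "$PWD/world")
	fmt.Println("expand last:", passDirExpandLast())
	fmt.Println("fixed:      ", passDirFixed())
	os.Unsetenv("PASSWORD_STORE_DIR")
	fmt.Println("default:    ", passDirFixed())
}
```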
- renamed the "key" variable, which was slightly confusing
- include the name of the binary in the error

Before this change:

    docker-credential-osxkeychain nosuchaction
    Unknown credential action `nosuchaction`

After this change:

    docker-credential-osxkeychain nosuchaction
    docker-credential-osxkeychain: unknown action: nosuchaction

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
GNU guidelines describe; https://www.gnu.org/prep/standards/html_node/_002d_002dversion.html#g_t_002d_002dversion

    The program’s name should be a constant string; don’t compute it from argv[0].
    The idea is to state the standard or canonical name for the program, not its
    file name.

Although the above recommendation is for `--version` output, it probably makes
sense to do the same for the "usage" output.

Before this change:

    /usr/local/bin/docker-credential-osxkeychain invalid command
    Usage: /usr/local/bin/docker-credential-osxkeychain <store|get|erase|list|version>

    /Applications/Docker.app/Contents/Resources/bin/docker-credential-osxkeychain invalid command
    Usage: /Applications/Docker.app/Contents/Resources/bin/docker-credential-osxkeychain <store|get|erase|list|version>

With this patch:

    /usr/local/bin/docker-credential-osxkeychain invalid command
    Usage: docker-credential-osxkeychain <store|get|erase|list|version>

    /Applications/Docker.app/Contents/Resources/bin/docker-credential-osxkeychain invalid command
    Usage: docker-credential-osxkeychain <store|get|erase|list|version>

Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
- Explicitly suppress some unhandled errors
- Use "pass" credentials helper in examples, which is available
  on more platforms than "secretservice" (only supported on Linux)
- Update domain and username in examples.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Don't set Env if not set; the default is already handled if it's nil; from
the documentation: https://pkg.go.dev/os/exec@go1.20.4#Cmd.Env

    // If Env is nil, the new process uses the current process's
    // environment.

Use `os/exec/Cmd.Environ()` instead of `os.Environ()`, which was added in
go1.19, and handles additional environment variables, such as `PWD` on POSIX
systems, and `SYSTEMROOT` on Windows. https://pkg.go.dev/os/exec@go1.20.4#Cmd.Environ
Also remove a redundant `fmt.Sprintf()`, as we're only concatenating strings.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
go1.20.4 (released 2023-05-02) includes three security fixes to the html/template
package, as well as bug fixes to the compiler, the runtime, and the crypto/subtle,
crypto/tls, net/http, and syscall packages. See the Go 1.20.4 milestone on our
issue tracker for details:
https://github.com/golang/go/issues?q=milestone%3AGo1.20.4+label%3ACherryPickApproved
release notes: https://go.dev/doc/devel/release#go1.20.4
full diff: https://github.com/golang/go/compare/go1.20.3...go1.20.4
from the announcement:
> These minor releases include 3 security fixes following the security policy:
>
> - html/template: improper sanitization of CSS values
>
> Angle brackets (`<>`) were not considered dangerous characters when inserted
> into CSS contexts. Templates containing multiple actions separated by a '/'
> character could result in unexpectedly closing the CSS context and allowing
> for injection of unexpected HTML, if executed with untrusted input.
>
> Thanks to Juho Nurminen of Mattermost for reporting this issue.
>
> This is CVE-2023-24539 and Go issue https://go.dev/issue/59720.
>
> - html/template: improper handling of JavaScript whitespace
>
> Not all valid JavaScript whitespace characters were considered to be
> whitespace. Templates containing whitespace characters outside of the character
> set "\t\n\f\r\u0020\u2028\u2029" in JavaScript contexts that also contain
> actions may not be properly sanitized during execution.
>
> Thanks to Juho Nurminen of Mattermost for reporting this issue.
>
> This is CVE-2023-24540 and Go issue https://go.dev/issue/59721.
>
> - html/template: improper handling of empty HTML attributes
>
> Templates containing actions in unquoted HTML attributes (e.g. "attr={{.}}")
> executed with empty input could result in output that would have unexpected
> results when parsed due to HTML normalization rules. This may allow injection
> of arbitrary attributes into tags.
>
> Thanks to Juho Nurminen of Mattermost for reporting this issue.
>
> This is CVE-2023-29400 and Go issue https://go.dev/issue/59722.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
Mostly for my own sanity; just about every repository we have
started to converge to using "tc" as variable name for this, so
updating this repository as well to help reduce cognitive load.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
full diff: https://github.com/danieljoos/wincred/compare/v1.1.2...v1.2.0
- Calling SyscallN directly when dealing with pointer-pointers to try to address
"Unexpected (nil, nil) result from wincred.GetGenericCredential".
- Bumped required Go version to 1.18.
- Bumped dependency to golang.org/x/sys to version 0.8.0.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
the "golang.org/x/sys/execabs" package was introduced to address a security
issue on Windows, and changing the default behavior of os/exec was considered
a breaking change. go1.19 applied the behavior that was previously implemented
in the execabs package;
from the release notes: https://go.dev/doc/go1.19#os-exec-path
> Command and LookPath no longer allow results from a PATH search to be found
> relative to the current directory. This removes a common source of security
> problems but may also break existing programs that depend on using, say,
> exec.Command("prog") to run a binary named prog (or, on Windows, prog.exe)
> in the current directory. See the os/exec package documentation for information
> about how best to update such programs.
>
> On Windows, Command and LookPath now respect the NoDefaultCurrentDirectoryInExePath
> environment variable, making it possible to disable the default implicit search
> of “.” in PATH lookups on Windows systems.
With those changes, we no longer need to use the execabs package, and we can
switch back to os/exec.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
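
The go1.19 `os/exec` behaviour quoted in the commit message above, as an added example that is not part of the commit or the project's code. The function `runFromCwd` and the file name `helper-demo` are hypothetical, and the demo assumes a POSIX system with default `GODEBUG` settings.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
)

// runFromCwd plants an executable called name in a fresh temp directory,
// makes that directory the working directory, sets PATH to "." only, and
// then runs name by bare name. It reports whether os/exec refused the
// lookup with exec.ErrDot. POSIX only (the planted file is a shell script).
func runFromCwd(name string) (bool, error) {
	dir, err := os.MkdirTemp("", "errdot-demo")
	if err != nil {
		return false, err
	}
	defer os.RemoveAll(dir)
	script := []byte("#!/bin/sh\nexit 0\n") // constructed stand-in for a helper binary
	if err := os.WriteFile(filepath.Join(dir, name), script, 0o755); err != nil {
		return false, err
	}
	oldWd, err := os.Getwd()
	if err != nil {
		return false, err
	}
	oldPath := os.Getenv("PATH")
	defer func() { os.Chdir(oldWd); os.Setenv("PATH", oldPath) }()
	if err := os.Chdir(dir); err != nil {
		return false, err
	}
	os.Setenv("PATH", ".")

	// go1.19+: the PATH search finds ./name, but Command records ErrDot in
	// cmd.Err and Run returns it without starting the process.
	runErr := exec.Command(name).Run()
	return errors.Is(runErr, exec.ErrDot), nil
}

func main() {
	rejected, err := runFromCwd("helper-demo")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("bare-name lookup in current directory rejected:", rejected)
}
```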
Linters 'deadcode', 'structcheck', 'varcheck' are deprecated
since v1.49.0 and had been replaced by 'unused'.
Signed-off-by: CrazyMax <crazy-max@users.noreply.github.com>