On Linux, using the std::process::Command API resolves commands using the $PATH environment variable. This represents a security decision, as by default only protected locations are included in this search path (/usr/bin, etc). It is possible for a user to change this behaviour and include additional search paths.
On Windows, at least with the current implementation, this security safeguard is overridden. Instead of only searching for the executable in PATH, the implementation looks for the binaries in the current path of the process first. This allows an attacker to hijack a Rust tool by placing a suitably named executable in the current working directory of a program that uses this API.
This has led to CVE-2021-3013 (see cli: fix arbitrary execution of program bug · BurntSushi/ripgrep@229d1a8 · GitHub for the fix). In the fixing commit, basically the logic that UNIX (well, bash) uses to locate the binary is replicated, by parsing the PATH environment variable and looking for suitable matches in the directories, see the
Should some method be added to std::process::Command that resolves the name of an executable to an absolute path in a safe way by parsing the PATH environment variable, in order to offer a simple way for code to be safe on Windows as well? Having some way to circumvent Windows' defaults here and having this in the documentation will probably help everyone in writing safer, cross-platform code. Or maybe there is already something that does this and I was just not able to locate it?