Merged PR 585167: [Security] Enumerate the PATH environment variable to locate programs on Windows

Enumerate the PATH environment variable to manually locate executables/programs rather than shell out to where.exe on Windows locate these for us. The where.exe utility first checks the current working directory before the PATH for the executable, which we do not want for various security reasons.

The which utility on UNIX/POSIX systems does _NOT_ include the current working directory in the search; only the PATH, which is exactly what we want - leave this in place on those platforms.

Additionally for locating `git(.exe)` we first check in the `GIT_EXEC_PATH` directory for the executable, if that environment variable was set.

Author: mjcheetham

src/shared/Microsoft.Git.CredentialManager.Tests/EnvironmentTests.cs

@@ -0,0 +1,71 @@
+using System.Collections.Generic;
+using Microsoft.Git.CredentialManager.Interop.Windows;
+using Microsoft.Git.CredentialManager.Tests.Objects;
+using Xunit;
+
+namespace Microsoft.Git.CredentialManager.Tests
+{
+    public class EnvironmentTests
+    {
+        [PlatformFact(Platforms.Windows)]
+        public void WindowsEnvironment_TryLocateExecutable_NotExists_ReturnFalse()
+        {
+            string pathVar = @"C:\Users\john.doe\bin;C:\Windows\system32;C:\Windows";
+            string execName = "foo.exe";
+            var fs = new TestFileSystem();
+            var envars = new Dictionary<string, string> {["PATH"] = pathVar};
+            var env = new WindowsEnvironment(fs, envars);
+
+            bool actualResult = env.TryLocateExecutable(execName, out string actualPath);
+
+            Assert.False(actualResult);
+            Assert.Null(actualPath);
+        }
+
+        [PlatformFact(Platforms.Windows)]
+        public void WindowsEnvironment_TryLocateExecutable_Windows_Exists_ReturnTrueAndPath()
+        {
+            string pathVar = @"C:\Users\john.doe\bin;C:\Windows\system32;C:\Windows";
+            string execName = "foo.exe";
+            string expectedPath = @"C:\Windows\system32\foo.exe";
+            var fs = new TestFileSystem
+            {
+                Files = new Dictionary<string, byte[]>
+                {
+                    [@"C:\Windows\system32\foo.exe"] = new byte[0],
+                }
+            };
+            var envars = new Dictionary<string, string> {["PATH"] = pathVar};
+            var env = new WindowsEnvironment(fs, envars);
+
+            bool actualResult = env.TryLocateExecutable(execName, out string actualPath);
+
+            Assert.True(actualResult);
+            Assert.Equal(expectedPath, actualPath);
+        }
+
+        [PlatformFact(Platforms.Windows)]
+        public void WindowsEnvironment_TryLocateExecutable_Windows_ExistsMultiple_ReturnTrueAndFirstPath()
+        {
+            string pathVar = @"C:\Users\john.doe\bin;C:\Windows\system32;C:\Windows";
+            string execName = "foo.exe";
+            string expectedPath = @"C:\Users\john.doe\bin\foo.exe";
+            var fs = new TestFileSystem
+            {
+                Files = new Dictionary<string, byte[]>
+                {
+                    [@"C:\Users\john.doe\bin\foo.exe"] = new byte[0],
+                    [@"C:\Windows\system32\foo.exe"] = new byte[0],
+                    [@"C:\Windows\foo.exe"] = new byte[0],
+                }
+            };
+            var envars = new Dictionary<string, string> {["PATH"] = pathVar};
+            var env = new WindowsEnvironment(fs, envars);
+
+            bool actualResult = env.TryLocateExecutable(execName, out string actualPath);
+
+            Assert.True(actualResult);
+            Assert.Equal(expectedPath, actualPath);
+        }
+    }
+}

src/shared/Microsoft.Git.CredentialManager/CommandContext.cs

@@ -1,6 +1,7 @@
 // Copyright (c) Microsoft Corporation. All rights reserved.
 // Licensed under the MIT license.
 using System;
+using System.IO;
 using Microsoft.Git.CredentialManager.Interop.Linux;
 using Microsoft.Git.CredentialManager.Interop.MacOS;
 using Microsoft.Git.CredentialManager.Interop.Posix;
@@ -86,9 +87,10 @@ public CommandContext()
                 SystemPrompts     = new WindowsSystemPrompts();
                 Environment       = new WindowsEnvironment(FileSystem);
                 Terminal          = new WindowsTerminal(Trace);
+                string gitPath    = GetGitPath(Environment, FileSystem);
                 Git               = new GitProcess(
                                             Trace,
-                                            Environment.LocateExecutable("git.exe"),
+                                            gitPath,
                                             FileSystem.GetCurrentDirectory()
                                         );
                 Settings          = new Settings(Environment, Git);
@@ -101,9 +103,10 @@ public CommandContext()
                 SystemPrompts     = new MacOSSystemPrompts();
                 Environment       = new PosixEnvironment(FileSystem);
                 Terminal          = new PosixTerminal(Trace);
+                string gitPath    = GetGitPath(Environment, FileSystem);
                 Git               = new GitProcess(
                                             Trace,
-                                            Environment.LocateExecutable("git"),
+                                            gitPath,
                                             FileSystem.GetCurrentDirectory()
                                         );
                 Settings          = new Settings(Environment, Git);
@@ -117,9 +120,10 @@ public CommandContext()
                 SystemPrompts     = new LinuxSystemPrompts();
                 Environment       = new PosixEnvironment(FileSystem);
                 Terminal          = new PosixTerminal(Trace);
+                string gitPath    = GetGitPath(Environment, FileSystem);
                 Git               = new GitProcess(
                                             Trace,
-                                            Environment.LocateExecutable("git"),
+                                            gitPath,
                                             FileSystem.GetCurrentDirectory()
                                         );
                 Settings          = new Settings(Environment, Git);
@@ -140,6 +144,25 @@ public CommandContext()
             SystemPrompts.ParentWindowId = Settings.ParentWindowId;
         }
 
+        private static string GetGitPath(IEnvironment environment, IFileSystem fileSystem)
+        {
+            string programName = PlatformUtils.IsWindows() ? "git.exe" : "git";
+
+            // Use the GIT_EXEC_PATH environment variable if set
+            if (environment.Variables.TryGetValue(Constants.EnvironmentVariables.GitExecutablePath,
+                out string gitExecPath))
+            {
+                string candidatePath = Path.Combine(gitExecPath, programName);
+                if (fileSystem.FileExists(candidatePath))
+                {
+                    return candidatePath;
+                }
+            }
+
+            // Otherwise try to locate the git(.exe) on the current PATH
+            return environment.LocateExecutable(programName);
+        }
+
         #region ICommandContext
 
         public ISettings Settings { get; }

src/shared/Microsoft.Git.CredentialManager/Constants.cs

@@ -56,6 +56,7 @@ public static class EnvironmentVariables
             public const string GcmCredNamespace      = "GCM_NAMESPACE";
             public const string GcmCredentialStore    = "GCM_CREDENTIAL_STORE";
             public const string GcmPlaintextStorePath = "GCM_PLAINTEXT_STORE_PATH";
+            public const string GitExecutablePath     = "GIT_EXEC_PATH";
         }
 
         public static class Http

src/shared/Microsoft.Git.CredentialManager/EnvironmentBase.cs

@@ -2,6 +2,7 @@
 // Licensed under the MIT license.
 using System;
 using System.Collections.Generic;
+using System.IO;
 using System.Linq;
 
 namespace Microsoft.Git.CredentialManager

src/shared/Microsoft.Git.CredentialManager/InternalsVisibleTo.cs

@@ -0,0 +1,4 @@
+using System.Runtime.CompilerServices;
+
+[assembly: InternalsVisibleTo("Microsoft.Git.CredentialManager.Tests")]
+

src/shared/Microsoft.Git.CredentialManager/Interop/Posix/PosixEnvironment.cs

@@ -33,6 +33,8 @@ protected override string[] SplitPathVariable(string value)
 
         public override bool TryLocateExecutable(string program, out string path)
         {
+            // The "which" utility scans over the PATH and does not include the current working directory
+            // (unlike the equivalent "where.exe" on Windows), which is exactly what we want. Let's use it.
             const string whichPath = "/usr/bin/which";
             var psi = new ProcessStartInfo(whichPath, program)
             {

src/shared/Microsoft.Git.CredentialManager/Interop/Windows/WindowsEnvironment.cs

@@ -11,9 +11,14 @@ namespace Microsoft.Git.CredentialManager.Interop.Windows
 {
     public class WindowsEnvironment : EnvironmentBase
     {
-        public WindowsEnvironment(IFileSystem fileSystem) : base(fileSystem)
+        public WindowsEnvironment(IFileSystem fileSystem)
+            : this(fileSystem, GetCurrentVariables()) { }
+
+        internal WindowsEnvironment(IFileSystem fileSystem, IReadOnlyDictionary<string, string> variables)
+            : base(fileSystem)
         {
-            Variables = GetCurrentVariables();
+            EnsureArgument.NotNull(variables, nameof(variables));
+            Variables = variables;
         }
 
         #region EnvironmentBase
@@ -67,34 +72,24 @@ public override void RemoveDirectoryFromPath(string directoryPath, EnvironmentVa
 
         public override bool TryLocateExecutable(string program, out string path)
         {
-            string wherePath = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.System), "where.exe");
-            var psi = new ProcessStartInfo(wherePath, program)
-            {
-                UseShellExecute = false,
-                RedirectStandardOutput = true
-            };
-
-            using (var where = new Process {StartInfo = psi})
+            // Don't use "where.exe" on Windows as this includes the current working directory
+            // and we don't want to enumerate this location; only the PATH.
+            if (Variables.TryGetValue("PATH", out string pathValue))
             {
-                where.Start();
-                where.WaitForExit();
-
-                switch (where.ExitCode)
+                string[] paths = SplitPathVariable(pathValue);
+                foreach (var basePath in paths)
                 {
-                    case 0: // found
-                        string stdout = where.StandardOutput.ReadToEnd();
-                        string[] results = stdout.Split(new[] {'\r', '\n'}, StringSplitOptions.RemoveEmptyEntries);
-                        path = results.First();
+                    string candidatePath = Path.Combine(basePath, program);
+                    if (FileSystem.FileExists(candidatePath))
+                    {
+                        path = candidatePath;
                         return true;
-
-                    case 1: // not found
-                        path = null;
-                        return false;
-
-                    default:
-                        throw new Exception($"Unknown error locating '{program}' using where.exe. Exit code: {where.ExitCode}.");
+                    }
                 }
             }
+
+            path = null;
+            return false;
         }
 
         #endregion

src/shared/TestInfrastructure/Objects/TestCommandContext.cs

@@ -20,7 +20,7 @@ public TestCommandContext()
             CredentialStore = new TestCredentialStore();
             HttpClientFactory = new TestHttpClientFactory();
             Git = new TestGit();
-            Environment = new TestEnvironment();
+            Environment = new TestEnvironment(FileSystem);
             SystemPrompts = new TestSystemPrompts();
 
             Settings = new TestSettings {Environment = Environment, GitConfiguration = Git.GlobalConfiguration};

src/shared/TestInfrastructure/Objects/TestEnvironment.cs

@@ -9,12 +9,15 @@ namespace Microsoft.Git.CredentialManager.Tests.Objects
 {
     public class TestEnvironment : IEnvironment
     {
+        private readonly IFileSystem _fileSystem;
         private readonly IEqualityComparer<string> _pathComparer;
         private readonly IEqualityComparer<string> _envarComparer;
         private readonly string _envPathSeparator;
 
-        public TestEnvironment(string envPathSeparator = null, IEqualityComparer<string> pathComparer = null, IEqualityComparer<string> envarComparer = null)
+        public TestEnvironment(IFileSystem fileSystem = null, string envPathSeparator = null, IEqualityComparer<string> pathComparer = null, IEqualityComparer<string> envarComparer = null)
         {
+            _fileSystem = fileSystem ?? new TestFileSystem();
+
             // Use the current platform separators and comparison types by default
             _envPathSeparator = envPathSeparator ?? (PlatformUtils.IsWindows() ? ";" : ":");
 
@@ -28,16 +31,12 @@ public TestEnvironment(string envPathSeparator = null, IEqualityComparer<string>
                                 ? StringComparer.Ordinal
                                 : StringComparer.OrdinalIgnoreCase);
 
-            _envPathSeparator = envPathSeparator;
             Variables = new Dictionary<string, string>(_envarComparer);
-            WhichFiles = new Dictionary<string, ICollection<string>>(_pathComparer);
             Symlinks = new Dictionary<string, string>(_pathComparer);
         }
 
         public IDictionary<string, string> Variables { get; set; }
 
-        public IDictionary<string, ICollection<string>> WhichFiles { get; set; }
-
         public IDictionary<string, string> Symlinks { get; set; }
 
         public IList<string> Path
@@ -82,18 +81,18 @@ public void RemoveDirectoryFromPath(string directoryPath, EnvironmentVariableTar
 
         public bool TryLocateExecutable(string program, out string path)
         {
-            if (WhichFiles.TryGetValue(program, out ICollection<string> paths))
+            if (Variables.TryGetValue("PATH", out string pathValue))
             {
-                path = paths.First();
-                return true;
-            }
-
-            if (!System.IO.Path.HasExtension(program) && PlatformUtils.IsWindows())
-            {
-                // If we're testing on a Windows platform, don't have a file extension, and were unable to locate
-                // the executable file.. try appending .exe.
-                path = WhichFiles.TryGetValue($"{program}.exe", out paths) ? paths.First() : null;
-                return !(path is null);
+                string[] paths = pathValue.Split(new[]{_envPathSeparator}, StringSplitOptions.None);
+                foreach (var basePath in paths)
+                {
+                    string candidatePath = System.IO.Path.Combine(basePath, program);
+                    if (_fileSystem.FileExists(candidatePath))
+                    {
+                        path = candidatePath;
+                        return true;
+                    }
+                }
             }
 
             path = null;