Security: GOFLAGS env bypasses toolexec check in gobuild.go #1620
Description
Summary
The toolexec security check at pkg/build/gobuild.go:925-931 only inspects the flags/ldflags args slice. It does not inspect the build environment. The .ko.yaml env field passes environment variables directly to go build via buildEnv() at lines 570-571 with no filtering.
Setting GOFLAGS=-toolexec=/path/to/script in the env field bypasses the check because Go's toolchain reads GOFLAGS from the environment.
Additionally, -overlay and -modfile are not blocked in either path (args or env), enabling source file substitution during build.
Reproduce
.ko.yaml:
    builds:
    - env:
      - GOFLAGS=-toolexec=/tmp/test.sh

Where /tmp/test.sh is #!/bin/sh\nexec "$@". The script executes on every compiler/linker invocation during ko build.
Impact
A PR modifying .ko.yaml to add GOFLAGS=-toolexec=... in the env field can achieve code execution on CI runners, bypassing the existing toolexec mitigation.
Suggested fix
Filter GOFLAGS from the build environment in buildEnv(), or extend the args check to also inspect env entries for toolexec, overlay, and modfile.
cc @imjasonh @jonjohnsonjr -- I could not find a private disclosure channel for this project. Happy to discuss privately if preferred.
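One way to implement the second suggested fix, as an added example (not ko's code and not part of the original report). `checkBuildInputs`, `flagName` and `blockedFlags` are hypothetical names, and the sketch assumes GOFLAGS is a whitespace-separated list of `-flag` or `-flag=value` tokens, as the go command documents it:

```go
package main

import (
	"fmt"
	"strings"
)

// Flags the report names as dangerous when they come from build config.
var blockedFlags = map[string]bool{"toolexec": true, "overlay": true, "modfile": true}

// flagName maps "-toolexec=x" or "--toolexec" to "toolexec"; "" if not a flag.
func flagName(tok string) string {
	if !strings.HasPrefix(tok, "-") {
		return ""
	}
	name := strings.TrimLeft(tok, "-")
	if i := strings.IndexByte(name, '='); i >= 0 {
		name = name[:i]
	}
	return name
}

// checkBuildInputs (hypothetical helper) rejects blocked flags whether they
// arrive in the args slice or inside any GOFLAGS entry of the env slice.
func checkBuildInputs(args, env []string) error {
	for _, a := range args {
		if blockedFlags[flagName(a)] {
			return fmt.Errorf("flag %q is not allowed in build args", a)
		}
	}
	for _, kv := range env {
		key, val, ok := strings.Cut(kv, "=")
		if !ok || !strings.EqualFold(key, "GOFLAGS") {
			continue
		}
		for _, tok := range strings.Fields(val) {
			if blockedFlags[flagName(tok)] {
				return fmt.Errorf("flag %q is not allowed in GOFLAGS", tok)
			}
		}
	}
	return nil
}

func main() {
	// Constructed input mirroring the .ko.yaml env entry from the report.
	env := []string{"CGO_ENABLED=0", "GOFLAGS=-trimpath -toolexec=/tmp/test.sh"}
	fmt.Println(checkBuildInputs([]string{"-trimpath"}, env))
}
```

Every GOFLAGS entry in the slice is checked, not only the first, so a duplicate key later in the env list cannot carry a blocked flag past the check.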