From a679ee785ad19f2c206965ada8856b1e56a787da Mon Sep 17 00:00:00 2001 From: Felix Fontein Date: Fri, 17 Apr 2026 19:25:43 +0200 Subject: [PATCH 1/2] Improve error handling. Signed-off-by: Felix Fontein --- cmd/sops/subcommand/exec/exec.go | 24 +++++++++++++++--------- cmd/sops/subcommand/exec/exec_unix.go | 6 +++--- cmd/sops/subcommand/exec/exec_windows.go | 6 +++--- 3 files changed, 21 insertions(+), 15 deletions(-) diff --git a/cmd/sops/subcommand/exec/exec.go b/cmd/sops/subcommand/exec/exec.go index 3ac7cfd63..18d08c495 100644 --- a/cmd/sops/subcommand/exec/exec.go +++ b/cmd/sops/subcommand/exec/exec.go @@ -35,25 +35,25 @@ type ExecOpts struct { Env []string } -func GetFile(dir, filename string) *os.File { +func GetFile(dir, filename string) (*os.File, error) { // If no filename is provided, create a random one based on FallbackFilename if filename == "" { handle, err := os.CreateTemp(dir, FallbackFilename) if err != nil { - log.Fatal(err) + return nil, err } - return handle + return handle, nil } // If a filename is provided, use that one handle, err := os.Create(filepath.Join(dir, filename)) if err != nil { - log.Fatal(err) + return nil, err } // read+write for owner only if err = handle.Chmod(0600); err != nil { - log.Fatal(err) + return nil, err } - return handle + return handle, nil } func ExecWithFile(opts ExecOpts) error { @@ -68,7 +68,7 @@ func ExecWithFile(opts ExecOpts) error { dir, err := os.MkdirTemp("", ".sops") if err != nil { - log.Fatal(err) + return err } defer os.RemoveAll(dir) @@ -80,12 +80,18 @@ func ExecWithFile(opts ExecOpts) error { if filename == "" { filename = FallbackFilename } - filename = GetPipe(dir, filename) + filename, err = GetPipe(dir, filename) + if err != nil { + return err + } go WritePipe(filename, opts.Plaintext) } else { // GetFile handles opts.Filename == "" specially, that's why we have // to pass in opts.Filename without handling the fallback here - handle := GetFile(dir, opts.Filename) + handle, err := GetFile(dir, opts.Filename) + if err != nil { + return err + } handle.Write(opts.Plaintext) handle.Close() filename = handle.Name() diff --git a/cmd/sops/subcommand/exec/exec_unix.go b/cmd/sops/subcommand/exec/exec_unix.go index e8ea7729e..f36d6326a 100644 --- a/cmd/sops/subcommand/exec/exec_unix.go +++ b/cmd/sops/subcommand/exec/exec_unix.go @@ -32,14 +32,14 @@ func WritePipe(pipe string, contents []byte) { handle.Close() } -func GetPipe(dir, filename string) string { +func GetPipe(dir, filename string) (string, error) { tmpfn := filepath.Join(dir, filename) err := syscall.Mkfifo(tmpfn, 0600) if err != nil { - log.Fatal(err) + return "", err } - return tmpfn + return tmpfn, nil } func SwitchUser(username string) { diff --git a/cmd/sops/subcommand/exec/exec_windows.go b/cmd/sops/subcommand/exec/exec_windows.go index a510f2826..c4870ba62 100644 --- a/cmd/sops/subcommand/exec/exec_windows.go +++ b/cmd/sops/subcommand/exec/exec_windows.go @@ -1,6 +1,7 @@ package exec import ( + "fmt" "os/exec" ) @@ -17,9 +18,8 @@ func WritePipe(pipe string, contents []byte) { log.Fatal("fifos are not available on windows") } -func GetPipe(dir, filename string) string { - log.Fatal("fifos are not available on windows") - return "" +func GetPipe(dir, filename string) (string, error) { + return "", fmt.Errorf("fifos are not available on windows") } func SwitchUser(username string) { From 7c41164eba235d25f8c069b1f1b3b92d11d3297f Mon Sep 17 00:00:00 2001 From: Felix Fontein Date: Fri, 17 Apr 2026 19:25:50 +0200 Subject: [PATCH 2/2] Reject non-local paths. Signed-off-by: Felix Fontein --- cmd/sops/subcommand/exec/exec.go | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/cmd/sops/subcommand/exec/exec.go b/cmd/sops/subcommand/exec/exec.go index 18d08c495..35f519c3c 100644 --- a/cmd/sops/subcommand/exec/exec.go +++ b/cmd/sops/subcommand/exec/exec.go @@ -72,6 +72,12 @@ func ExecWithFile(opts ExecOpts) error { } defer os.RemoveAll(dir) + if opts.Filename != "" { + if filepath.IsAbs(opts.Filename) || !filepath.IsLocal(opts.Filename) { + return fmt.Errorf("The provided filename is not a local path.") + } + } + var filename string if opts.Fifo { // fifo handling needs to be async, even opening to write