security: reject -toolexec in GOFLAGS environment variable

[mohammadmseet-hue]

Summary

The existing -toolexec blocklist in createBuildArgs() only inspects the args slice (flags/ldflags from .ko.yaml). However, a malicious .ko.yaml can set GOFLAGS=-toolexec=<cmd> in the env or defaultEnv field, which flows through buildEnv() to cmd.Env without any -toolexec check.

This allows arbitrary command execution during go build, bypassing the security control.

Changes

• Added -toolexec detection in buildEnv() for GOFLAGS environment variables
• Added 5 test cases covering the new validation (positive and negative)

Reproduction

# .ko.yaml
defaultEnv:
  - "GOFLAGS=-toolexec=id"

Running ko build with this config executes id as the toolexec program.

Test results

--- PASS: TestBuildEnvRejectsToolexecInGOFLAGS (0.00s)
    --- PASS: GOFLAGS_with_-toolexec_should_be_rejected (0.00s)
    --- PASS: GOFLAGS_with_--toolexec_should_be_rejected (0.00s)
    --- PASS: GOFLAGS_with_-toolexec_and_other_flags_should_be_rejected (0.00s)
    --- PASS: GOFLAGS_without_toolexec_should_be_allowed (0.00s)
    --- PASS: non-GOFLAGS_env_vars_should_be_allowed (0.00s)

[Copilot]

Pull request overview

This PR closes a security bypass where -toolexec could be injected via GOFLAGS set in .ko.yaml (env / defaultEnv) and reach go build without being blocked.

Changes:

• Added validation in buildEnv() to reject GOFLAGS values that include -toolexec / --toolexec.
• Added new unit tests covering acceptance/rejection of GOFLAGS values.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File	Description
pkg/build/gobuild.go	Adds GOFLAGS scanning in buildEnv() to block -toolexec via environment variables.
pkg/build/gobuild_test.go	Adds table-driven tests for the new GOFLAGS validation behavior.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[mohammadmseet-hue]

Nice