runtime: nash look for paths is unsafe

[i4ki]

Nash is using os/exec.LookPath of Go to look for paths of commands, but this implementation interprets "" (empty path) as "." in the variable $PATH and this could lead to unexpected behaviours and/or malicious code execution.

Better to create our own LookPath implementation being explicit about path names (ignoring empty paths on it).

[katcipis]

Would it not be easier to just remove any "" before calling LookPath ? I agree with removing this oddity x_x

[i4ki]

There's more oddities that I just found... The LookPath implementation for windows uses the "." implicitly also (but there's no way to avoid in this case). This is weird and make nash works differently across operating systems.
When I saw os/exec.LookPath in godoc for the first time I thought it had the same semantics in all OS.. but no.

https://github.com/golang/go/blob/master/src/os/exec/lp_windows.go#L83
https://golang.org/pkg/os/exec/#LookPath

[katcipis]

@tiago4orion well, given these last facts I agree with not using LookPath 👍