From 40e70a5010a4844b4c1030a31cebdd52b2e96589 Mon Sep 17 00:00:00 2001
From: Chris Waldon
Date: Thu, 9 Jan 2025 17:02:32 -0500
Subject: [PATCH] [Windows] harden system DLL loading

Technically loading system DLLs from relative paths with NewLazyDLL is vulnerable to DLL preloading attacks. See the warning on NewLazyDLL here [0]. [0] https://pkg.go.dev/golang.org/x/sys/windows?GOOS=windows#NewLazyDLL
---
 colorable_windows.go | 4 ++--
 go.mod | 5 ++++-
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/colorable_windows.go b/colorable_windows.go
index 76f4aa3..2df7b85 100644
--- a/colorable_windows.go
+++ b/colorable_windows.go
@@ -11,7 +11,7 @@ import (
 "strconv"
 "strings"
 "sync"
- "syscall"
+ syscall "golang.org/x/sys/windows"
 "unsafe"

 "github.com/mattn/go-isatty"
@@ -73,7 +73,7 @@ type consoleCursorInfo struct {
 }

 var (
- kernel32 = syscall.NewLazyDLL("kernel32.dll")
+ kernel32 = syscall.NewLazySystemDLL("kernel32.dll")
 procGetConsoleScreenBufferInfo = kernel32.NewProc("GetConsoleScreenBufferInfo")
 procSetConsoleTextAttribute = kernel32.NewProc("SetConsoleTextAttribute")
 procSetConsoleCursorPosition = kernel32.NewProc("SetConsoleCursorPosition")
diff --git a/go.mod b/go.mod
index 914c6b0..3421fb0 100644
--- a/go.mod
+++ b/go.mod
@@ -1,5 +1,8 @@
 module github.com/mattn/go-colorable

-require github.com/mattn/go-isatty v0.0.16
+require (
+ github.com/mattn/go-isatty v0.0.16
+ golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab
+)

 go 1.15
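Review bot: In the import hunk of colorable_windows.go, the added `syscall "golang.org/x/sys/windows"` sits in the standard-library group and reuses the name `syscall`, so every `syscall.` reference in the file now resolves to x/sys/windows while still reading as the standard package. gofmt sorts specs by path within a group, so the line would not stay between `"sync"` and `"unsafe"`. It belongs in the third-party group beside go-isatty, either as `syscall "golang.org/x/sys/windows"` there or as an unaliased `"golang.org/x/sys/windows"` with call sites renamed to `windows.`. The other `syscall.` uses are outside the hunk, so it is worth confirming that each identifier exists with the same signature in x/sys/windows. The import block starts and ends outside the hunk.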
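Review bot: The `kernel32` declaration in the second colorable_windows.go hunk switches to `NewLazySystemDLL` without a comment, so the reason lives only in the commit message and a later cleanup could revert it to `NewLazyDLL`. A one-line comment above the declaration would keep the intent with the code: `// NewLazySystemDLL searches only the Windows system directory for a base name, so a kernel32.dll next to the executable or in the working directory is not loaded.` This patch covers only this call site, so any other `NewLazyDLL` or `LoadLibrary` use in the module, and possibly in the go-isatty dependency, deserves the same check. The `var` block continues past the end of the hunk.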
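Review bot: The new direct requirement in the go.mod hunk, `golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab`, is a pseudo-version whose timestamp is August 2022, added in a commit dated January 2025, and the diffstat lists no `go.sum` change. If that revision was chosen to match what an existing dependency already resolves to, the commit message should say so. Otherwise a tagged release that still supports the `go 1.15` directive is easier to audit, e.g. `golang.org/x/sys vX.Y.Z` (placeholder, pick the actual tag). If the repository tracks a `go.sum`, its entries for x/sys should land in the same commit so checksum verification covers the new module.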