From: Roland Shoemaker Date: Wed, 10 Dec 2025 13:13:07 +0000 (-0500) Subject: [release-branch.go1.25] cmd/go: update VCS commands to use safer flag/argument syntax X-Git-Tag: go1.25.6~4 X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=082365aa552a7e2186f79110d5311dce70749cc0;p=gostls13.git [release-branch.go1.25] cmd/go: update VCS commands to use safer flag/argument syntax In various situations, the toolchain invokes VCS commands. Some of these commands take arbitrary input, either provided by users or fetched from external sources. To prevent potential command injection vulnerabilities or misinterpretation of arguments as flags, this change updates the VCS commands to use various techniques to separate flags from positional arguments, and to directly associate flags with their values. Additionally, we update the environment variable for Mercurial to use `HGPLAIN=+strictflags`, which is the more explicit way to disable user configurations (intended or otherwise) that might interfere with command execution. We also now disallow version strings from being prefixed with '-' or '/', as doing so opens us up to making the same mistake again in the future. As far as we know there are currently ~0 public modules affected by this. While I was working on cmd/go/internal/vcs, I also noticed that a significant portion of the commands being implemented were dead code. In order to reduce the maintenance burden and surface area for potential issues, I removed the dead code for unused commands. We should probably follow up with a more structured change to make it harder to accidentally re-introduce these issues in the future, but for now this addresses the issue at hand. Thanks to splitline (@splitline) from DEVCORE Research Team for reporting this issue. Fixes CVE-2025-68119 Fixes #77099 Change-Id: I9d9f4ee05b95be49fe14edf71a1b8e6c0784378e Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3260 Reviewed-by: Damien Neil Reviewed-by: Nicholas Husin Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3342 Reviewed-by: Michael Matloob Reviewed-on: https://go-review.googlesource.com/c/go/+/736721 Reviewed-by: Junyang Shao Auto-Submit: Michael Pratt TryBot-Bypass: Michael Pratt --- diff --git a/src/cmd/go/internal/modcmd/edit.go b/src/cmd/go/internal/modcmd/edit.go index f73269378a..7bc9299029 100644 --- a/src/cmd/go/internal/modcmd/edit.go +++ b/src/cmd/go/internal/modcmd/edit.go @@ -321,7 +321,10 @@ func runEdit(ctx context.Context, cmd *base.Command, args []string) { // parsePathVersion parses -flag=arg expecting arg to be path@version. func parsePathVersion(flag, arg string) (path, version string) { - before, after, found := strings.Cut(arg, "@") + before, after, found, err := modload.ParsePathVersion(arg) + if err != nil { + base.Fatalf("go: -%s=%s: %v", flag, arg, err) + } if !found { base.Fatalf("go: -%s=%s: need path@version", flag, arg) } @@ -355,7 +358,10 @@ func parsePathVersionOptional(adj, arg string, allowDirPath bool) (path, version if allowDirPath && modfile.IsDirectoryPath(arg) { return arg, "", nil } - before, after, found := strings.Cut(arg, "@") + before, after, found, err := modload.ParsePathVersion(arg) + if err != nil { + return "", "", err + } if !found { path = arg } else { diff --git a/src/cmd/go/internal/modfetch/codehost/git.go b/src/cmd/go/internal/modfetch/codehost/git.go index b445ac2486..89a4cbffd7 100644 --- a/src/cmd/go/internal/modfetch/codehost/git.go +++ b/src/cmd/go/internal/modfetch/codehost/git.go @@ -248,7 +248,7 @@ func (r *gitRepo) loadRefs(ctx context.Context) (map[string]string, error) { r.refsErr = err return } - out, gitErr := r.runGit(ctx, "git", "ls-remote", "-q", r.remote) + out, gitErr := r.runGit(ctx, "git", "ls-remote", "-q", "--end-of-options", r.remote) release() if gitErr != nil { @@ -534,7 +534,7 @@ func (r *gitRepo) stat(ctx context.Context, rev string) (info *RevInfo, err erro if fromTag && !slices.Contains(info.Tags, tag) { // The local repo includes the commit hash we want, but it is missing // the corresponding tag. Add that tag and try again. - _, err := r.runGit(ctx, "git", "tag", tag, hash) + _, err := r.runGit(ctx, "git", "tag", "--end-of-options", tag, hash) if err != nil { return nil, err } @@ -583,7 +583,7 @@ func (r *gitRepo) stat(ctx context.Context, rev string) (info *RevInfo, err erro // an apparent Git bug introduced in Git 2.21 (commit 61c771), // which causes the handler for protocol version 1 to sometimes miss // tags that point to the requested commit (see https://go.dev/issue/56881). - _, err = r.runGit(ctx, "git", "-c", "protocol.version=2", "fetch", "-f", "--depth=1", r.remote, refspec) + _, err = r.runGit(ctx, "git", "-c", "protocol.version=2", "fetch", "-f", "--depth=1", "--end-of-options", r.remote, refspec) release() if err == nil { @@ -629,12 +629,12 @@ func (r *gitRepo) fetchRefsLocked(ctx context.Context) error { } defer release() - if _, err := r.runGit(ctx, "git", "fetch", "-f", r.remote, "refs/heads/*:refs/heads/*", "refs/tags/*:refs/tags/*"); err != nil { + if _, err := r.runGit(ctx, "git", "fetch", "-f", "--end-of-options", r.remote, "refs/heads/*:refs/heads/*", "refs/tags/*:refs/tags/*"); err != nil { return err } if _, err := os.Stat(filepath.Join(r.dir, "shallow")); err == nil { - if _, err := r.runGit(ctx, "git", "fetch", "--unshallow", "-f", r.remote); err != nil { + if _, err := r.runGit(ctx, "git", "fetch", "--unshallow", "-f", "--end-of-options", r.remote); err != nil { return err } } @@ -647,7 +647,7 @@ func (r *gitRepo) fetchRefsLocked(ctx context.Context) error { // statLocal returns a new RevInfo describing rev in the local git repository. // It uses version as info.Version. func (r *gitRepo) statLocal(ctx context.Context, version, rev string) (*RevInfo, error) { - out, err := r.runGit(ctx, "git", "-c", "log.showsignature=false", "log", "--no-decorate", "-n1", "--format=format:%H %ct %D", rev, "--") + out, err := r.runGit(ctx, "git", "-c", "log.showsignature=false", "log", "--no-decorate", "-n1", "--format=format:%H %ct %D", "--end-of-options", rev, "--") if err != nil { // Return info with Origin.RepoSum if possible to allow caching of negative lookup. var info *RevInfo @@ -737,7 +737,7 @@ func (r *gitRepo) ReadFile(ctx context.Context, rev, file string, maxSize int64) if err != nil { return nil, err } - out, err := r.runGit(ctx, "git", "cat-file", "blob", info.Name+":"+file) + out, err := r.runGit(ctx, "git", "cat-file", "--end-of-options", "blob", info.Name+":"+file) if err != nil { return nil, fs.ErrNotExist } @@ -755,7 +755,7 @@ func (r *gitRepo) RecentTag(ctx context.Context, rev, prefix string, allowed fun // result is definitive. describe := func() (definitive bool) { var out []byte - out, err = r.runGit(ctx, "git", "for-each-ref", "--format", "%(refname)", "refs/tags", "--merged", rev) + out, err = r.runGit(ctx, "git", "for-each-ref", "--format=%(refname)", "--merged="+rev) if err != nil { return true } @@ -904,7 +904,7 @@ func (r *gitRepo) ReadZip(ctx context.Context, rev, subdir string, maxSize int64 // TODO: Use maxSize or drop it. args := []string{} if subdir != "" { - args = append(args, "--", subdir) + args = append(args, subdir) } info, err := r.Stat(ctx, rev) // download rev into local git repo if err != nil { @@ -926,7 +926,7 @@ func (r *gitRepo) ReadZip(ctx context.Context, rev, subdir string, maxSize int64 // text file line endings. Setting -c core.autocrlf=input means only // translate files on the way into the repo, not on the way out (archive). // The -c core.eol=lf should be unnecessary but set it anyway. - archive, err := r.runGit(ctx, "git", "-c", "core.autocrlf=input", "-c", "core.eol=lf", "archive", "--format=zip", "--prefix=prefix/", info.Name, args) + archive, err := r.runGit(ctx, "git", "-c", "core.autocrlf=input", "-c", "core.eol=lf", "archive", "--format=zip", "--prefix=prefix/", "--end-of-options", info.Name, args) if err != nil { if bytes.Contains(err.(*RunError).Stderr, []byte("did not match any files")) { return nil, fs.ErrNotExist diff --git a/src/cmd/go/internal/modfetch/codehost/vcs.go b/src/cmd/go/internal/modfetch/codehost/vcs.go index 8e59479339..4e45243950 100644 --- a/src/cmd/go/internal/modfetch/codehost/vcs.go +++ b/src/cmd/go/internal/modfetch/codehost/vcs.go @@ -176,20 +176,20 @@ var vcsCmds = map[string]*vcsCmd{ branchRE: re(`(?m)^[^\n]+$`), badLocalRevRE: re(`(?m)^(tip)$`), statLocal: func(rev, remote string) []string { - return []string{"hg", "log", "-l1", "-r", rev, "--template", "{node} {date|hgdate} {tags}"} + return []string{"hg", "log", "-l1", fmt.Sprintf("--rev=%s", rev), "--template", "{node} {date|hgdate} {tags}"} }, parseStat: hgParseStat, fetch: []string{"hg", "pull", "-f"}, latest: "tip", readFile: func(rev, file, remote string) []string { - return []string{"hg", "cat", "-r", rev, file} + return []string{"hg", "cat", fmt.Sprintf("--rev=%s", rev), "--", file} }, readZip: func(rev, subdir, remote, target string) []string { pattern := []string{} if subdir != "" { - pattern = []string{"-I", subdir + "/**"} + pattern = []string{fmt.Sprintf("--include=%s", subdir+"/**")} } - return str.StringList("hg", "archive", "-t", "zip", "--no-decode", "-r", rev, "--prefix=prefix/", pattern, "--", target) + return str.StringList("hg", "archive", "-t", "zip", "--no-decode", fmt.Sprintf("--rev=%s", rev), "--prefix=prefix/", pattern, "--", target) }, }, @@ -229,19 +229,19 @@ var vcsCmds = map[string]*vcsCmd{ tagRE: re(`(?m)^\S+`), badLocalRevRE: re(`^revno:-`), statLocal: func(rev, remote string) []string { - return []string{"bzr", "log", "-l1", "--long", "--show-ids", "-r", rev} + return []string{"bzr", "log", "-l1", "--long", "--show-ids", fmt.Sprintf("--revision=%s", rev)} }, parseStat: bzrParseStat, latest: "revno:-1", readFile: func(rev, file, remote string) []string { - return []string{"bzr", "cat", "-r", rev, file} + return []string{"bzr", "cat", fmt.Sprintf("--revision=%s", rev), "--", file} }, readZip: func(rev, subdir, remote, target string) []string { extra := []string{} if subdir != "" { extra = []string{"./" + subdir} } - return str.StringList("bzr", "export", "--format=zip", "-r", rev, "--root=prefix/", "--", target, extra) + return str.StringList("bzr", "export", "--format=zip", fmt.Sprintf("--revision=%s", rev), "--root=prefix/", "--", target, extra) }, }, @@ -256,17 +256,17 @@ var vcsCmds = map[string]*vcsCmd{ }, tagRE: re(`XXXTODO`), statLocal: func(rev, remote string) []string { - return []string{"fossil", "info", "-R", ".fossil", rev} + return []string{"fossil", "info", "-R", ".fossil", "--", rev} }, parseStat: fossilParseStat, latest: "trunk", readFile: func(rev, file, remote string) []string { - return []string{"fossil", "cat", "-R", ".fossil", "-r", rev, file} + return []string{"fossil", "cat", "-R", ".fossil", fmt.Sprintf("-r=%s", rev), "--", file} }, readZip: func(rev, subdir, remote, target string) []string { extra := []string{} if subdir != "" && !strings.ContainsAny(subdir, "*?[],") { - extra = []string{"--include", subdir} + extra = []string{fmt.Sprintf("--include=%s", subdir)} } // Note that vcsRepo.ReadZip below rewrites this command // to run in a different directory, to work around a fossil bug. diff --git a/src/cmd/go/internal/modget/query.go b/src/cmd/go/internal/modget/query.go index f95b503d8f..0f275bd0ad 100644 --- a/src/cmd/go/internal/modget/query.go +++ b/src/cmd/go/internal/modget/query.go @@ -139,7 +139,10 @@ func errSet(err error) pathSet { return pathSet{err: err} } // newQuery returns a new query parsed from the raw argument, // which must be either path or path@version. func newQuery(raw string) (*query, error) { - pattern, rawVers, found := strings.Cut(raw, "@") + pattern, rawVers, found, err := modload.ParsePathVersion(raw) + if err != nil { + return nil, err + } if found && (strings.Contains(rawVers, "@") || rawVers == "") { return nil, fmt.Errorf("invalid module version syntax %q", raw) } diff --git a/src/cmd/go/internal/modload/build.go b/src/cmd/go/internal/modload/build.go index 6e30afd524..b04575ee8c 100644 --- a/src/cmd/go/internal/modload/build.go +++ b/src/cmd/go/internal/modload/build.go @@ -12,7 +12,6 @@ import ( "io/fs" "os" "path/filepath" - "strings" "cmd/go/internal/base" "cmd/go/internal/cfg" @@ -88,7 +87,16 @@ func ModuleInfo(ctx context.Context, path string) *modinfo.ModulePublic { return nil } - if path, vers, found := strings.Cut(path, "@"); found { + path, vers, found, err := ParsePathVersion(path) + if err != nil { + return &modinfo.ModulePublic{ + Path: path, + Error: &modinfo.ModuleError{ + Err: err.Error(), + }, + } + } + if found { m := module.Version{Path: path, Version: vers} return moduleInfo(ctx, nil, m, 0, nil) } diff --git a/src/cmd/go/internal/modload/list.go b/src/cmd/go/internal/modload/list.go index 53cb6c2ffe..32c7847bd3 100644 --- a/src/cmd/go/internal/modload/list.go +++ b/src/cmd/go/internal/modload/list.go @@ -150,7 +150,11 @@ func listModules(ctx context.Context, rs *Requirements, args []string, mode List } continue } - if path, vers, found := strings.Cut(arg, "@"); found { + path, vers, found, err := ParsePathVersion(arg) + if err != nil { + base.Fatalf("go: %v", err) + } + if found { if vers == "upgrade" || vers == "patch" { if _, ok := rs.rootSelected(path); !ok || rs.pruning == unpruned { needFullGraph = true @@ -176,7 +180,11 @@ func listModules(ctx context.Context, rs *Requirements, args []string, mode List matchedModule := map[module.Version]bool{} for _, arg := range args { - if path, vers, found := strings.Cut(arg, "@"); found { + path, vers, found, err := ParsePathVersion(arg) + if err != nil { + base.Fatalf("go: %v", err) + } + if found { var current string if mg == nil { current, _ = rs.rootSelected(path) @@ -319,3 +327,21 @@ func modinfoError(path, vers string, err error) *modinfo.ModuleError { return &modinfo.ModuleError{Err: err.Error()} } + +// ParsePathVersion parses arg expecting arg to be path@version. If there is no +// '@' in arg, found is false, vers is "", and path is arg. This mirrors the +// typical usage of strings.Cut. ParsePathVersion is meant to be a general +// replacement for strings.Cut in module version parsing. If the version is +// invalid, an error is returned. The version is considered invalid if it is +// prefixed with '-' or '/', which can cause security problems when constructing +// commands to execute that use the version. +func ParsePathVersion(arg string) (path, vers string, found bool, err error) { + path, vers, found = strings.Cut(arg, "@") + if !found { + return arg, "", false, nil + } + if len(vers) > 0 && (vers[0] == '-' || vers[0] == '/') { + return "", "", false, fmt.Errorf("invalid module version %q", vers) + } + return path, vers, true, nil +} diff --git a/src/cmd/go/internal/toolchain/select.go b/src/cmd/go/internal/toolchain/select.go index e871261336..198cdc706f 100644 --- a/src/cmd/go/internal/toolchain/select.go +++ b/src/cmd/go/internal/toolchain/select.go @@ -670,7 +670,10 @@ func maybeSwitchForGoInstallVersion(minVers string) { if !strings.Contains(pkgArg, "@") || build.IsLocalImport(pkgArg) || filepath.IsAbs(pkgArg) { return } - path, version, _ := strings.Cut(pkgArg, "@") + path, version, _, err := modload.ParsePathVersion(pkgArg) + if err != nil { + base.Fatalf("go: %v", err) + } if path == "" || version == "" || gover.IsToolchain(path) { return } @@ -705,7 +708,7 @@ func maybeSwitchForGoInstallVersion(minVers string) { allowed = nil } noneSelected := func(path string) (version string) { return "none" } - _, err := modload.QueryPackages(ctx, path, version, noneSelected, allowed) + _, err = modload.QueryPackages(ctx, path, version, noneSelected, allowed) if errors.Is(err, gover.ErrTooNew) { // Run early switch, same one go install or go run would eventually do, // if it understood all the command-line flags. diff --git a/src/cmd/go/internal/vcs/vcs.go b/src/cmd/go/internal/vcs/vcs.go index 7e081eb41a..b8204c7619 100644 --- a/src/cmd/go/internal/vcs/vcs.go +++ b/src/cmd/go/internal/vcs/vcs.go @@ -17,7 +17,6 @@ import ( "os" "os/exec" "path/filepath" - "regexp" "strconv" "strings" "sync" @@ -41,20 +40,10 @@ type Cmd struct { Env []string // any environment values to set/override RootNames []rootName // filename and mode indicating the root of a checkout directory - CreateCmd []string // commands to download a fresh copy of a repository - DownloadCmd []string // commands to download updates into an existing repository - - TagCmd []tagCmd // commands to list tags - TagLookupCmd []tagCmd // commands to lookup tags before running tagSyncCmd - TagSyncCmd []string // commands to sync to specific tag - TagSyncDefault []string // commands to sync to default tag - Scheme []string PingCmd string - RemoteRepo func(v *Cmd, rootDir string) (remoteRepo string, err error) - ResolveRepo func(v *Cmd, rootDir, remoteRepo string) (realRepo string, err error) - Status func(v *Cmd, rootDir string) (Status, error) + Status func(v *Cmd, rootDir string) (Status, error) } // Status is the current state of a local repository. @@ -157,40 +146,16 @@ var vcsHg = &Cmd{ Name: "Mercurial", Cmd: "hg", - // HGPLAIN=1 turns off additional output that a user may have enabled via - // config options or certain extensions. - Env: []string{"HGPLAIN=1"}, + // HGPLAIN=+strictflags turns off additional output that a user may have + // enabled via config options or certain extensions. + Env: []string{"HGPLAIN=+strictflags"}, RootNames: []rootName{ {filename: ".hg", isDir: true}, }, - CreateCmd: []string{"clone -U -- {repo} {dir}"}, - DownloadCmd: []string{"pull"}, - - // We allow both tag and branch names as 'tags' - // for selecting a version. This lets people have - // a go.release.r60 branch and a go1 branch - // and make changes in both, without constantly - // editing .hgtags. - TagCmd: []tagCmd{ - {"tags", `^(\S+)`}, - {"branches", `^(\S+)`}, - }, - TagSyncCmd: []string{"update -r {tag}"}, - TagSyncDefault: []string{"update default"}, - - Scheme: []string{"https", "http", "ssh"}, - PingCmd: "identify -- {scheme}://{repo}", - RemoteRepo: hgRemoteRepo, - Status: hgStatus, -} - -func hgRemoteRepo(vcsHg *Cmd, rootDir string) (remoteRepo string, err error) { - out, err := vcsHg.runOutput(rootDir, "paths default") - if err != nil { - return "", err - } - return strings.TrimSpace(string(out)), nil + Scheme: []string{"https", "http", "ssh"}, + PingCmd: "identify -- {scheme}://{repo}", + Status: hgStatus, } func hgStatus(vcsHg *Cmd, rootDir string) (Status, error) { @@ -253,25 +218,6 @@ var vcsGit = &Cmd{ {filename: ".git", isDir: true}, }, - CreateCmd: []string{"clone -- {repo} {dir}", "-go-internal-cd {dir} submodule update --init --recursive"}, - DownloadCmd: []string{"pull --ff-only", "submodule update --init --recursive"}, - - TagCmd: []tagCmd{ - // tags/xxx matches a git tag named xxx - // origin/xxx matches a git branch named xxx on the default remote repository - {"show-ref", `(?:tags|origin)/(\S+)$`}, - }, - TagLookupCmd: []tagCmd{ - {"show-ref tags/{tag} origin/{tag}", `((?:tags|origin)/\S+)$`}, - }, - TagSyncCmd: []string{"checkout {tag}", "submodule update --init --recursive"}, - // both createCmd and downloadCmd update the working dir. - // No need to do more here. We used to 'checkout master' - // but that doesn't work if the default branch is not named master. - // DO NOT add 'checkout master' here. - // See golang.org/issue/9032. - TagSyncDefault: []string{"submodule update --init --recursive"}, - Scheme: []string{"git", "https", "http", "git+ssh", "ssh"}, // Leave out the '--' separator in the ls-remote command: git 2.7.4 does not @@ -280,54 +226,7 @@ var vcsGit = &Cmd{ // See golang.org/issue/33836. PingCmd: "ls-remote {scheme}://{repo}", - RemoteRepo: gitRemoteRepo, - Status: gitStatus, -} - -// scpSyntaxRe matches the SCP-like addresses used by Git to access -// repositories by SSH. -var scpSyntaxRe = lazyregexp.New(`^(\w+)@([\w.-]+):(.*)$`) - -func gitRemoteRepo(vcsGit *Cmd, rootDir string) (remoteRepo string, err error) { - const cmd = "config remote.origin.url" - outb, err := vcsGit.run1(rootDir, cmd, nil, false) - if err != nil { - // if it doesn't output any message, it means the config argument is correct, - // but the config value itself doesn't exist - if outb != nil && len(outb) == 0 { - return "", errors.New("remote origin not found") - } - return "", err - } - out := strings.TrimSpace(string(outb)) - - var repoURL *urlpkg.URL - if m := scpSyntaxRe.FindStringSubmatch(out); m != nil { - // Match SCP-like syntax and convert it to a URL. - // Eg, "git@github.com:user/repo" becomes - // "ssh://git@github.com/user/repo". - repoURL = &urlpkg.URL{ - Scheme: "ssh", - User: urlpkg.User(m[1]), - Host: m[2], - Path: m[3], - } - } else { - repoURL, err = urlpkg.Parse(out) - if err != nil { - return "", err - } - } - - // Iterate over insecure schemes too, because this function simply - // reports the state of the repo. If we can't see insecure schemes then - // we can't report the actual repo URL. - for _, s := range vcsGit.Scheme { - if repoURL.Scheme == s { - return repoURL.String(), nil - } - } - return "", errors.New("unable to parse output of git " + cmd) + Status: gitStatus, } func gitStatus(vcsGit *Cmd, rootDir string) (Status, error) { @@ -367,62 +266,9 @@ var vcsBzr = &Cmd{ {filename: ".bzr", isDir: true}, }, - CreateCmd: []string{"branch -- {repo} {dir}"}, - - // Without --overwrite bzr will not pull tags that changed. - // Replace by --overwrite-tags after http://pad.lv/681792 goes in. - DownloadCmd: []string{"pull --overwrite"}, - - TagCmd: []tagCmd{{"tags", `^(\S+)`}}, - TagSyncCmd: []string{"update -r {tag}"}, - TagSyncDefault: []string{"update -r revno:-1"}, - - Scheme: []string{"https", "http", "bzr", "bzr+ssh"}, - PingCmd: "info -- {scheme}://{repo}", - RemoteRepo: bzrRemoteRepo, - ResolveRepo: bzrResolveRepo, - Status: bzrStatus, -} - -func bzrRemoteRepo(vcsBzr *Cmd, rootDir string) (remoteRepo string, err error) { - outb, err := vcsBzr.runOutput(rootDir, "config parent_location") - if err != nil { - return "", err - } - return strings.TrimSpace(string(outb)), nil -} - -func bzrResolveRepo(vcsBzr *Cmd, rootDir, remoteRepo string) (realRepo string, err error) { - outb, err := vcsBzr.runOutput(rootDir, "info "+remoteRepo) - if err != nil { - return "", err - } - out := string(outb) - - // Expect: - // ... - // (branch root|repository branch): - // ... - - found := false - for _, prefix := range []string{"\n branch root: ", "\n repository branch: "} { - i := strings.Index(out, prefix) - if i >= 0 { - out = out[i+len(prefix):] - found = true - break - } - } - if !found { - return "", fmt.Errorf("unable to parse output of bzr info") - } - - i := strings.Index(out, "\n") - if i < 0 { - return "", fmt.Errorf("unable to parse output of bzr info") - } - out = out[:i] - return strings.TrimSpace(out), nil + Scheme: []string{"https", "http", "bzr", "bzr+ssh"}, + PingCmd: "info -- {scheme}://{repo}", + Status: bzrStatus, } func bzrStatus(vcsBzr *Cmd, rootDir string) (Status, error) { @@ -490,46 +336,12 @@ var vcsSvn = &Cmd{ {filename: ".svn", isDir: true}, }, - CreateCmd: []string{"checkout -- {repo} {dir}"}, - DownloadCmd: []string{"update"}, - // There is no tag command in subversion. // The branch information is all in the path names. - Scheme: []string{"https", "http", "svn", "svn+ssh"}, - PingCmd: "info -- {scheme}://{repo}", - RemoteRepo: svnRemoteRepo, - Status: svnStatus, -} - -func svnRemoteRepo(vcsSvn *Cmd, rootDir string) (remoteRepo string, err error) { - outb, err := vcsSvn.runOutput(rootDir, "info") - if err != nil { - return "", err - } - out := string(outb) - - // Expect: - // - // ... - // URL: - // ... - // - // Note that we're not using the Repository Root line, - // because svn allows checking out subtrees. - // The URL will be the URL of the subtree (what we used with 'svn co') - // while the Repository Root may be a much higher parent. - i := strings.Index(out, "\nURL: ") - if i < 0 { - return "", fmt.Errorf("unable to parse output of svn info") - } - out = out[i+len("\nURL: "):] - i = strings.Index(out, "\n") - if i < 0 { - return "", fmt.Errorf("unable to parse output of svn info") - } - out = out[:i] - return strings.TrimSpace(out), nil + Scheme: []string{"https", "http", "svn", "svn+ssh"}, + PingCmd: "info -- {scheme}://{repo}", + Status: svnStatus, } func svnStatus(vcsSvn *Cmd, rootDir string) (Status, error) { @@ -574,24 +386,8 @@ var vcsFossil = &Cmd{ {filename: "_FOSSIL_", isDir: false}, }, - CreateCmd: []string{"-go-internal-mkdir {dir} clone -- {repo} " + filepath.Join("{dir}", fossilRepoName), "-go-internal-cd {dir} open .fossil"}, - DownloadCmd: []string{"up"}, - - TagCmd: []tagCmd{{"tag ls", `(.*)`}}, - TagSyncCmd: []string{"up tag:{tag}"}, - TagSyncDefault: []string{"up trunk"}, - - Scheme: []string{"https", "http"}, - RemoteRepo: fossilRemoteRepo, - Status: fossilStatus, -} - -func fossilRemoteRepo(vcsFossil *Cmd, rootDir string) (remoteRepo string, err error) { - out, err := vcsFossil.runOutput(rootDir, "remote-url") - if err != nil { - return "", err - } - return strings.TrimSpace(string(out)), nil + Scheme: []string{"https", "http"}, + Status: fossilStatus, } var errFossilInfo = errors.New("unable to parse output of fossil info") @@ -692,7 +488,7 @@ func (v *Cmd) run1(dir string, cmdline string, keyval []string, verbose bool) ([ args[i] = expand(m, arg) } - if len(args) >= 2 && args[0] == "-go-internal-mkdir" { + if len(args) >= 2 && args[0] == "--go-internal-mkdir" { var err error if filepath.IsAbs(args[1]) { err = os.Mkdir(args[1], fs.ModePerm) @@ -705,7 +501,7 @@ func (v *Cmd) run1(dir string, cmdline string, keyval []string, verbose bool) ([ args = args[2:] } - if len(args) >= 2 && args[0] == "-go-internal-cd" { + if len(args) >= 2 && args[0] == "--go-internal-cd" { if filepath.IsAbs(args[1]) { dir = args[1] } else { @@ -766,99 +562,6 @@ func (v *Cmd) Ping(scheme, repo string) error { return v.runVerboseOnly(dir, v.PingCmd, "scheme", scheme, "repo", repo) } -// Create creates a new copy of repo in dir. -// The parent of dir must exist; dir must not. -func (v *Cmd) Create(dir, repo string) error { - release, err := base.AcquireNet() - if err != nil { - return err - } - defer release() - - for _, cmd := range v.CreateCmd { - if err := v.run(filepath.Dir(dir), cmd, "dir", dir, "repo", repo); err != nil { - return err - } - } - return nil -} - -// Download downloads any new changes for the repo in dir. -func (v *Cmd) Download(dir string) error { - release, err := base.AcquireNet() - if err != nil { - return err - } - defer release() - - for _, cmd := range v.DownloadCmd { - if err := v.run(dir, cmd); err != nil { - return err - } - } - return nil -} - -// Tags returns the list of available tags for the repo in dir. -func (v *Cmd) Tags(dir string) ([]string, error) { - var tags []string - for _, tc := range v.TagCmd { - out, err := v.runOutput(dir, tc.cmd) - if err != nil { - return nil, err - } - re := regexp.MustCompile(`(?m-s)` + tc.pattern) - for _, m := range re.FindAllStringSubmatch(string(out), -1) { - tags = append(tags, m[1]) - } - } - return tags, nil -} - -// TagSync syncs the repo in dir to the named tag, -// which either is a tag returned by tags or is v.tagDefault. -func (v *Cmd) TagSync(dir, tag string) error { - if v.TagSyncCmd == nil { - return nil - } - if tag != "" { - for _, tc := range v.TagLookupCmd { - out, err := v.runOutput(dir, tc.cmd, "tag", tag) - if err != nil { - return err - } - re := regexp.MustCompile(`(?m-s)` + tc.pattern) - m := re.FindStringSubmatch(string(out)) - if len(m) > 1 { - tag = m[1] - break - } - } - } - - release, err := base.AcquireNet() - if err != nil { - return err - } - defer release() - - if tag == "" && v.TagSyncDefault != nil { - for _, cmd := range v.TagSyncDefault { - if err := v.run(dir, cmd); err != nil { - return err - } - } - return nil - } - - for _, cmd := range v.TagSyncCmd { - if err := v.run(dir, cmd, "tag", tag); err != nil { - return err - } - } - return nil -} - // A vcsPath describes how to convert an import path into a // version control system and repository name. type vcsPath struct { @@ -1385,6 +1088,10 @@ func repoRootForImportDynamic(importPath string, mod ModuleMode, security web.Se } } + if err := validateRepoSubDir(mmi.SubDir); err != nil { + return nil, fmt.Errorf("%s: invalid subdirectory %q: %v", resp.URL, mmi.SubDir, err) + } + if err := validateRepoRoot(mmi.RepoRoot); err != nil { return nil, fmt.Errorf("%s: invalid repo root %q: %v", resp.URL, mmi.RepoRoot, err) } @@ -1416,6 +1123,22 @@ func repoRootForImportDynamic(importPath string, mod ModuleMode, security web.Se return rr, nil } +// validateRepoSubDir returns an error if subdir is not a valid subdirectory path. +// We consider a subdirectory path to be valid as long as it doesn't have a leading +// slash (/) or hyphen (-). +func validateRepoSubDir(subdir string) error { + if subdir == "" { + return nil + } + if subdir[0] == '/' { + return errors.New("leading slash") + } + if subdir[0] == '-' { + return errors.New("leading hyphen") + } + return nil +} + // validateRepoRoot returns an error if repoRoot does not seem to be // a valid URL with scheme. func validateRepoRoot(repoRoot string) error { diff --git a/src/cmd/go/internal/vcs/vcs_test.go b/src/cmd/go/internal/vcs/vcs_test.go index 361d85bcfb..ab70e517e2 100644 --- a/src/cmd/go/internal/vcs/vcs_test.go +++ b/src/cmd/go/internal/vcs/vcs_test.go @@ -507,6 +507,42 @@ func TestValidateRepoRoot(t *testing.T) { } } +func TestValidateRepoSubDir(t *testing.T) { + tests := []struct { + subdir string + ok bool + }{ + { + subdir: "", + ok: true, + }, + { + subdir: "sub/dir", + ok: true, + }, + { + subdir: "/leading/slash", + ok: false, + }, + { + subdir: "-leading/hyphen", + ok: false, + }, + } + + for _, test := range tests { + err := validateRepoSubDir(test.subdir) + ok := err == nil + if ok != test.ok { + want := "error" + if test.ok { + want = "nil" + } + t.Errorf("validateRepoSubDir(%q) = %q, want %s", test.subdir, err, want) + } + } +} + var govcsTests = []struct { govcs string path string diff --git a/src/cmd/go/internal/workcmd/edit.go b/src/cmd/go/internal/workcmd/edit.go index 18730436ca..fa2f018aba 100644 --- a/src/cmd/go/internal/workcmd/edit.go +++ b/src/cmd/go/internal/workcmd/edit.go @@ -278,7 +278,10 @@ func allowedVersionArg(arg string) bool { // parsePathVersionOptional parses path[@version], using adj to // describe any errors. func parsePathVersionOptional(adj, arg string, allowDirPath bool) (path, version string, err error) { - before, after, found := strings.Cut(arg, "@") + before, after, found, err := modload.ParsePathVersion(arg) + if err != nil { + return "", "", err + } if !found { path = arg } else {