cmd/go/internal/modload: ignore disallowed errors when checking for updates
authorJay Conrod <jay@golang.org>
Wed, 29 Jun 2022 01:15:32 +0000 (18:15 -0700)
committerGopher Robot <gobot@golang.org>
Tue, 12 Jul 2022 20:57:09 +0000 (20:57 +0000)
addUpdate calls Query with the query "upgrade". Normally, this returns
the highest release version (or prerelease, etc.) that is higher than
the current version and is not retracted or excluded. If there is no
such version, Query should return the current version. If the current
version is retracted or excluded, then Query currently returns an error.

addUpdate should ignore this error, as it ignores ErrNotExist and
NoMatchingVersionError. For 'go list -m -u', addRetraction is also
called, and that will detect the retraction.

Fixes #53594

Change-Id: I90a2872cdeabf03894acad9e0cbdd7db4a4e269e
Reviewed-on: https://go-review.googlesource.com/c/go/+/414825
Run-TryBot: Bryan Mills <bcmills@google.com>
Reviewed-by: Bryan Mills <bcmills@google.com>
Auto-Submit: Bryan Mills <bcmills@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
src/cmd/go/internal/modload/build.go
src/cmd/go/testdata/mod/example.com_retract_noupgrade_v1.0.0.txt [new file with mode: 0644]
src/cmd/go/testdata/script/mod_retract_noupgrade.txt [new file with mode: 0644]

index e983e0ae0cf61783dbf3ff393dfedccb3a7fe2bb..555d4b3c631e54f643603ce9e63c309f50aa31d0 100644 (file)
@@ -131,10 +131,15 @@ func addUpdate(ctx context.Context, m *modinfo.ModulePublic) {
 
        info, err := Query(ctx, m.Path, "upgrade", m.Version, CheckAllowed)
        var noVersionErr *NoMatchingVersionError
-       if errors.Is(err, fs.ErrNotExist) || errors.As(err, &noVersionErr) {
+       if errors.Is(err, ErrDisallowed) ||
+               errors.Is(err, fs.ErrNotExist) ||
+               errors.As(err, &noVersionErr) {
                // Ignore "not found" and "no matching version" errors.
                // This means the proxy has no matching version or no versions at all.
                //
+               // Ignore "disallowed" errors. This means the current version is
+               // excluded or retracted and there are no higher allowed versions.
+               //
                // We should report other errors though. An attacker that controls the
                // network shouldn't be able to hide versions by interfering with
                // the HTTPS connection. An attacker that controls the proxy may still
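Review bot: Adding `errors.Is(err, ErrDisallowed)` to the ignored set means addUpdate now reports nothing when the current version is retracted or excluded, so the user only learns of it if the caller also runs addRetraction. The commit message says 'go list -m -u' does, but the new comment paragraph does not record that dependency, and a retraction is often how a bad release gets flagged. I would extend the paragraph with `// The retraction itself is reported by addRetraction, not here; callers that need it must call both.` The body of the `if` and the rest of addUpdate lie outside this hunk, so how the ignored error is handled afterwards cannot be confirmed from here.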
diff --git a/src/cmd/go/testdata/mod/example.com_retract_noupgrade_v1.0.0.txt b/src/cmd/go/testdata/mod/example.com_retract_noupgrade_v1.0.0.txt
new file mode 100644 (file)
index 0000000..466afc5
--- /dev/null
@@ -0,0 +1,9 @@
+-- .mod --
+module example.com/retract/noupgrade
+
+go 1.19
+
+retract v1.0.0 // bad
+
+-- .info --
+{"Version":"v1.0.0"}
diff --git a/src/cmd/go/testdata/script/mod_retract_noupgrade.txt b/src/cmd/go/testdata/script/mod_retract_noupgrade.txt
new file mode 100644 (file)
index 0000000..67de79f
--- /dev/null
@@ -0,0 +1,11 @@
+go list -m -u example.com/retract/noupgrade
+stdout '^example.com/retract/noupgrade v1.0.0 \(retracted\)$'
+
+-- go.mod --
+module use
+
+go 1.19
+
+require example.com/retract/noupgrade v1.0.0
+-- go.sum --
+example.com/retract/noupgrade v1.0.0/go.mod h1:q2/HnBejUQ83RcUo4stf2U++/Zr9R/Ky3BsodjKBkQ4=
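Review bot: The script has no leading comment saying which regression it guards, so the single `stdout` assertion reads as an arbitrary format check. A first line such as `# A retracted version with no higher allowed version must be listed as retracted, not reported as an error (issue #53594).` would tie it to the fix. Only the retracted case is exercised here. The comment added in build.go also names excluded versions, and if that path can reach addUpdate it is not pinned by this test.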