cmd/go/internal/modfetch/codehost: explicitly specify GIT_DIR

When Git has safe.bareRepository=explicit set, operations on bare Git
repositories will fail unless --git-dir or GIT_DIR is set. The rest of
the time, specifying the gitdir makes repository discovery at the
beginning of a Git command ever-so-slightly faster. So, there is no
downside to ensuring that users with this stricter security config set
can still use 'go mod' commands easily.

See
https://lore.kernel.org/git/pull.1261.v8.git.git.1657834081.gitgitgadget@gmail.com/
for a more detailed description of security concerns around embedded
bare repositories without an explicitly specified GIT_DIR.

Change-Id: I01c1d97a79fdab12c2b5532caf84eb7760f96b18
Reviewed-on: https://go-review.googlesource.com/c/go/+/489915
Reviewed-by: Bryan Mills <bcmills@google.com>
Auto-Submit: Bryan Mills <bcmills@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Run-TryBot: Bryan Mills <bcmills@google.com>

diff --git a/src/cmd/go/internal/modfetch/codehost/codehost.go b/src/cmd/go/internal/modfetch/codehost/codehost.go
index 3a6e55e9a36f60136a5d31b74d7dad455be5bdc4..7e763bee99f7a7fab7035002c69ad2d18fe38a2c 100644 (file)
--- a/src/cmd/go/internal/modfetch/codehost/codehost.go
+++ b/src/cmd/go/internal/modfetch/codehost/codehost.go
@@ -377,6 +377,8 @@ func RunWithStdin(dir string, stdin io.Reader, cmdline ...any) ([]byte, error) {
        c.Stdin = stdin
        c.Stderr = &stderr
        c.Stdout = &stdout
+       // For Git commands, manually supply GIT_DIR so Git works with safe.bareRepository=explicit set. Noop for other commands.
+       c.Env = append(c.Environ(), "GIT_DIR="+dir)
        err := c.Run()
        if err != nil {
                err = &RunError{Cmd: strings.Join(cmd, " ") + " in " + dir, Stderr: stderr.Bytes(), Err: err}