diff options
| author | Bryan C. Mills <bcmills@google.com> | 2023-11-02 15:06:35 -0400 |
|---|---|---|
| committer | Gopher Robot <gobot@golang.org> | 2023-11-27 21:12:17 +0000 |
| commit | 23c943e5296c6fa3a6f9433bd929306c4dbf2aa3 (patch) | |
| tree | 5fc9743644736b435b641efd410ca6e0c3ddbfba | |
| parent | 4952f41180715a260e566a89557c780ac2ab5fc4 (diff) | |
| download | go-23c943e5296c6fa3a6f9433bd929306c4dbf2aa3.tar.gz go-23c943e5296c6fa3a6f9433bd929306c4dbf2aa3.zip | |
[release-branch.go1.21] cmd/go/internal/vcs: error out if the requested repo does not support a secure protocol
Updates #63845.
Fixes #63973.
Change-Id: If86d6b13d3b55877b35c087112bd76388c9404b8
Reviewed-on: https://go-review.googlesource.com/c/go/+/539321
Reviewed-by: Michael Matloob <matloob@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Auto-Submit: Bryan Mills <bcmills@google.com>
(cherry picked from commit be26ae18caf7ddffca4073333f80d0d9e76483c3)
Reviewed-on: https://go-review.googlesource.com/c/go/+/540257
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
| -rw-r--r-- | src/cmd/go/internal/vcs/vcs.go | 25 | ||||
| -rw-r--r-- | src/cmd/go/testdata/script/mod_insecure_issue63845.txt | 28 |
2 files changed, 47 insertions, 6 deletions
diff --git a/src/cmd/go/internal/vcs/vcs.go b/src/cmd/go/internal/vcs/vcs.go index c65dd0f624a..dbf16d1de7f 100644 --- a/src/cmd/go/internal/vcs/vcs.go +++ b/src/cmd/go/internal/vcs/vcs.go @@ -1204,18 +1204,31 @@ func repoRootFromVCSPaths(importPath string, security web.SecurityMode, vcsPaths var ok bool repoURL, ok = interceptVCSTest(repo, vcs, security) if !ok { - scheme := vcs.Scheme[0] // default to first scheme - if vcs.PingCmd != "" { - // If we know how to test schemes, scan to find one. + scheme, err := func() (string, error) { for _, s := range vcs.Scheme { if security == web.SecureOnly && !vcs.isSecureScheme(s) { continue } - if vcs.Ping(s, repo) == nil { - scheme = s - break + + // If we know how to ping URL schemes for this VCS, + // check that this repo works. + // Otherwise, default to the first scheme + // that meets the requested security level. + if vcs.PingCmd == "" { + return s, nil + } + if err := vcs.Ping(s, repo); err == nil { + return s, nil } } + securityFrag := "" + if security == web.SecureOnly { + securityFrag = "secure " + } + return "", fmt.Errorf("no %sprotocol found for repository", securityFrag) + }() + if err != nil { + return nil, err } repoURL = scheme + "://" + repo } diff --git a/src/cmd/go/testdata/script/mod_insecure_issue63845.txt b/src/cmd/go/testdata/script/mod_insecure_issue63845.txt new file mode 100644 index 00000000000..c051c05f539 --- /dev/null +++ b/src/cmd/go/testdata/script/mod_insecure_issue63845.txt @@ -0,0 +1,28 @@ +# Regression test for https://go.dev/issue/63845: +# If 'git ls-remote' fails for all secure protocols, +# we should fail instead of falling back to an arbitrary protocol. +# +# Note that this test does not use the local vcweb test server +# (vcs-test.golang.org), because the hook for redirecting to that +# server bypasses the "ping to determine protocol" logic +# in cmd/go/internal/vcs. + +[!net:golang.org] skip +[!git] skip +[short] skip 'tries to access a nonexistent external Git repo' + +env GOPRIVATE=golang.org +env CURLOPT_TIMEOUT_MS=100 +env GIT_SSH_COMMAND=false + +! go get -x golang.org/nonexist.git@latest +stderr '^git ls-remote https://golang.org/nonexist$' +stderr '^git ls-remote git\+ssh://golang.org/nonexist' +stderr '^git ls-remote ssh://golang.org/nonexist$' +! stderr 'git://' +stderr '^go: golang.org/nonexist.git@latest: no secure protocol found for repository$' + +-- go.mod -- +module example + +go 1.19 |