Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cmd/go: git VCS qualifier in module path uses git:// scheme #63845

Closed
dgl opened this issue Oct 31, 2023 · 6 comments
Closed

cmd/go: git VCS qualifier in module path uses git:// scheme #63845

dgl opened this issue Oct 31, 2023 · 6 comments
Assignees
@bcmills
Labels
GoCommand cmd/go modules NeedsFix The path to resolution is known, but the work has not been done. Security
Milestone
Go1.22

Comments

@dgl
Copy link

dgl commented Oct 31, 2023

What version of Go are you using (go version)?

$ go version
go version go1.21.3 linux/amd64

Does this issue reproduce with the latest release?

Yes.

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=''
GOARCH='amd64'
GOBIN=''
GOCACHE='/root/.cache/go-build'
GOENV='/root/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='local'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.21.3'
GCCGO='gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/src/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build2460490683=/tmp/go-build -gno-record-gcc-switches'

What did you do?

In a clean docker env:

docker run -it golang:1.21.3
mkdir /src
cd /src

I tried to get a URL containing ".git":

go mod init foo
go get dgl.cx/foo.git

What did you expect to see?

Per https://go.dev/ref/mod#vcs-find

If the module path has a VCS qualifier (one of .bzr, .fossil, .git, .hg, .svn) at the end of a path component, the go command will use everything up to that path qualifier as the repository URL

[...]

If the URL does not include a scheme (either because the module path has a VCS qualifier or because the tag lacks a scheme), the go command will try each protocol supported by the version control system. For example, with Git, the go command will try https:// then git+ssh://. Insecure protocols (like http:// and git://) may only be used if the module path is matched by the GOINSECURE environment variable.

i.e. I expected that as described it will try the two schemes https and git+ssh in turn.

What did you see instead?

I've definitely not set GOINSECURE, but I see:

go: module dgl.cx/foo.git: git ls-remote -q origin in /go/pkg/mod/cache/vcs/b982d3896f60780c91477b0905164a9bb9b91a39d383c88b4152672c759055ab: exit status 128:
	fatal: unable to connect to dgl.cx:
	dgl.cx[0: [ipv4 address elided]]: errno=Connection refused
	dgl.cx[1: [ipv6 address elided]]: errno=Cannot assign requested address

It's definitely trying to connect over plain git protocol (git://):

$ sudo tcpdump -n port git
[...]
12:40:25.143285 IP [ip elided].53232 > [ip elided].9418: Flags [S], seq 3202314552, win 64240, options [mss 1460,sackOK,TS val 1040977568 ecr 0,nop,wscale 7], length 0
@seankhliao seankhliao added NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. GoCommand cmd/go labels Oct 31, 2023
@seankhliao
Copy link
Member

I see

$ go get -x dgl.cx/foo.git
# get https://dgl.cx/?go-get=1
cd /go/pkg/mod
git ls-remote https://dgl.cx/foo
# get https://dgl.cx/?go-get=1: 200 OK (0.155s)
cd /go/pkg/mod
git ls-remote git+ssh://dgl.cx/foo
cd /go/pkg/mod
git ls-remote ssh://dgl.cx/foo
mkdir -p /go/pkg/mod/cache/vcs # git3 git://dgl.cx/foo
# lock /go/pkg/mod/cache/vcs/b982d3896f60780c91477b0905164a9bb9b91a39d383c88b4152672c759055ab.lock
# /go/pkg/mod/cache/vcs/b982d3896f60780c91477b0905164a9bb9b91a39d383c88b4152672c759055ab for git3 git://dgl.cx/foo
cd /go/pkg/mod/cache/vcs/b982d3896f60780c91477b0905164a9bb9b91a39d383c88b4152672c759055ab; git ls-remote -q origin
0.091s # cd /go/pkg/mod/cache/vcs/b982d3896f60780c91477b0905164a9bb9b91a39d383c88b4152672c759055ab; git ls-remote -q origin
go: module dgl.cx/foo.git: git ls-remote -q origin in /go/pkg/mod/cache/vcs/b982d3896f60780c91477b0905164a9bb9b91a39d383c88b4152672c759055ab: exit status 128:
	fatal: unable to connect to dgl.cx:
	dgl.cx[0: 51.15.69.169]: errno=Connection refused
	dgl.cx[1: 2001:bc8:1820:23b::1]: errno=Cannot assign requested address

looks like the git origin was saved with git:// ?

@bcmills bcmills added this to the Go1.22 milestone Oct 31, 2023
@bcmills bcmills self-assigned this Oct 31, 2023
@gopherbot
Copy link

Change https://go.dev/cl/539321 mentions this issue: cmd/go/internal/vcs: error out if the requested repo does not support a secure protocol

@bcmills
Copy link
Contributor

bcmills commented Nov 6, 2023

@gopherbot, please backport to Go 1.21 and 1.20.

@gopherbot gopherbot mentioned this issue Nov 6, 2023
Closed
@gopherbot
Copy link

Backport issue(s) opened: #63972 (for 1.20), #63973 (for 1.21).

Remember to create the cherry-pick CL(s) as soon as the patch is submitted to master, according to https://go.dev/wiki/MinorReleases.

@gopherbot gopherbot mentioned this issue Nov 6, 2023
Closed
@gopherbot
Copy link

Change https://go.dev/cl/540257 mentions this issue: cmd/go/internal/vcs: error out if the requested repo does not support a secure protocol

@gopherbot
Copy link

Change https://go.dev/cl/540335 mentions this issue: [release-branch.go1.20] cmd/go/internal/vcs: error out if the requested repo does not support a secure protocol

@dmitshur dmitshur added NeedsFix The path to resolution is known, but the work has not been done. and removed NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. labels Nov 6, 2023
gopherbot pushed a commit that referenced this issue Nov 27, 2023
@gopherbot
[release-branch.go1.21] cmd/go/internal/vcs: error out if the request…
23c943e 
…ed repo does not support a secure protocol

Updates #63845.
Fixes #63973.

Change-Id: If86d6b13d3b55877b35c087112bd76388c9404b8
Reviewed-on: https://go-review.googlesource.com/c/go/+/539321
Reviewed-by: Michael Matloob <matloob@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Auto-Submit: Bryan Mills <bcmills@google.com>
(cherry picked from commit be26ae1)
Reviewed-on: https://go-review.googlesource.com/c/go/+/540257
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
gopherbot pushed a commit that referenced this issue Nov 27, 2023
@gopherbot
[release-branch.go1.20] cmd/go/internal/vcs: error out if the request…
46bc338 
…ed repo does not support a secure protocol

Updates #63845.
Fixes #63972.

Change-Id: If86d6b13d3b55877b35c087112bd76388c9404b8
Reviewed-on: https://go-review.googlesource.com/c/go/+/539321
Reviewed-by: Michael Matloob <matloob@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Auto-Submit: Bryan Mills <bcmills@google.com>
(cherry picked from commit be26ae1)
Reviewed-on: https://go-review.googlesource.com/c/go/+/540335
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
rcrozean pushed a commit to rcrozean/go that referenced this issue Dec 7, 2023
@rcrozean
[release-branch.go1.20] cmd/go/internal/vcs: error out if the request…
2043cf7 
…ed repo does not support a secure protocol

Updates golang#63845.
Fixes golang#63972.

Change-Id: If86d6b13d3b55877b35c087112bd76388c9404b8
Reviewed-on: https://go-review.googlesource.com/c/go/+/539321
Reviewed-by: Michael Matloob <matloob@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Auto-Submit: Bryan Mills <bcmills@google.com>
(cherry picked from commit be26ae1)
Reviewed-on: https://go-review.googlesource.com/c/go/+/540335
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
rcrozean pushed a commit to rcrozean/go that referenced this issue Dec 8, 2023
@rcrozean
[release-branch.go1.20] cmd/go/internal/vcs: error out if the request…
13a6e63 
…ed repo does not support a secure protocol

Updates golang#63845.
Fixes golang#63972.

Change-Id: If86d6b13d3b55877b35c087112bd76388c9404b8
Reviewed-on: https://go-review.googlesource.com/c/go/+/539321
Reviewed-by: Michael Matloob <matloob@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Auto-Submit: Bryan Mills <bcmills@google.com>
(cherry picked from commit be26ae1)
Reviewed-on: https://go-review.googlesource.com/c/go/+/540335
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@bcmills bcmills

Labels
GoCommand cmd/go modules NeedsFix The path to resolution is known, but the work has not been done. Security
Projects
None yet
Milestone
Go1.22
Development

No branches or pull requests
5 participants
@dgl @dmitshur @bcmills @gopherbot @seankhliao