Commit 70b890ce authored by Russ Cox's avatar Russ Cox

cmd/go/internal/modfetch/codehost: disable fetch of server-resolved commit hash

We cannot rely on the server to filter out the refs we don't want
(we only want refs/heads/* and refs/tags/*), so do not give it
the full hash.

Fixes #31191.

Change-Id: If1208c35954228aa6e8734f8d5f1725d0ec79c87
Reviewed-on: https://go-review.googlesource.com/c/go/+/174517
Run-TryBot: Russ Cox <rsc@golang.org>
Reviewed-by: default avatarBryan C. Mills <bcmills@google.com>
TryBot-Result: Gobot Gobot <gobot@golang.org>
parent 8bde43e0
...@@ -32,7 +32,7 @@ func LocalGitRepo(remote string) (Repo, error) { ...@@ -32,7 +32,7 @@ func LocalGitRepo(remote string) (Repo, error) {
return newGitRepoCached(remote, true) return newGitRepoCached(remote, true)
} }
const gitWorkDirType = "git2" const gitWorkDirType = "git3"
var gitRepoCache par.Cache var gitRepoCache par.Cache
...@@ -339,8 +339,14 @@ func (r *gitRepo) stat(rev string) (*RevInfo, error) { ...@@ -339,8 +339,14 @@ func (r *gitRepo) stat(rev string) (*RevInfo, error) {
} }
} }
// If we know a specific commit we need, fetch it. // If we know a specific commit we need and its ref, fetch it.
if r.fetchLevel <= fetchSome && hash != "" && !r.local { // We do NOT fetch arbitrary hashes (when we don't know the ref)
// because we want to avoid ever importing a commit that isn't
// reachable from refs/tags/* or refs/heads/* or HEAD.
// Both Gerrit and GitHub expose every CL/PR as a named ref,
// and we don't want those commits masquerading as being real
// pseudo-versions in the main repo.
if r.fetchLevel <= fetchSome && ref != "" && hash != "" && !r.local {
r.fetchLevel = fetchSome r.fetchLevel = fetchSome
var refspec string var refspec string
if ref != "" && ref != "HEAD" { if ref != "" && ref != "HEAD" {
......
env GO111MODULE=on
env GOPROXY=direct
env GOSUMDB=off
[!net] skip
# fetch commit hash reachable from refs/heads/* and refs/tags/* is OK
go list -m golang.org/x/time@8be79e1e0910c292df4e79c241bb7e8f7e725959 # on master branch
# fetch other commit hash, even with a non-standard ref, is not OK
! go list -m golang.org/x/time@334d83c35137ac2b376c1dc3e4c7733791855a3a # refs/changes/24/41624/3
stderr 'unknown revision'
! go list -m golang.org/x/time@v0.0.0-20170424233410-334d83c35137
stderr 'unknown revision'
! go list -m golang.org/x/time@334d83c35137
stderr 'unknown revision'
-- go.mod --
module m
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment