[go/release-branch.go1.26] [release-branch.go1.26] cmd/go: update VCS commands to use safer flag/argument syntax


Gopher Robot (Gerrit)

Jan 15, 2026, 1:14:37 PM (3 days ago) Jan 15
to Roland Shoemaker, Michael Pratt, goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, Junyang Shao, golang-co...@googlegroups.com

Gopher Robot submitted the change

Change information

Commit message:
[release-branch.go1.26] cmd/go: update VCS commands to use safer flag/argument syntax

In various situations, the toolchain invokes VCS commands. Some of these
commands take arbitrary input, either provided by users or fetched from
external sources. To prevent potential command injection vulnerabilities
or misinterpretation of arguments as flags, this change updates the VCS
commands to use various techniques to separate flags from positional
arguments, and to directly associate flags with their values.

Additionally, we update the environment variable for Mercurial to use
`HGPLAIN=+strictflags`, which is the more explicit way to disable user
configurations (intended or otherwise) that might interfere with command
execution.

We also now disallow version strings from being prefixed with '-' or
'/', as doing so opens us up to making the same mistake again in the
future. As far as we know there are currently ~0 public modules affected
by this.

While I was working on cmd/go/internal/vcs, I also noticed that a
significant portion of the commands being implemented were dead code.
In order to reduce the maintenance burden and surface area for potential
issues, I removed the dead code for unused commands.

We should probably follow up with a more structured change to make it
harder to accidentally re-introduce these issues in the future, but for
now this addresses the issue at hand.

Thanks to splitline (@splitline) from DEVCORE Research Team for
reporting this issue.

Fixes CVE-2025-68119
Fixes #77099
Change-Id: I9d9f4ee05b95be49fe14edf71a1b8e6c0784378e
Reviewed-by: Damien Neil <dn...@google.com>
Reviewed-by: Nicholas Husin <hu...@google.com>
Reviewed-by: Neal Patel <neal...@google.com>
Auto-Submit: Michael Pratt <mpr...@google.com>
TryBot-Bypass: Michael Pratt <mpr...@google.com>
Reviewed-by: Junyang Shao <shaoj...@google.com>
Files:
  • M src/cmd/go/internal/modcmd/edit.go
  • M src/cmd/go/internal/modfetch/codehost/git.go
  • M src/cmd/go/internal/modfetch/codehost/vcs.go
  • M src/cmd/go/internal/modget/query.go
  • M src/cmd/go/internal/modload/build.go
  • M src/cmd/go/internal/modload/list.go
  • M src/cmd/go/internal/toolchain/select.go
  • M src/cmd/go/internal/vcs/vcs.go
  • M src/cmd/go/internal/vcs/vcs_test.go
  • M src/cmd/go/internal/workcmd/edit.go
Change size: L
Delta: 10 files changed, 157 insertions(+), 347 deletions(-)
Branch: refs/heads/release-branch.go1.26
Submit Requirements:
  • Code-Review: +2 by Junyang Shao (satisfied)
  • TryBots-Pass: TryBot-Bypass+1 by Michael Pratt (satisfied)
Gerrit-MessageType: merged
Gerrit-Project: go
Gerrit-Branch: release-branch.go1.26
Gerrit-Change-Id: I9d9f4ee05b95be49fe14edf71a1b8e6c0784378e
Gerrit-Change-Number: 736705
Gerrit-PatchSet: 2
Gerrit-Owner: Michael Pratt <mpr...@google.com>
Gerrit-Reviewer: Gopher Robot <go...@golang.org>
Gerrit-Reviewer: Junyang Shao <shaoj...@google.com>
Gerrit-Reviewer: Michael Pratt <mpr...@google.com>
Gerrit-CC: Roland Shoemaker <rol...@golang.org>
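The commit message above describes three mitigations in general terms: separating flags from positional arguments, binding each flag directly to its value, and rejecting version strings that begin with '-' or '/'. The following Go program is an added illustration of those techniques and is not code from cmd/go or from this change. It assumes that "separate flags from positional arguments" means a `--` terminator and that "directly associate flags with their values" means the `--flag=value` spelling; the helper names `checkVersionArg`, `gitLsRemoteArgs` and `hgEnv`, and the remote URL and refs in `main`, are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// checkVersionArg applies the rule the commit message describes: a version
// string must not begin with '-' (a VCS tool could parse it as an option) or
// '/' (it could be read as an absolute path). Hypothetical helper, not cmd/go's.
func checkVersionArg(v string) error {
	switch {
	case v == "":
		return errors.New("version must not be empty")
	case strings.HasPrefix(v, "-"), strings.HasPrefix(v, "/"):
		return fmt.Errorf("invalid version %q: must not begin with '-' or '/'", v)
	}
	return nil
}

// gitLsRemoteArgs builds argv for `git ls-remote` (hypothetical helper).
// Options are spelled --flag=value or as bare long flags so a value can never
// be detached and mistaken for a separate argument, and "--" ends option
// parsing before the remote URL and ref, which may originate from an
// untrusted go.mod or a user-supplied query. The version check runs as well,
// so a flag-like ref is refused even though "--" would already neutralise it.
func gitLsRemoteArgs(remote, ref string) ([]string, error) {
	if err := checkVersionArg(ref); err != nil {
		return nil, err
	}
	if remote == "" || strings.HasPrefix(remote, "-") {
		return nil, fmt.Errorf("invalid remote %q", remote)
	}
	return []string{"ls-remote", "--quiet", "--", remote, ref}, nil
}

// hgEnv returns the environment for an hg invocation with HGPLAIN=+strictflags,
// the setting the commit message adopts. Plain mode makes Mercurial ignore
// user and system configuration that could alter command behaviour, and
// strictflags restricts option parsing so options are recognised only before
// the first positional argument. Any inherited HGPLAIN value is replaced.
func hgEnv(base []string) []string {
	env := make([]string, 0, len(base)+1)
	for _, kv := range base {
		if strings.HasPrefix(kv, "HGPLAIN=") {
			continue
		}
		env = append(env, kv)
	}
	return append(env, "HGPLAIN=+strictflags")
}

func main() {
	// Constructed inputs: one benign ref and one that looks like an option.
	for _, ref := range []string{"v1.2.3", "--some-option"} {
		args, err := gitLsRemoteArgs("https://example.com/repo.git", ref)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println("git", strings.Join(args, " "))
	}
	fmt.Println(hgEnv([]string{"PATH=/usr/bin", "HGPLAIN=1"}))
}
```

The program only builds argument vectors and environments; it does not execute git or hg, so it runs offline. The point to carry over to real code is the layering: the `--` terminator protects the subprocess even when a value slips through, and the prefix check on version strings keeps a future call site that forgets the terminator from reintroducing the problem, which is the reasoning the commit message gives for adding both.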

Gopher Robot (Gerrit)

Jan 15, 2026, 1:14:56 PM (3 days ago) Jan 15
to Roland Shoemaker, Michael Pratt, goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, Junyang Shao, golang-co...@googlegroups.com

Gopher Robot submitted the change

Change information

Commit message:
[release-branch.go1.25] cmd/go: update VCS commands to use safer flag/argument syntax
Auto-Submit: Michael Pratt <mpr...@google.com>
TryBot-Bypass: Michael Pratt <mpr...@google.com>
Files:
  • M src/cmd/go/internal/modcmd/edit.go
  • M src/cmd/go/internal/modfetch/codehost/git.go
  • M src/cmd/go/internal/modfetch/codehost/vcs.go
  • M src/cmd/go/internal/modget/query.go
  • M src/cmd/go/internal/modload/build.go
  • M src/cmd/go/internal/modload/list.go
  • M src/cmd/go/internal/toolchain/select.go
  • M src/cmd/go/internal/vcs/vcs.go
  • M src/cmd/go/internal/vcs/vcs_test.go
  • M src/cmd/go/internal/workcmd/edit.go
Change size: L
Delta: 10 files changed, 153 insertions(+), 345 deletions(-)
Branch: refs/heads/release-branch.go1.25
Submit Requirements:
  • Code-Review: +2 by Junyang Shao (satisfied)
  • TryBots-Pass: TryBot-Bypass+1 by Michael Pratt (satisfied)
Gerrit-MessageType: merged
Gerrit-Project: go
Gerrit-Branch: release-branch.go1.25
Gerrit-Change-Id: I9d9f4ee05b95be49fe14edf71a1b8e6c0784378e
Gerrit-Change-Number: 736721

Gopher Robot (Gerrit)

Jan 15, 2026, 1:35:52 PM (3 days ago) Jan 15
to Roland Shoemaker, Michael Pratt, goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, Go LUCI, Junyang Shao, golang-co...@googlegroups.com

Gopher Robot submitted the change

Change information

Commit message:
cmd/go: update VCS commands to use safer flag/argument syntax
Auto-Submit: Michael Pratt <mpr...@google.com>
Reviewed-by: Junyang Shao <shaoj...@google.com>
Files:
  • M src/cmd/go/internal/modcmd/edit.go
  • M src/cmd/go/internal/modfetch/codehost/git.go
  • M src/cmd/go/internal/modfetch/codehost/vcs.go
  • M src/cmd/go/internal/modget/query.go
  • M src/cmd/go/internal/modload/build.go
  • M src/cmd/go/internal/modload/list.go
  • M src/cmd/go/internal/toolchain/select.go
  • M src/cmd/go/internal/vcs/vcs.go
  • M src/cmd/go/internal/vcs/vcs_test.go
  • M src/cmd/go/internal/workcmd/edit.go
Change size: L
Delta: 10 files changed, 157 insertions(+), 347 deletions(-)
Branch: refs/heads/master
Submit Requirements:
  • Code-Review: +2 by Junyang Shao (satisfied)
  • TryBots-Pass: LUCI-TryBot-Result+1 by Go LUCI (satisfied)
Gerrit-MessageType: merged
Gerrit-Project: go
Gerrit-Branch: master
Gerrit-Change-Id: I9d9f4ee05b95be49fe14edf71a1b8e6c0784378e
Gerrit-Change-Number: 736710
Gerrit-PatchSet: 2
Gerrit-Owner: Michael Pratt <mpr...@google.com>