mirror of
https://github.com/golang/go.git
synced 2026-04-02 09:20:29 +09:00
082365aa55
In various situations, the toolchain invokes VCS commands. Some of these commands take arbitrary input, either provided by users or fetched from external sources. To prevent potential command injection vulnerabilities or misinterpretation of arguments as flags, this change updates the VCS commands to use various techniques to separate flags from positional arguments, and to directly associate flags with their values. Additionally, we update the environment variable for Mercurial to use `HGPLAIN=+strictflags`, which is the more explicit way to disable user configurations (intended or otherwise) that might interfere with command execution. We also now disallow version strings from being prefixed with '-' or '/', as doing so opens us up to making the same mistake again in the future. As far as we know there are currently ~0 public modules affected by this. While I was working on cmd/go/internal/vcs, I also noticed that a significant portion of the commands being implemented were dead code. In order to reduce the maintenance burden and surface area for potential issues, I removed the dead code for unused commands. We should probably follow up with a more structured change to make it harder to accidentally re-introduce these issues in the future, but for now this addresses the issue at hand. Thanks to splitline (@splitline) from DEVCORE Research Team for reporting this issue. Fixes CVE-2025-68119 Fixes #77099 Change-Id: I9d9f4ee05b95be49fe14edf71a1b8e6c0784378e Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3260 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Nicholas Husin <husin@google.com> Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3342 Reviewed-by: Michael Matloob <matloob@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/736721 Reviewed-by: Junyang Shao <shaojunyang@google.com> Auto-Submit: Michael Pratt <mpratt@google.com> TryBot-Bypass: Michael Pratt <mpratt@google.com>