cmd/go: mod meta tag causes infinite loop in GOPROXY #31458
I'm stumped about how the
Let's say a user does a
Therefore, the meta tag that it returns will now be
The proxy will now use
Even if we hard code the
The only solution so far is to use
Even if the purpose of the "mod meta tag" is not for vanity imports to expose them, I fail to realize where they ever make sense. The vgo proposal mentions here that you can use this feature for directly injecting the storage url: https://research.swtch.com/vgo-module#publishing
But I still fail to see how this is maintainable for a couple of reasons:
This seems like an implementation detail of the module server. The protocol for a server and a proxy is the same, but a server that is not a proxy fundamentally needs to know which paths it's serving.
(Note that one option is for the server to run
This is indeed an implementation detail of the module server.
@hyangah In this case it should be 100% safe to say that the only way a proxy server knows how to
For example, if a user did:
And then my marwan.io server returned something like ~
The only other way around my solution above is that the proxy server has a way for that vanity import path to be populated outside of
If all of my assumptions are correct, I'm happy closing the issue :)
@marwan-at-work a different approach to protect the public proxy from the infinite loop is to design myproxy.com to avoid duplicate work. The subsequent request in the chain will then be classified as a duplicate of a pending operation, and will not add additional work to the proxy but wait for the pending duplicate work to complete. Eventually some of the requests in the chain will time out (as most production services would do) and the chain will terminate.
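The approach suggested in the comment above, shown as an added Go example that is not part of the original thread and is not code from the Go project or any proxy. The names `Resolver`, `Resolve`, `Fetch`, `loopDemo`, the path `example.test/mod` and the 100 ms deadline are all assumptions made for illustration; the deadline is carried by the request context.

```go
package main

import (
	"context"
	"fmt"
	"sync"
	"sync/atomic"
	"time"
)

// call is one pending fetch; duplicate requests block on done.
type call struct{ done chan struct{}; err error }

// Resolver (hypothetical name) runs at most one fetch per module path at a time.
type Resolver struct {
	pending sync.Map // module path -> *call
	Fetch   func(ctx context.Context, path string) error
	Fetches int32 // times Fetch actually ran
}

func (r *Resolver) Resolve(ctx context.Context, path string) error {
	v, dup := r.pending.LoadOrStore(path, &call{done: make(chan struct{})})
	c := v.(*call)
	if !dup { // first request for this path does the work once
		atomic.AddInt32(&r.Fetches, 1)
		go func() {
			c.err = r.Fetch(ctx, path)
			r.pending.Delete(path)
			close(c.done)
		}()
	}
	select {
	case <-c.done:
		return c.err
	case <-ctx.Done(): // the timeout ends a chain that waits on itself
		return ctx.Err()
	}
}

// loopDemo: constructed upstream whose fetch re-enters the proxy for the same path.
func loopDemo() (int32, error) {
	ctx, cancel := context.WithTimeout(context.Background(), 100*time.Millisecond)
	defer cancel()
	r := &Resolver{}
	r.Fetch = func(ctx context.Context, path string) error { return r.Resolve(ctx, path) }
	err := r.Resolve(ctx, "example.test/mod")
	return atomic.LoadInt32(&r.Fetches), err
}

func main() { fmt.Println(loopDemo()) }
```

The re-entrant request joins the pending call instead of starting new work, so the fetch runs once and the whole chain ends with a deadline error when the request context expires.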
@hyangah I'm more focused on how it should work as opposed to the security vulnerability side of it.
From a vulnerability standpoint, your suggestion makes sense. Another one is that the proxy server can also issue its own
However, from a feature perspective, I wasn't clear on how
But I'd love a confirmation that the
Thanks again :)
@marwan-at-work One of the use cases where the
For example, the module
I agree that it becomes problematic if the