cmd/go: Let go mod download block proxy sites OR Export Go's Known Hostnames Matching Functionality #40405
This issue is a continuation of #31458
While in the original issue, I was mostly focusing on how the functionality is meant to be used, this issue is about what the Go command can do to help go proxies avoid that vulnerability.
Go treats certain hostnames such as github.com, bitbucket.org and others as "well known" and therefore Go bypasses the
The logic for this functionality lives here
When it comes to a private module, this is important because a `GET github.com/user/private?go-get=1` will return a 404 even if you send it Basic Authentication credentials through a `.netrc` file, because this is a Web request that requires cookie authentication and not an API request.
This is the only way go proxies have been able to support private module fetching from such code hosting sites. So it's important to know that if Go changed its behavior on these well-known hostnames, then all go proxies that deal with private modules would break.
However, there's a problem: say you have a proxy running on
Therefore, the only way for a GOPROXY to avoid that vulnerability is by doing either of the following:
Personally, I believe option 2 is the easiest one from a proxy perspective though I can't speak for the Go implementation.
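To make the "well-known hostnames" decision concrete for a proxy author, here is an added example of how a proxy could make that decision itself. It is illustrative code written for this page, not the go command's own table or the poster's code: the two host entries and their patterns are assumptions shaped like the go command's well-known host table (repository root is `host/owner/repo`, anything deeper is a subdirectory), and the function names `RepoRoot` and `NeedsGoGetDiscovery` are invented here. The point worth noting is that the host prefix carries its trailing slash and the pattern is anchored at both ends, so a look-alike host such as `github.com.evil.example` or a path that merely contains `github.com` later on is not treated as the well-known host.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// knownHost is one entry of a well-known code host table. The go command keeps
// such a table so it can map a module path straight to a repository root
// without the "?go-get=1" meta-tag lookup. The entries below are assumptions
// shaped like that table, not the go command's own list.
type knownHost struct {
	prefix string         // module path must start with this (host plus "/")
	re     *regexp.Regexp // anchored; captures the repository root as "root"
	vcs    string         // version control system the host serves
}

// mustHost builds an entry whose repository root is "host/owner/repo"
// (assumption: that is how both hosts used here lay out repositories).
func mustHost(host, vcs string) knownHost {
	seg := `[A-Za-z0-9_.\-]+`
	pat := `^(?P<root>` + regexp.QuoteMeta(host) + `/` + seg + `/` + seg + `)(/` + seg + `)*$`
	return knownHost{prefix: host + "/", re: regexp.MustCompile(pat), vcs: vcs}
}

var knownHosts = []knownHost{
	mustHost("github.com", "git"),
	mustHost("bitbucket.org", "git"),
}

// RepoRoot reports whether modulePath is on a well-known host and, if so, the
// repository root and VCS a proxy should clone with instead of asking the
// host's web front end for go-import meta tags.
func RepoRoot(modulePath string) (root, vcs string, ok bool) {
	for _, h := range knownHosts {
		// The prefix includes the trailing "/", so "github.com.evil.example/..."
		// is rejected here rather than being treated as github.com.
		if !strings.HasPrefix(modulePath, h.prefix) {
			continue
		}
		m := h.re.FindStringSubmatch(modulePath)
		if m == nil {
			return "", "", false // right host, but no owner/repo pair
		}
		return m[h.re.SubexpIndex("root")], h.vcs, true
	}
	return "", "", false
}

// NeedsGoGetDiscovery is the inverse decision: true when the proxy has to fall
// back to "GET https://<path>?go-get=1", which a private repo answers with 404.
func NeedsGoGetDiscovery(modulePath string) bool {
	_, _, ok := RepoRoot(modulePath)
	return !ok
}

func main() {
	// Constructed sample module paths, including two look-alike attempts.
	for _, p := range []string{
		"github.com/user/private/internal/pkg", // well known, private repo
		"github.com/user",                      // host only, no repo
		"github.com.evil.example/user/private", // look-alike host
		"evil.example/github.com/user/private", // well-known host not at start
		"bitbucket.org/team/repo",
	} {
		root, vcs, ok := RepoRoot(p)
		fmt.Printf("%-40s known=%-5v root=%q vcs=%q\n", p, ok, root, vcs)
	}
}
```

A proxy would call `RepoRoot` before deciding how to fetch: on a hit it clones the returned root with the VCS tool (where `.netrc` credentials do apply), and only on a miss does it issue the `?go-get=1` request.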