cmd/go: go mod verify should check hashes in go.sum against GOSUMDB. #47752

Open
jayconrod opened this issue Aug 17, 2021 · 2 comments
Labels: FeatureRequest, modules, NeedsFix
Milestone: Go1.19

Comments

jayconrod (Contributor) commented Aug 17, 2021

What version of Go are you using (go version)?

$ go version
1.17

Does this issue reproduce with the latest release?

yes

What did you do?

  1. Tag a version of a module, say example.com/m@v0.1.0.
  2. Set GOPROXY=direct, GOSUMDB=off, then go get example.com/m@v0.1.0 in another module. This downloads the version into the cache without notifying proxy.golang.org or sum.golang.org and adds a sum to go.sum.
  3. Change something and update the version tag to point to the new change.
  4. Clear GOPROXY and GOSUMDB.
  5. Run go mod verify, observing no security error.
  6. Clean the module cache with go clean -modcache.
  7. Run go list all or any other command that would download the modified version, observing a security error.

https://github.com/jayconrod/noverify is an example repo. github.com/jayconrod/noverify@v0.1.0 was modified, github.com/jayconrod/noverify/sum is the dependent module.

What did you expect to see?

The first go mod verify command should report a security error. For each module in the build list not matched by GOPRIVATE or GONOSUMDB (that is, each publicly available module), go mod verify should check the hash of the downloaded module and the hash in go.sum against the checksum database in GOSUMDB, assuming it is not disabled.

In this scenario, that hash won't be in the checksum database, and the lookup should cause sum.golang.org to fetch example.com/m@v0.1.0 from its origin and return the sum for the modified version. go mod verify would then report a security error because that sum will not match the original sum in the dependent module's go.sum. go mod verify should also report a security error if sum.golang.org returns any error response (most commonly, 404 or 410) or is not available.

This is important for identifying when both go.sum and the contents of the module cache don't match a publicly available version. People in this situation will see their builds work fine, but builds for other developers and CI builds will fail. go mod verify only checks that go.sum matches the contents of the module cache. It will only consult the checksum database if it needs to download something that's not cached.

What did you see instead?

go mod verify reports no security error in step 5.

@jayconrod jayconrod added NeedsFix modules labels Aug 17, 2021
@jayconrod jayconrod added this to the Go1.18 milestone Aug 17, 2021
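As an added example (not code from this issue or from the Go toolchain), the check the report asks for, sketched in Go against constructed data: every go.sum record whose module is not matched by GONOSUMDB/GOPRIVATE is looked up in a stand-in for sum.golang.org, and a hash mismatch, a missing record (the 404/410 case) or an unreachable database is each reported as a security error rather than silently passing. The module paths, the `h1:` values, `FakeLookup` and `SampleSums` are placeholders constructed for the example; a real implementation would query the real checksum database through the signed-note client cmd/go already uses when downloading.

```go
package main

import (
	"bufio"
	"fmt"
	"path"
	"strings"
)

// SumLine is one go.sum record: "<module> <version>[/go.mod] h1:<hash>".
type SumLine struct{ Module, Version, Hash string }

// ParseGoSum splits go.sum contents into records, rejecting malformed lines.
func ParseGoSum(data string) ([]SumLine, error) {
	var out []SumLine
	sc := bufio.NewScanner(strings.NewReader(data))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 3 || !strings.HasPrefix(f[2], "h1:") {
			return nil, fmt.Errorf("malformed go.sum line: %q", sc.Text())
		}
		out = append(out, SumLine{f[0], f[1], f[2]})
	}
	return out, sc.Err()
}

// MatchPrefixPatterns applies GONOSUMDB/GOPRIVATE semantics: a comma-separated
// glob with N slashes is path.Match'ed against the first N+1 elements of target.
func MatchPrefixPatterns(globs, target string) bool {
	elems := strings.Split(target, "/")
	for _, glob := range strings.Split(globs, ",") {
		glob = strings.TrimSpace(glob)
		n := strings.Count(glob, "/") + 1
		if glob == "" || len(elems) < n {
			continue
		}
		if ok, _ := path.Match(glob, strings.Join(elems[:n], "/")); ok {
			return true
		}
	}
	return false
}

// FakeLookup stands in for sum.golang.org (constructed for this example): a
// missing record plays the 404/410 case and down plays an unreachable database.
func FakeLookup(sums map[string]string, down bool) func(module, version string) (string, error) {
	return func(module, version string) (string, error) {
		if down {
			return "", fmt.Errorf("checksum database unavailable")
		}
		if h, ok := sums[module+" "+version]; ok {
			return h, nil
		}
		return "", fmt.Errorf("checksum database returned 404/410")
	}
}

// VerifyAgainstSumDB returns one "SECURITY ERROR" line per go.sum record the
// database does not confirm: mismatch, missing record, or lookup failure.
// Modules matched by noSumDB are skipped, as GONOSUMDB/GOPRIVATE would skip them.
func VerifyAgainstSumDB(gosum, noSumDB string, lookup func(module, version string) (string, error)) ([]string, error) {
	entries, err := ParseGoSum(gosum)
	if err != nil {
		return nil, err
	}
	var problems []string
	for _, e := range entries {
		if MatchPrefixPatterns(noSumDB, e.Module) {
			continue
		}
		want, err := lookup(e.Module, e.Version)
		switch {
		case err != nil:
			problems = append(problems, fmt.Sprintf("SECURITY ERROR %s %s: %v", e.Module, e.Version, err))
		case want != e.Hash:
			problems = append(problems, fmt.Sprintf("SECURITY ERROR %s %s: go.sum has %s, checksum database has %s", e.Module, e.Version, e.Hash, want))
		}
	}
	return problems, nil
}

// Constructed sample data; the h1: values are placeholders, not real digests.
// example.com/m@v0.1.0 was re-tagged after go.sum recorded it, so the database
// holds a different zip hash while the go.mod hash is unchanged.
const SampleGoSum = `corp.example/internal/tool v1.0.0 h1:private-zip
corp.example/internal/tool v1.0.0/go.mod h1:private-mod
example.com/m v0.1.0 h1:original-zip
example.com/m v0.1.0/go.mod h1:original-mod
example.com/other v1.2.3 h1:other-zip`

var SampleSums = map[string]string{
	"example.com/m v0.1.0":        "h1:retagged-zip",
	"example.com/m v0.1.0/go.mod": "h1:original-mod",
	"example.com/other v1.2.3":    "h1:other-zip",
}

func main() {
	problems, _ := VerifyAgainstSumDB(SampleGoSum, "corp.example/*", FakeLookup(SampleSums, false))
	fmt.Println(strings.Join(problems, "\n")) // flags example.com/m v0.1.0 only
}
```

With the private module excluded via the pattern, only the re-tagged `example.com/m@v0.1.0` is flagged; drop the pattern and the two `corp.example` records become 404/410 errors as well, and an unreachable database turns every public record into an error, which is the behaviour the report asks `go mod verify` to adopt.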
gopherbot commented Aug 26, 2021

Change https://golang.org/cl/345189 mentions this issue: cmd/go/internal/modcmd: check hashes in go.sum against GOSUMDB

ianlancetaylor (Contributor) commented Jan 29, 2022

@bcmills This is in the 1.18 milestone; time to move to 1.19? Thanks.

@bcmills bcmills removed this from the Go1.18 milestone Jan 29, 2022
@bcmills bcmills added this to the Go1.19 milestone Jan 29, 2022