cmd/go/internal/modload: ignore disallowed errors when checking for updates

addUpdate calls Query with the query "upgrade". Normally, this returns the highest release version (or prerelease, etc.) that is higher than the current version and is not retracted or excluded. If there is no such version, Query should return the current version. If the current version is retracted or excluded, then Query currently returns an error. addUpdate should ignore this error, as it ignores ErrNotExist and NoMatchingVersionError. For 'go list -m -u', addRetraction is also called, and that will detect the retraction. Fixes #53594 Change-Id: I90a2872cdeabf03894acad9e0cbdd7db4a4e269e Reviewed-on: https://go-review.googlesource.com/c/go/+/414825 Run-TryBot: Bryan Mills <bcmills@google.com> Reviewed-by: Bryan Mills <bcmills@google.com> Auto-Submit: Bryan Mills <bcmills@google.com> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Michael Knyszek <mknyszek@google.com>
2024-07-05 09:50:19 +00:00 · 2022-06-28 18:15:32 -07:00 · 2022-06-28 18:15:32 -07:00 · 27794c4d4a
commit 27794c4d4a
parent b2b8872c87
3 changed files with 26 additions and 1 deletions
--- a/src/cmd/go/internal/modload/build.go
+++ b/src/cmd/go/internal/modload/build.go
@ -131,10 +131,15 @@ func addUpdate(ctx context.Context, m *modinfo.ModulePublic) {

 	info, err := Query(ctx, m.Path, "upgrade", m.Version, CheckAllowed)
 	var noVersionErr *NoMatchingVersionError
-	if errors.Is(err, fs.ErrNotExist) || errors.As(err, &noVersionErr) {
+	if errors.Is(err, ErrDisallowed) ||
+		errors.Is(err, fs.ErrNotExist) ||
+		errors.As(err, &noVersionErr) {
 		// Ignore "not found" and "no matching version" errors.
 		// This means the proxy has no matching version or no versions at all.
 		//
+		// Ignore "disallowed" errors. This means the current version is
+		// excluded or retracted and there are no higher allowed versions.
+		//
 		// We should report other errors though. An attacker that controls the
 		// network shouldn't be able to hide versions by interfering with
 		// the HTTPS connection. An attacker that controls the proxy may still
--- a/src/cmd/go/testdata/mod/example.com_retract_noupgrade_v1.0.0.txt
+++ b/src/cmd/go/testdata/mod/example.com_retract_noupgrade_v1.0.0.txt
@ -0,0 +1,9 @@
+-- .mod --
+module example.com/retract/noupgrade
+
+go 1.19
+
+retract v1.0.0 // bad
+
+-- .info --
+{"Version":"v1.0.0"}
--- a/src/cmd/go/testdata/script/mod_retract_noupgrade.txt
+++ b/src/cmd/go/testdata/script/mod_retract_noupgrade.txt
@ -0,0 +1,11 @@
+go list -m -u example.com/retract/noupgrade
+stdout '^example.com/retract/noupgrade v1.0.0 \(retracted\)$'
+
+-- go.mod --
+module use
+
+go 1.19
+
+require example.com/retract/noupgrade v1.0.0
+-- go.sum --
+example.com/retract/noupgrade v1.0.0/go.mod h1:q2/HnBejUQ83RcUo4stf2U++/Zr9R/Ky3BsodjKBkQ4=