Merge PR "[AUTO-CHERRYPICK] [HIGH] Patch golang-1.18.8 for CVE-2025-4674 & CVE-2025-47906[MEDIUM] - branch main" microsoft#14830

Co-authored-by: Archana Shettigar <[email protected]>

Author: CBL-Mariner-Bot

SPECS/golang/CVE-2025-4674-1.18.patch

@@ -0,0 +1,313 @@
+From e9d2c032b14c17083be0f8f0c822565199d2994f Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <[email protected]>
+Date: Mon, 9 Jun 2025 11:23:46 -0700
+Subject: [PATCH] [release-branch.go1.23] cmd/go: disable support for multiple
+ vcs in one module
+Upstream Patch Reference: https://github.com/golang/go/commit/e9d2c032b14c17083be0f8f0c822565199d2994f.patch
+
+Removes the somewhat redundant vcs.FromDir, "allowNesting" argument,
+which was always enabled, and disallow multiple VCS metadata folders
+being present in a single directory. This makes VCS injection attacks
+much more difficult.
+
+Also adds a GODEBUG, allowmultiplevcs, which re-enables this behavior.
+
+Thanks to RyotaK (https://ryotak.net) of GMO Flatt Security Inc for
+reporting this issue.
+
+Updates #74380
+Fixes #74382
+Fixes CVE-2025-4674
+
+Change-Id: I2db79f2baacfacfec331ee7c6978c4057d483eba
+Reviewed-on: https://go-review.googlesource.com/c/go/+/686337
+LUCI-TryBot-Result: Go LUCI <[email protected]>
+Reviewed-by: David Chase <[email protected]>
+Reviewed-by: Carlos Amedee <[email protected]>
+Commit-Queue: Carlos Amedee <[email protected]>
+---
+ SECURITY.md                                   |  5 ++
+ src/cmd/go/internal/get/get.go                |  3 +-
+ src/cmd/go/internal/load/pkg.go               | 14 ++---
+ src/cmd/go/internal/vcs/vcs.go                | 36 +++++++++----
+ src/cmd/go/internal/vcs/vcs_test.go           |  2 +-
+ src/cmd/go/testdata/script/test_multivcs.txt  | 54 +++++++++++++++++++
+ .../script/version_buildvcs_nested.txt        | 19 +++++--
+ src/runtime/metrics/doc.go                    |  5 ++
+ 8 files changed, 114 insertions(+), 24 deletions(-)
+ create mode 100644 src/cmd/go/testdata/script/test_multivcs.txt
+
+diff --git a/SECURITY.md b/SECURITY.md
+index 9e92e8b..a0c7d15 100644
+--- a/SECURITY.md
++++ b/SECURITY.md
+@@ -10,4 +10,9 @@ part of that page.
+ 
+ ## Reporting a Vulnerability
+ 
++CVE-2025-4674:
++Go 1.23.11 disabled build information stamping when multiple VCS are detected due
++to concerns around VCS injection attacks. This behavior can be renabled with the
++setting `allowmultiplevcs=1`.
++
+ See https://golang.org/security for how to report a vulnerability.
+diff --git a/src/cmd/go/internal/get/get.go b/src/cmd/go/internal/get/get.go
+index 8cf8fe6..24aec66 100644
+--- a/src/cmd/go/internal/get/get.go
++++ b/src/cmd/go/internal/get/get.go
+@@ -446,8 +446,7 @@ func downloadPackage(p *load.Package) error {
+ 
+ 	if p.Internal.Build.SrcRoot != "" {
+ 		// Directory exists. Look for checkout along path to src.
+-		const allowNesting = false
+-		repoDir, vcsCmd, err = vcs.FromDir(p.Dir, p.Internal.Build.SrcRoot, allowNesting)
++		repoDir, vcsCmd, err = vcs.FromDir(p.Dir, p.Internal.Build.SrcRoot)
+ 		if err != nil {
+ 			return err
+ 		}
+diff --git a/src/cmd/go/internal/load/pkg.go b/src/cmd/go/internal/load/pkg.go
+index 5b5b5ef..373c056 100644
+--- a/src/cmd/go/internal/load/pkg.go
++++ b/src/cmd/go/internal/load/pkg.go
+@@ -2392,9 +2392,8 @@ func (p *Package) setBuildInfo(includeVCS bool) {
+ 	var repoDir string
+ 	var vcsCmd *vcs.Cmd
+ 	var err error
+-	const allowNesting = true
+ 	if includeVCS && cfg.BuildBuildvcs != "false" && p.Module != nil && p.Module.Version == "" && !p.Standard && !p.IsTestOnly() {
+-		repoDir, vcsCmd, err = vcs.FromDir(base.Cwd(), "", allowNesting)
++		repoDir, vcsCmd, err = vcs.FromDir(base.Cwd(), "")
+ 		if err != nil && !errors.Is(err, os.ErrNotExist) {
+ 			setVCSError(err)
+ 			return
+@@ -2417,10 +2416,11 @@ func (p *Package) setBuildInfo(includeVCS bool) {
+ 	}
+ 	if repoDir != "" && vcsCmd.Status != nil {
+ 		// Check that the current directory, package, and module are in the same
+-		// repository. vcs.FromDir allows nested Git repositories, but nesting
+-		// is not allowed for other VCS tools. The current directory may be outside
+-		// p.Module.Dir when a workspace is used.
+-		pkgRepoDir, _, err := vcs.FromDir(p.Dir, "", allowNesting)
++		// repository. vcs.FromDir disallows nested VCS and multiple VCS in the
++		// same repository, unless the GODEBUG allowmultiplevcs is set. The
++		// current directory may be outside p.Module.Dir when a workspace is
++		// used.
++		pkgRepoDir, _, err := vcs.FromDir(p.Dir, "")
+ 		if err != nil {
+ 			setVCSError(err)
+ 			return
+@@ -2432,7 +2432,7 @@ func (p *Package) setBuildInfo(includeVCS bool) {
+ 			}
+ 			goto omitVCS
+ 		}
+-		modRepoDir, _, err := vcs.FromDir(p.Module.Dir, "", allowNesting)
++		modRepoDir, _, err := vcs.FromDir(p.Module.Dir, "")
+ 		if err != nil {
+ 			setVCSError(err)
+ 			return
+diff --git a/src/cmd/go/internal/vcs/vcs.go b/src/cmd/go/internal/vcs/vcs.go
+index 2acabf7..39f38fb 100644
+--- a/src/cmd/go/internal/vcs/vcs.go
++++ b/src/cmd/go/internal/vcs/vcs.go
+@@ -767,11 +767,25 @@ type vcsPath struct {
+ 	schemelessRepo bool                                // if true, the repo pattern lacks a scheme
+ }
+ 
++// allowMultipleVCS checks if GODEBUG=allowmultiplevcs=1 is set
++func allowMultipleVCS() bool {
++	val := os.Getenv("GODEBUG")
++	for _, part := range strings.Split(val, ",") {
++		part = strings.TrimSpace(part) // trim whitespace
++		if strings.HasPrefix(part, "allowmultiplevcs=") {
++			if strings.HasSuffix(part, "=1") {
++				return true
++			}
++		}
++	}
++	return false
++}
++
+ // FromDir inspects dir and its parents to determine the
+ // version control system and code repository to use.
+ // If no repository is found, FromDir returns an error
+ // equivalent to os.ErrNotExist.
+-func FromDir(dir, srcRoot string, allowNesting bool) (repoDir string, vcsCmd *Cmd, err error) {
++func FromDir(dir, srcRoot string) (repoDir string, vcsCmd *Cmd, err error) {
+ 	// Clean and double-check that dir is in (a subdirectory of) srcRoot.
+ 	dir = filepath.Clean(dir)
+ 	if srcRoot != "" {
+@@ -785,25 +798,30 @@ func FromDir(dir, srcRoot string, allowNesting bool) (repoDir string, vcsCmd *Cm
+ 	for len(dir) > len(srcRoot) {
+ 		for _, vcs := range vcsList {
+ 			if _, err := statAny(dir, vcs.RootNames); err == nil {
+-				// Record first VCS we find.
+-				// If allowNesting is false (as it is in GOPATH), keep looking for
+-				// repositories in parent directories and report an error if one is
+-				// found to mitigate VCS injection attacks.
+ 				if vcsCmd == nil {
+ 					vcsCmd = vcs
+ 					repoDir = dir
+-					if allowNesting {
++					if allowMultipleVCS() {
+ 						return repoDir, vcsCmd, nil
+ 					}
++					// If allowmultiplevcs is not set, keep looking for
++					// repositories in current and parent directories and report
++					// an error if one is found to mitigate VCS injection
++					// attacks.
++					continue
++				}
++				if vcsCmd == vcsGit && vcs == vcsGit {
++					// Nested Git is allowed, as this is how things like
++					// submodules work. Git explicitly protects against
++					// injection against itself.
+ 					continue
+ 				}
+ 				// Allow .git inside .git, which can arise due to submodules.
+ 				if vcsCmd == vcs && vcs.Cmd == "git" {
+ 					continue
+ 				}
+-				// Otherwise, we have one VCS inside a different VCS.
+-				return "", nil, fmt.Errorf("directory %q uses %s, but parent %q uses %s",
+-					repoDir, vcsCmd.Cmd, dir, vcs.Cmd)
++				return "", nil, fmt.Errorf("multiple VCS detected: %s in %q, and %s in %q",
++					vcsCmd.Cmd, repoDir, vcs.Cmd, dir)
+ 			}
+ 		}
+ 
+diff --git a/src/cmd/go/internal/vcs/vcs_test.go b/src/cmd/go/internal/vcs/vcs_test.go
+index 943d520..fa122ca 100644
+--- a/src/cmd/go/internal/vcs/vcs_test.go
++++ b/src/cmd/go/internal/vcs/vcs_test.go
+@@ -243,7 +243,7 @@ func TestFromDir(t *testing.T) {
+ 			}
+ 
+ 			wantRepoDir := filepath.Dir(dir)
+-			gotRepoDir, gotVCS, err := FromDir(dir, tempDir, false)
++			gotRepoDir, gotVCS, err := FromDir(dir, tempDir)
+ 			if err != nil {
+ 				t.Errorf("FromDir(%q, %q): %v", dir, tempDir, err)
+ 				continue
+diff --git a/src/cmd/go/testdata/script/test_multivcs.txt b/src/cmd/go/testdata/script/test_multivcs.txt
+new file mode 100644
+index 0000000..538cbf7
+--- /dev/null
++++ b/src/cmd/go/testdata/script/test_multivcs.txt
+@@ -0,0 +1,54 @@
++# To avoid VCS injection attacks, we should not accept multiple different VCS metadata
++# folders within a single module (either in the same directory, or nested in different
++# directories.)
++#
++# This behavior should be disabled by setting the allowmultiplevcs GODEBUG.
++
++[short] skip
++[!git] skip
++
++cd samedir
++
++exec git init .
++
++# Without explicitly requesting buildvcs, the go command should silently continue
++# without determining the correct VCS.
++go test -c -o $devnull .
++
++# If buildvcs is explicitly requested, we expect the go command to fail
++! go test -buildvcs -c -o $devnull .
++stderr '^error obtaining VCS status: multiple VCS detected:'
++
++env GODEBUG=allowmultiplevcs=1
++go test -buildvcs -c -o $devnull .
++
++env GODEBUG=
++cd ../nested
++exec git init .
++# cd a
++go test -c -o $devnull ./a
++! go test -buildvcs -c -o $devnull ./a
++stderr '^error obtaining VCS status: multiple VCS detected:'
++# allowmultiplevcs doesn't disable the check that the current directory, package, and
++# module are in the same repository.
++env GODEBUG=allowmultiplevcs=1
++! go test -buildvcs -c -o $devnull ./a
++stderr '^error obtaining VCS status: main package is in repository'
++
++-- samedir/go.mod --
++module example
++
++go 1.18
++-- samedir/example.go --
++package main
++-- samedir/.bzr/test --
++hello
++
++-- nested/go.mod --
++module example
++
++go 1.18
++-- nested/a/example.go --
++package main
++-- nested/a/.bzr/test --
++hello
+diff --git a/src/cmd/go/testdata/script/version_buildvcs_nested.txt b/src/cmd/go/testdata/script/version_buildvcs_nested.txt
+index a0c69f9..1eafff8 100644
+--- a/src/cmd/go/testdata/script/version_buildvcs_nested.txt
++++ b/src/cmd/go/testdata/script/version_buildvcs_nested.txt
+@@ -9,25 +9,34 @@ cd root
+ go mod init example.com/root
+ exec git init
+ 
+-# Nesting repositories in parent directories are ignored, as the current
+-# directory main package, and containing main module are in the same repository.
+-# This is an error in GOPATH mode (to prevent VCS injection), but for modules,
+-# we assume users have control over repositories they've checked out.
++# Nesting repositories in parent directories are an error, to prevent VCS injection.
++# This can be disabled with the allowmultiplevcs GODEBUG.
+ mkdir hgsub
+ cd hgsub
+ exec hg init
+ cp ../../main.go main.go
+ ! go build
++stderr '^error obtaining VCS status: multiple VCS detected: hg in ".*hgsub", and git in ".*root"$'
++stderr '^\tUse -buildvcs=false to disable VCS stamping.$'
++env GODEBUG=allowmultiplevcs=1
++! go build
+ stderr '^error obtaining VCS status: main module is in repository ".*root" but current directory is in repository ".*hgsub"$'
+ stderr '^\tUse -buildvcs=false to disable VCS stamping.$'
+ go build -buildvcs=false
++env GODEBUG=
+ go mod init example.com/root/hgsub
++! go build
++stderr '^error obtaining VCS status: multiple VCS detected: hg in ".*hgsub", and git in ".*root"$'
++stderr '^\tUse -buildvcs=false to disable VCS stamping.$'
++env GODEBUG=allowmultiplevcs=1
+ go build
++env GODEBUG=
+ cd ..
+ 
+ # It's an error to build a package from a nested Git repository if the package
+ # is in a separate repository from the current directory or from the module
+-# root directory.
++# root directory. Otherwise nested Git repositories are allowed, as this is
++# how Git implements submodules (and protects against Git based VCS injection.)
+ mkdir gitsub
+ cd gitsub
+ exec git init
+diff --git a/src/runtime/metrics/doc.go b/src/runtime/metrics/doc.go
+index 91ef030..27ae51c 100644
+--- a/src/runtime/metrics/doc.go
++++ b/src/runtime/metrics/doc.go
+@@ -102,6 +102,11 @@ Below is the full list of supported metrics, ordered lexicographically.
+ 	/gc/pauses:seconds
+ 		Distribution individual GC-related stop-the-world pause latencies.
+ 
++	/godebug/non-default-behavior/allowmultiplevcs:events
++		The number of non-default behaviors executed by the cmd/go
++		package due to a non-default GODEBUG=allowmultiplevcs=...
++		setting.
++
+ 	/memory/classes/heap/free:bytes
+ 		Memory that is completely free and eligible to be returned to
+ 		the underlying system, but has not been. This metric is the
+-- 
+2.45.4
+