Add a sanity check for git ls-remote output

CHANGELOG.md

@@ -5,6 +5,7 @@ BUG FIXES:
 * Releases targeting Windows now have a `.exe` suffix (#1291).
 * Adaptively recover from dirty and corrupted git repositories in cache (#1279).
 * Suppress git password prompts in more places (#1357).
+* Validate `git ls-remote` output and ignore all malformed lines (#1379)
 
 IMPROVEMENTS:
 

gps/vcs_source.go

@@ -10,6 +10,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"regexp"
 	"strings"
 
 	"github.com/Masterminds/semver"
@@ -117,6 +118,10 @@ func (bs *baseVCSSource) exportRevisionTo(ctx context.Context, r Revision, to st
 	return fs.CopyDir(bs.repo.LocalPath(), to)
 }
 
+var (
+	gitHashRE = regexp.MustCompile(`^[a-f0-9]{40}$`)
+)
+
 // gitSource is a generic git repository implementation that should work with
 // all standard git remotes.
 type gitSource struct {
@@ -238,6 +243,10 @@ func (s *gitSource) exportRevisionTo(ctx context.Context, rev Revision, to strin
 	return nil
 }
 
+func (s *gitSource) isValidHash(hash []byte) bool {
+	return gitHashRE.Match(hash)
+}
+
 func (s *gitSource) listVersions(ctx context.Context) (vlist []PairedVersion, err error) {
 	r := s.repo
 
@@ -298,6 +307,13 @@ func (s *gitSource) listVersions(ctx context.Context) (vlist []PairedVersion, er
 	vlist = make([]PairedVersion, len(all))
 	for _, pair := range all {
 		var v PairedVersion
+		// Valid `git ls-remote` output should start with hash, be at least
+		// 45 chars long and 40th character should be '\t'
+		//
+		// See: https://github.com/golang/dep/pull/1160#issuecomment-328843519
+		if len(pair) < 45 || pair[40] != '\t' || !s.isValidHash(pair[:40]) {
+			continue
+		}
 		if string(pair[41:]) == "HEAD" {
 			// If HEAD is present, it's always first
 			headrev = Revision(pair[:40])