cmd/go/internal/modfetch/codehost: disable fetch of server-resolved commit hash

We cannot rely on the server to filter out the refs we don't want
(we only want refs/heads/* and refs/tags/*), so do not give it
the full hash.

Fixes #31191.

Change-Id: If1208c35954228aa6e8734f8d5f1725d0ec79c87
Reviewed-on: https://go-review.googlesource.com/c/go/+/174517
Run-TryBot: Russ Cox <[email protected]>
Reviewed-by: Bryan C. Mills <[email protected]>
TryBot-Result: Gobot Gobot <[email protected]>

Author: rsc

src/cmd/go/internal/modfetch/codehost/git.go

@@ -32,7 +32,7 @@ func LocalGitRepo(remote string) (Repo, error) {
 	return newGitRepoCached(remote, true)
 }
 
-const gitWorkDirType = "git2"
+const gitWorkDirType = "git3"
 
 var gitRepoCache par.Cache
 
@@ -339,8 +339,14 @@ func (r *gitRepo) stat(rev string) (*RevInfo, error) {
 		}
 	}
 
-	// If we know a specific commit we need, fetch it.
-	if r.fetchLevel <= fetchSome && hash != "" && !r.local {
+	// If we know a specific commit we need and its ref, fetch it.
+	// We do NOT fetch arbitrary hashes (when we don't know the ref)
+	// because we want to avoid ever importing a commit that isn't
+	// reachable from refs/tags/* or refs/heads/* or HEAD.
+	// Both Gerrit and GitHub expose every CL/PR as a named ref,
+	// and we don't want those commits masquerading as being real
+	// pseudo-versions in the main repo.
+	if r.fetchLevel <= fetchSome && ref != "" && hash != "" && !r.local {
 		r.fetchLevel = fetchSome
 		var refspec string
 		if ref != "" && ref != "HEAD" {

src/cmd/go/testdata/script/mod_get_hash.txt

@@ -0,0 +1,19 @@
+env GO111MODULE=on
+env GOPROXY=direct
+env GOSUMDB=off
+[!net] skip
+
+# fetch commit hash reachable from refs/heads/* and refs/tags/* is OK
+go list -m golang.org/x/time@8be79e1e0910c292df4e79c241bb7e8f7e725959 # on master branch
+
+# fetch other commit hash, even with a non-standard ref, is not OK
+! go list -m golang.org/x/time@334d83c35137ac2b376c1dc3e4c7733791855a3a # refs/changes/24/41624/3
+stderr 'unknown revision'
+! go list -m golang.org/x/[email protected]
+stderr 'unknown revision'
+! go list -m golang.org/x/time@334d83c35137
+stderr 'unknown revision'
+
+-- go.mod --
+module m
+