2 files changed, 333 insertions, 0 deletions
diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc
index ea57b23c3e..12d7539017 100644
--- a/meta/recipes-devtools/go/go-1.22.12.inc
+++ b/meta/recipes-devtools/go/go-1.22.12.inc
@@ -17,6 +17,7 @@ SRC_URI += "\
    file://CVE-2025-22870.patch \
    file://CVE-2025-22871.patch \
    file://CVE-2025-4673.patch \
+    file://CVE-2025-4674.patch \
 "
 SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71"
diff --git a/meta/recipes-devtools/go/go/CVE-2025-4674.patch b/meta/recipes-devtools/go/go/CVE-2025-4674.patch
new file mode 100644
index 0000000000..bc6e438652
--- /dev/null
+++ b/meta/recipes-devtools/go/go/CVE-2025-4674.patch
@@ -0,0 +1,332 @@
+From e9d2c032b14c17083be0f8f0c822565199d2994f Mon Sep 17 00:00:00 2001
+From: Roland Shoemaker <bracewell@google.com>
+Date: Mon, 9 Jun 2025 11:23:46 -0700
+Subject: [PATCH] [release-branch.go1.23] cmd/go: disable support for multiple
+ vcs in one module
+Removes the somewhat redundant vcs.FromDir, "allowNesting" argument,
+which was always enabled, and disallow multiple VCS metadata folders
+being present in a single directory. This makes VCS injection attacks
+much more difficult.
+Also adds a GODEBUG, allowmultiplevcs, which re-enables this behavior.
+Thanks to RyotaK (https://ryotak.net) of GMO Flatt Security Inc for
+reporting this issue.
+Updates #74380
+Fixes #74382
+Fixes CVE-2025-4674
+CVE: CVE-2025-4674
+Upstream-Status: Backport [https://github.com/golang/go/commit/e9d2c032b14c17083be0f8f0c822565199d2994f]
+Change-Id: I2db79f2baacfacfec331ee7c6978c4057d483eba
+Reviewed-on: https://go-review.googlesource.com/c/go/+/686337
+LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
+Reviewed-by: David Chase <drchase@google.com>
+Reviewed-by: Carlos Amedee <carlos@golang.org>
+Commit-Queue: Carlos Amedee <carlos@golang.org>
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ doc/godebug.md                                |  4 ++
+ src/cmd/go/internal/load/pkg.go               | 14 ++---
+ src/cmd/go/internal/vcs/vcs.go                | 28 ++++++----
+ src/cmd/go/internal/vcs/vcs_test.go           |  2 +-
+ src/cmd/go/testdata/script/test_multivcs.txt  | 54 +++++++++++++++++++
+ .../script/version_buildvcs_nested.txt        | 20 +++++--
+ src/internal/godebugs/godebugs_test.go        |  3 +-
+ src/internal/godebugs/table.go                |  1 +
+ src/runtime/metrics/doc.go                    |  5 ++
+ 9 files changed, 108 insertions(+), 23 deletions(-)
+ create mode 100644 src/cmd/go/testdata/script/test_multivcs.txt
+diff --git a/doc/godebug.md b/doc/godebug.md
+index fb3f32f..ae4f057 100644
+--- a/doc/godebug.md
+++ b/doc/godebug.md
+@@ -126,6 +126,10 @@ for example,
+ see the [runtime documentation](/pkg/runtime#hdr-Environment_Variables)
+ and the [go command documentation](/cmd/go#hdr-Build_and_test_caching).
+Go 1.23.11 disabled build information stamping when multiple VCS are detected due
+to concerns around VCS injection attacks. This behavior can be renabled with the
+setting `allowmultiplevcs=1`.
+
+ ### Go 1.22
+ Go 1.22 adds a configurable limit to control the maximum acceptable RSA key size
+diff --git a/src/cmd/go/internal/load/pkg.go b/src/cmd/go/internal/load/pkg.go
+index f41fb2c..428780e 100644
+--- a/src/cmd/go/internal/load/pkg.go
+++ b/src/cmd/go/internal/load/pkg.go
+@@ -2465,7 +2465,6 @@ func (p *Package) setBuildInfo(ctx context.Context, autoVCS bool) {
+        var repoDir string
+        var vcsCmd *vcs.Cmd
+        var err error
+-       const allowNesting = true
+        wantVCS := false
+        switch cfg.BuildBuildvcs {
+@@ -2485,7 +2484,7 @@ func (p *Package) setBuildInfo(ctx context.Context, autoVCS bool) {
+                        // (so the bootstrap toolchain packages don't even appear to be in GOROOT).
+                        goto omitVCS
+                }
+-               repoDir, vcsCmd, err = vcs.FromDir(base.Cwd(), "", allowNesting)
+               repoDir, vcsCmd, err = vcs.FromDir(base.Cwd(), "")
+                if err != nil && !errors.Is(err, os.ErrNotExist) {
+                        setVCSError(err)
+                        return
+@@ -2508,10 +2507,11 @@ func (p *Package) setBuildInfo(ctx context.Context, autoVCS bool) {
+        }
+        if repoDir != "" && vcsCmd.Status != nil {
+                // Check that the current directory, package, and module are in the same
+-               // repository. vcs.FromDir allows nested Git repositories, but nesting
+-               // is not allowed for other VCS tools. The current directory may be outside
+-               // p.Module.Dir when a workspace is used.
+-               pkgRepoDir, _, err := vcs.FromDir(p.Dir, "", allowNesting)
+               // repository. vcs.FromDir disallows nested VCS and multiple VCS in the
+               // same repository, unless the GODEBUG allowmultiplevcs is set. The
+               // current directory may be outside p.Module.Dir when a workspace is
+               // used.
+               pkgRepoDir, _, err := vcs.FromDir(p.Dir, "")
+                if err != nil {
+                        setVCSError(err)
+                        return
+@@ -2523,7 +2523,7 @@ func (p *Package) setBuildInfo(ctx context.Context, autoVCS bool) {
+                        }
+                        goto omitVCS
+                }
+-               modRepoDir, _, err := vcs.FromDir(p.Module.Dir, "", allowNesting)
+               modRepoDir, _, err := vcs.FromDir(p.Module.Dir, "")
+                if err != nil {
+                        setVCSError(err)
+                        return
+diff --git a/src/cmd/go/internal/vcs/vcs.go b/src/cmd/go/internal/vcs/vcs.go
+index 8550f2a..89d9f0e 100644
+--- a/src/cmd/go/internal/vcs/vcs.go
+++ b/src/cmd/go/internal/vcs/vcs.go
+@@ -8,6 +8,7 @@ import (
+        "bytes"
+        "errors"
+        "fmt"
+       "internal/godebug"
+        "internal/lazyregexp"
+        "internal/singleflight"
+        "io/fs"
+@@ -831,11 +832,13 @@ type vcsPath struct {
+        schemelessRepo bool                                // if true, the repo pattern lacks a scheme
+ }
+var allowmultiplevcs = godebug.New("allowmultiplevcs")
+
+ // FromDir inspects dir and its parents to determine the
+ // version control system and code repository to use.
+ // If no repository is found, FromDir returns an error
+ // equivalent to os.ErrNotExist.
+-func FromDir(dir, srcRoot string, allowNesting bool) (repoDir string, vcsCmd *Cmd, err error) {
+func FromDir(dir, srcRoot string) (repoDir string, vcsCmd *Cmd, err error) {
+        // Clean and double-check that dir is in (a subdirectory of) srcRoot.
+        dir = filepath.Clean(dir)
+        if srcRoot != "" {
+@@ -849,21 +852,28 @@ func FromDir(dir, srcRoot string, allowNesting bool) (repoDir string, vcsCmd *Cm
+        for len(dir) > len(srcRoot) {
+                for _, vcs := range vcsList {
+                        if isVCSRoot(dir, vcs.RootNames) {
+-                               // Record first VCS we find.
+-                               // If allowNesting is false (as it is in GOPATH), keep looking for
+-                               // repositories in parent directories and report an error if one is
+-                               // found to mitigate VCS injection attacks.
+                                if vcsCmd == nil {
+                                       // Record first VCS we find.
+                                        vcsCmd = vcs
+                                        repoDir = dir
+-                                       if allowNesting {
+                                       if allowmultiplevcs.Value() == "1" {
+                                               allowmultiplevcs.IncNonDefault()
+                                                return repoDir, vcsCmd, nil
+                                        }
+                                       // If allowmultiplevcs is not set, keep looking for
+                                       // repositories in current and parent directories and report
+                                       // an error if one is found to mitigate VCS injection
+                                       // attacks.
+                                       continue
+                               }
+                               if vcsCmd == vcsGit && vcs == vcsGit {
+                                       // Nested Git is allowed, as this is how things like
+                                       // submodules work. Git explicitly protects against
+                                       // injection against itself.
+                                        continue
+                                }
+-                               // Otherwise, we have one VCS inside a different VCS.
+-                               return "", nil, fmt.Errorf("directory %q uses %s, but parent %q uses %s",
+-                                       repoDir, vcsCmd.Cmd, dir, vcs.Cmd)
+                               return "", nil, fmt.Errorf("multiple VCS detected: %s in %q, and %s in %q",
+                                       vcsCmd.Cmd, repoDir, vcs.Cmd, dir)
+                        }
+                }
+diff --git a/src/cmd/go/internal/vcs/vcs_test.go b/src/cmd/go/internal/vcs/vcs_test.go
+index 2ce85ea..06e63c2 100644
+--- a/src/cmd/go/internal/vcs/vcs_test.go
+++ b/src/cmd/go/internal/vcs/vcs_test.go
+@@ -239,7 +239,7 @@ func TestFromDir(t *testing.T) {
+                        }
+                        wantRepoDir := filepath.Dir(dir)
+-                       gotRepoDir, gotVCS, err := FromDir(dir, tempDir, false)
+                       gotRepoDir, gotVCS, err := FromDir(dir, tempDir)
+                        if err != nil {
+                                t.Errorf("FromDir(%q, %q): %v", dir, tempDir, err)
+                                continue
+diff --git a/src/cmd/go/testdata/script/test_multivcs.txt b/src/cmd/go/testdata/script/test_multivcs.txt
+new file mode 100644
+index 0000000..538cbf7
+--- /dev/null
+++ b/src/cmd/go/testdata/script/test_multivcs.txt
+@@ -0,0 +1,54 @@
+# To avoid VCS injection attacks, we should not accept multiple different VCS metadata
+# folders within a single module (either in the same directory, or nested in different
+# directories.)
+#
+# This behavior should be disabled by setting the allowmultiplevcs GODEBUG.
+
+[short] skip
+[!git] skip
+
+cd samedir
+
+exec git init .
+
+# Without explicitly requesting buildvcs, the go command should silently continue
+# without determining the correct VCS.
+go test -c -o $devnull .
+
+# If buildvcs is explicitly requested, we expect the go command to fail
+! go test -buildvcs -c -o $devnull .
+stderr '^error obtaining VCS status: multiple VCS detected:'
+
+env GODEBUG=allowmultiplevcs=1
+go test -buildvcs -c -o $devnull .
+
+env GODEBUG=
+cd ../nested
+exec git init .
+# cd a
+go test -c -o $devnull ./a
+! go test -buildvcs -c -o $devnull ./a
+stderr '^error obtaining VCS status: multiple VCS detected:'
+# allowmultiplevcs doesn't disable the check that the current directory, package, and
+# module are in the same repository.
+env GODEBUG=allowmultiplevcs=1
+! go test -buildvcs -c -o $devnull ./a
+stderr '^error obtaining VCS status: main package is in repository'
+
+-- samedir/go.mod --
+module example
+
+go 1.18
+-- samedir/example.go --
+package main
+-- samedir/.bzr/test --
+hello
+
+-- nested/go.mod --
+module example
+
+go 1.18
+-- nested/a/example.go --
+package main
+-- nested/a/.bzr/test --
+hello
+diff --git a/src/cmd/go/testdata/script/version_buildvcs_nested.txt b/src/cmd/go/testdata/script/version_buildvcs_nested.txt
+index 6dab847..22cd71c 100644
+--- a/src/cmd/go/testdata/script/version_buildvcs_nested.txt
+++ b/src/cmd/go/testdata/script/version_buildvcs_nested.txt
+@@ -9,25 +9,35 @@ cd root
+ go mod init example.com/root
+ exec git init
+-# Nesting repositories in parent directories are ignored, as the current
+-# directory main package, and containing main module are in the same repository.
+-# This is an error in GOPATH mode (to prevent VCS injection), but for modules,
+-# we assume users have control over repositories they've checked out.
+
+# Nesting repositories in parent directories are an error, to prevent VCS injection.
+# This can be disabled with the allowmultiplevcs GODEBUG.
+ mkdir hgsub
+ cd hgsub
+ exec hg init
+ cp ../../main.go main.go
+ ! go build
+stderr '^error obtaining VCS status: multiple VCS detected: hg in ".*hgsub", and git in ".*root"$'
+stderr '^\tUse -buildvcs=false to disable VCS stamping.$'
+env GODEBUG=allowmultiplevcs=1
+! go build
+ stderr '^error obtaining VCS status: main module is in repository ".*root" but current directory is in repository ".*hgsub"$'
+ stderr '^\tUse -buildvcs=false to disable VCS stamping.$'
+ go build -buildvcs=false
+env GODEBUG=
+ go mod init example.com/root/hgsub
+! go build
+stderr '^error obtaining VCS status: multiple VCS detected: hg in ".*hgsub", and git in ".*root"$'
+stderr '^\tUse -buildvcs=false to disable VCS stamping.$'
+env GODEBUG=allowmultiplevcs=1
+ go build
+env GODEBUG=
+ cd ..
+ # It's an error to build a package from a nested Git repository if the package
+ # is in a separate repository from the current directory or from the module
+-# root directory.
+# root directory. Otherwise nested Git repositories are allowed, as this is
+# how Git implements submodules (and protects against Git based VCS injection.)
+ mkdir gitsub
+ cd gitsub
+ exec git init
+diff --git a/src/internal/godebugs/godebugs_test.go b/src/internal/godebugs/godebugs_test.go
+index a1cb8d4..b3784eb 100644
+--- a/src/internal/godebugs/godebugs_test.go
+++ b/src/internal/godebugs/godebugs_test.go
+@@ -39,7 +39,8 @@ func TestAll(t *testing.T) {
+                if info.Old != "" && info.Changed == 0 {
+                        t.Errorf("Name=%s has Old, missing Changed", info.Name)
+                }
+-               if !strings.Contains(doc, "`"+info.Name+"`") {
+               if !strings.Contains(doc, "`"+info.Name+"`") &&
+                       !strings.Contains(doc, "`"+info.Name+"=") {
+                        t.Errorf("Name=%s not documented in doc/godebug.md", info.Name)
+                }
+        }
+diff --git a/src/internal/godebugs/table.go b/src/internal/godebugs/table.go
+index 11c5b7d..33dcd81 100644
+--- a/src/internal/godebugs/table.go
+++ b/src/internal/godebugs/table.go
+@@ -25,6 +25,7 @@ type Info struct {
+ // Note: After adding entries to this table, update the list in doc/godebug.md as well.
+ // (Otherwise the test in this package will fail.)
+ var All = []Info{
+       {Name: "allowmultiplevcs", Package: "cmd/go"},
+        {Name: "execerrdot", Package: "os/exec"},
+        {Name: "gocachehash", Package: "cmd/go"},
+        {Name: "gocachetest", Package: "cmd/go"},
+diff --git a/src/runtime/metrics/doc.go b/src/runtime/metrics/doc.go
+index 85f256d..517ec0e 100644
+--- a/src/runtime/metrics/doc.go
+++ b/src/runtime/metrics/doc.go
+@@ -230,6 +230,11 @@ Below is the full list of supported metrics, ordered lexicographically.
+        /gc/stack/starting-size:bytes
+                The stack size of new goroutines.
+       /godebug/non-default-behavior/allowmultiplevcs:events
+               The number of non-default behaviors executed by the cmd/go
+               package due to a non-default GODEBUG=allowmultiplevcs=...
+               setting.
+
+        /godebug/non-default-behavior/execerrdot:events
+                The number of non-default behaviors executed by the os/exec
+                package due to a non-default GODEBUG=execerrdot=... setting.
+--
+2.40.0

diff --git a/meta/recipes-devtools/go/go-1.22.12.inc b/meta/recipes-devtools/go/go-1.22.12.inc index ea57b23c3e..12d7539017 100644 --- a/meta/recipes-devtools/go/go-1.22.12.inc +++ b/meta/recipes-devtools/go/go-1.22.12.inc
@@ -17,6 +17,7 @@ SRC_URI += "\
17	file://CVE-2025-22870.patch \	17	file://CVE-2025-22870.patch \
18	file://CVE-2025-22871.patch \	18	file://CVE-2025-22871.patch \
19	file://CVE-2025-4673.patch \	19	file://CVE-2025-4673.patch \
		20	file://CVE-2025-4674.patch \
20	"	21	"
21	SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71"	22	SRC_URI[main.sha256sum] = "012a7e1f37f362c0918c1dfa3334458ac2da1628c4b9cf4d9ca02db986e17d71"
22		23


diff --git a/meta/recipes-devtools/go/go/CVE-2025-4674.patch b/meta/recipes-devtools/go/go/CVE-2025-4674.patch new file mode 100644 index 0000000000..bc6e438652 --- /dev/null +++ b/meta/recipes-devtools/go/go/CVE-2025-4674.patch
@@ -0,0 +1,332 @@
		1	From e9d2c032b14c17083be0f8f0c822565199d2994f Mon Sep 17 00:00:00 2001
		2	From: Roland Shoemaker <bracewell@google.com>
		3	Date: Mon, 9 Jun 2025 11:23:46 -0700
		4	Subject: [PATCH] [release-branch.go1.23] cmd/go: disable support for multiple
		5	vcs in one module
		6
		7	Removes the somewhat redundant vcs.FromDir, "allowNesting" argument,
		8	which was always enabled, and disallow multiple VCS metadata folders
		9	being present in a single directory. This makes VCS injection attacks
		10	much more difficult.
		11
		12	Also adds a GODEBUG, allowmultiplevcs, which re-enables this behavior.
		13
		14	Thanks to RyotaK (https://ryotak.net) of GMO Flatt Security Inc for
		15	reporting this issue.
		16
		17	Updates #74380
		18	Fixes #74382
		19	Fixes CVE-2025-4674
		20
		21	CVE: CVE-2025-4674
		22
		23	Upstream-Status: Backport [https://github.com/golang/go/commit/e9d2c032b14c17083be0f8f0c822565199d2994f]
		24
		25	Change-Id: I2db79f2baacfacfec331ee7c6978c4057d483eba
		26	Reviewed-on: https://go-review.googlesource.com/c/go/+/686337
		27	LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
		28	Reviewed-by: David Chase <drchase@google.com>
		29	Reviewed-by: Carlos Amedee <carlos@golang.org>
		30	Commit-Queue: Carlos Amedee <carlos@golang.org>
		31
		32	Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
		33	---
		34	doc/godebug.md \| 4 ++
		35	src/cmd/go/internal/load/pkg.go \| 14 ++---
		36	src/cmd/go/internal/vcs/vcs.go \| 28 ++++++----
		37	src/cmd/go/internal/vcs/vcs_test.go \| 2 +-
		38	src/cmd/go/testdata/script/test_multivcs.txt \| 54 +++++++++++++++++++
		39	.../script/version_buildvcs_nested.txt \| 20 +++++--
		40	src/internal/godebugs/godebugs_test.go \| 3 +-
		41	src/internal/godebugs/table.go \| 1 +
		42	src/runtime/metrics/doc.go \| 5 ++
		43	9 files changed, 108 insertions(+), 23 deletions(-)
		44	create mode 100644 src/cmd/go/testdata/script/test_multivcs.txt
		45
		46	diff --git a/doc/godebug.md b/doc/godebug.md
		47	index fb3f32f..ae4f057 100644
		48	--- a/doc/godebug.md
		49	+++ b/doc/godebug.md
		50	@@ -126,6 +126,10 @@ for example,
		51	see the [runtime documentation](/pkg/runtime#hdr-Environment_Variables)
		52	and the [go command documentation](/cmd/go#hdr-Build_and_test_caching).
		53
		54	+Go 1.23.11 disabled build information stamping when multiple VCS are detected due
		55	+to concerns around VCS injection attacks. This behavior can be renabled with the
		56	+setting `allowmultiplevcs=1`.
		57	+
		58	### Go 1.22
		59
		60	Go 1.22 adds a configurable limit to control the maximum acceptable RSA key size
		61	diff --git a/src/cmd/go/internal/load/pkg.go b/src/cmd/go/internal/load/pkg.go
		62	index f41fb2c..428780e 100644
		63	--- a/src/cmd/go/internal/load/pkg.go
		64	+++ b/src/cmd/go/internal/load/pkg.go
		65	@@ -2465,7 +2465,6 @@ func (p *Package) setBuildInfo(ctx context.Context, autoVCS bool) {
		66	var repoDir string
		67	var vcsCmd *vcs.Cmd
		68	var err error
		69	- const allowNesting = true
		70
		71	wantVCS := false
		72	switch cfg.BuildBuildvcs {
		73	@@ -2485,7 +2484,7 @@ func (p *Package) setBuildInfo(ctx context.Context, autoVCS bool) {
		74	// (so the bootstrap toolchain packages don't even appear to be in GOROOT).
		75	goto omitVCS
		76	}
		77	- repoDir, vcsCmd, err = vcs.FromDir(base.Cwd(), "", allowNesting)
		78	+ repoDir, vcsCmd, err = vcs.FromDir(base.Cwd(), "")
		79	if err != nil && !errors.Is(err, os.ErrNotExist) {
		80	setVCSError(err)
		81	return
		82	@@ -2508,10 +2507,11 @@ func (p *Package) setBuildInfo(ctx context.Context, autoVCS bool) {
		83	}
		84	if repoDir != "" && vcsCmd.Status != nil {
		85	// Check that the current directory, package, and module are in the same
		86	- // repository. vcs.FromDir allows nested Git repositories, but nesting
		87	- // is not allowed for other VCS tools. The current directory may be outside
		88	- // p.Module.Dir when a workspace is used.
		89	- pkgRepoDir, _, err := vcs.FromDir(p.Dir, "", allowNesting)
		90	+ // repository. vcs.FromDir disallows nested VCS and multiple VCS in the
		91	+ // same repository, unless the GODEBUG allowmultiplevcs is set. The
		92	+ // current directory may be outside p.Module.Dir when a workspace is
		93	+ // used.
		94	+ pkgRepoDir, _, err := vcs.FromDir(p.Dir, "")
		95	if err != nil {
		96	setVCSError(err)
		97	return
		98	@@ -2523,7 +2523,7 @@ func (p *Package) setBuildInfo(ctx context.Context, autoVCS bool) {
		99	}
		100	goto omitVCS
		101	}
		102	- modRepoDir, _, err := vcs.FromDir(p.Module.Dir, "", allowNesting)
		103	+ modRepoDir, _, err := vcs.FromDir(p.Module.Dir, "")
		104	if err != nil {
		105	setVCSError(err)
		106	return
		107	diff --git a/src/cmd/go/internal/vcs/vcs.go b/src/cmd/go/internal/vcs/vcs.go
		108	index 8550f2a..89d9f0e 100644
		109	--- a/src/cmd/go/internal/vcs/vcs.go
		110	+++ b/src/cmd/go/internal/vcs/vcs.go
		111	@@ -8,6 +8,7 @@ import (
		112	"bytes"
		113	"errors"
		114	"fmt"
		115	+ "internal/godebug"
		116	"internal/lazyregexp"
		117	"internal/singleflight"
		118	"io/fs"
		119	@@ -831,11 +832,13 @@ type vcsPath struct {
		120	schemelessRepo bool // if true, the repo pattern lacks a scheme
		121	}
		122
		123	+var allowmultiplevcs = godebug.New("allowmultiplevcs")
		124	+
		125	// FromDir inspects dir and its parents to determine the
		126	// version control system and code repository to use.
		127	// If no repository is found, FromDir returns an error
		128	// equivalent to os.ErrNotExist.
		129	-func FromDir(dir, srcRoot string, allowNesting bool) (repoDir string, vcsCmd *Cmd, err error) {
		130	+func FromDir(dir, srcRoot string) (repoDir string, vcsCmd *Cmd, err error) {
		131	// Clean and double-check that dir is in (a subdirectory of) srcRoot.
		132	dir = filepath.Clean(dir)
		133	if srcRoot != "" {
		134	@@ -849,21 +852,28 @@ func FromDir(dir, srcRoot string, allowNesting bool) (repoDir string, vcsCmd *Cm
		135	for len(dir) > len(srcRoot) {
		136	for _, vcs := range vcsList {
		137	if isVCSRoot(dir, vcs.RootNames) {
		138	- // Record first VCS we find.
		139	- // If allowNesting is false (as it is in GOPATH), keep looking for
		140	- // repositories in parent directories and report an error if one is
		141	- // found to mitigate VCS injection attacks.
		142	if vcsCmd == nil {
		143	+ // Record first VCS we find.
		144	vcsCmd = vcs
		145	repoDir = dir
		146	- if allowNesting {
		147	+ if allowmultiplevcs.Value() == "1" {
		148	+ allowmultiplevcs.IncNonDefault()
		149	return repoDir, vcsCmd, nil
		150	}
		151	+ // If allowmultiplevcs is not set, keep looking for
		152	+ // repositories in current and parent directories and report
		153	+ // an error if one is found to mitigate VCS injection
		154	+ // attacks.
		155	+ continue
		156	+ }
		157	+ if vcsCmd == vcsGit && vcs == vcsGit {
		158	+ // Nested Git is allowed, as this is how things like
		159	+ // submodules work. Git explicitly protects against
		160	+ // injection against itself.
		161	continue
		162	}
		163	- // Otherwise, we have one VCS inside a different VCS.
		164	- return "", nil, fmt.Errorf("directory %q uses %s, but parent %q uses %s",
		165	- repoDir, vcsCmd.Cmd, dir, vcs.Cmd)
		166	+ return "", nil, fmt.Errorf("multiple VCS detected: %s in %q, and %s in %q",
		167	+ vcsCmd.Cmd, repoDir, vcs.Cmd, dir)
		168	}
		169	}
		170
		171	diff --git a/src/cmd/go/internal/vcs/vcs_test.go b/src/cmd/go/internal/vcs/vcs_test.go
		172	index 2ce85ea..06e63c2 100644
		173	--- a/src/cmd/go/internal/vcs/vcs_test.go
		174	+++ b/src/cmd/go/internal/vcs/vcs_test.go
		175	@@ -239,7 +239,7 @@ func TestFromDir(t *testing.T) {
		176	}
		177
		178	wantRepoDir := filepath.Dir(dir)
		179	- gotRepoDir, gotVCS, err := FromDir(dir, tempDir, false)
		180	+ gotRepoDir, gotVCS, err := FromDir(dir, tempDir)
		181	if err != nil {
		182	t.Errorf("FromDir(%q, %q): %v", dir, tempDir, err)
		183	continue
		184	diff --git a/src/cmd/go/testdata/script/test_multivcs.txt b/src/cmd/go/testdata/script/test_multivcs.txt
		185	new file mode 100644
		186	index 0000000..538cbf7
		187	--- /dev/null
		188	+++ b/src/cmd/go/testdata/script/test_multivcs.txt
		189	@@ -0,0 +1,54 @@
		190	+# To avoid VCS injection attacks, we should not accept multiple different VCS metadata
		191	+# folders within a single module (either in the same directory, or nested in different
		192	+# directories.)
		193	+#
		194	+# This behavior should be disabled by setting the allowmultiplevcs GODEBUG.
		195	+
		196	+[short] skip
		197	+[!git] skip
		198	+
		199	+cd samedir
		200	+
		201	+exec git init .
		202	+
		203	+# Without explicitly requesting buildvcs, the go command should silently continue
		204	+# without determining the correct VCS.
		205	+go test -c -o $devnull .
		206	+
		207	+# If buildvcs is explicitly requested, we expect the go command to fail
		208	+! go test -buildvcs -c -o $devnull .
		209	+stderr '^error obtaining VCS status: multiple VCS detected:'
		210	+
		211	+env GODEBUG=allowmultiplevcs=1
		212	+go test -buildvcs -c -o $devnull .
		213	+
		214	+env GODEBUG=
		215	+cd ../nested
		216	+exec git init .
		217	+# cd a
		218	+go test -c -o $devnull ./a
		219	+! go test -buildvcs -c -o $devnull ./a
		220	+stderr '^error obtaining VCS status: multiple VCS detected:'
		221	+# allowmultiplevcs doesn't disable the check that the current directory, package, and
		222	+# module are in the same repository.
		223	+env GODEBUG=allowmultiplevcs=1
		224	+! go test -buildvcs -c -o $devnull ./a
		225	+stderr '^error obtaining VCS status: main package is in repository'
		226	+
		227	+-- samedir/go.mod --
		228	+module example
		229	+
		230	+go 1.18
		231	+-- samedir/example.go --
		232	+package main
		233	+-- samedir/.bzr/test --
		234	+hello
		235	+
		236	+-- nested/go.mod --
		237	+module example
		238	+
		239	+go 1.18
		240	+-- nested/a/example.go --
		241	+package main
		242	+-- nested/a/.bzr/test --
		243	+hello
		244	diff --git a/src/cmd/go/testdata/script/version_buildvcs_nested.txt b/src/cmd/go/testdata/script/version_buildvcs_nested.txt
		245	index 6dab847..22cd71c 100644
		246	--- a/src/cmd/go/testdata/script/version_buildvcs_nested.txt
		247	+++ b/src/cmd/go/testdata/script/version_buildvcs_nested.txt
		248	@@ -9,25 +9,35 @@ cd root
		249	go mod init example.com/root
		250	exec git init
		251
		252	-# Nesting repositories in parent directories are ignored, as the current
		253	-# directory main package, and containing main module are in the same repository.
		254	-# This is an error in GOPATH mode (to prevent VCS injection), but for modules,
		255	-# we assume users have control over repositories they've checked out.
		256	+
		257	+# Nesting repositories in parent directories are an error, to prevent VCS injection.
		258	+# This can be disabled with the allowmultiplevcs GODEBUG.
		259	mkdir hgsub
		260	cd hgsub
		261	exec hg init
		262	cp ../../main.go main.go
		263	! go build
		264	+stderr '^error obtaining VCS status: multiple VCS detected: hg in ".hgsub", and git in ".root"$'
		265	+stderr '^\tUse -buildvcs=false to disable VCS stamping.$'
		266	+env GODEBUG=allowmultiplevcs=1
		267	+! go build
		268	stderr '^error obtaining VCS status: main module is in repository ".root" but current directory is in repository ".hgsub"$'
		269	stderr '^\tUse -buildvcs=false to disable VCS stamping.$'
		270	go build -buildvcs=false
		271	+env GODEBUG=
		272	go mod init example.com/root/hgsub
		273	+! go build
		274	+stderr '^error obtaining VCS status: multiple VCS detected: hg in ".hgsub", and git in ".root"$'
		275	+stderr '^\tUse -buildvcs=false to disable VCS stamping.$'
		276	+env GODEBUG=allowmultiplevcs=1
		277	go build
		278	+env GODEBUG=
		279	cd ..
		280
		281	# It's an error to build a package from a nested Git repository if the package
		282	# is in a separate repository from the current directory or from the module
		283	-# root directory.
		284	+# root directory. Otherwise nested Git repositories are allowed, as this is
		285	+# how Git implements submodules (and protects against Git based VCS injection.)
		286	mkdir gitsub
		287	cd gitsub
		288	exec git init
		289	diff --git a/src/internal/godebugs/godebugs_test.go b/src/internal/godebugs/godebugs_test.go
		290	index a1cb8d4..b3784eb 100644
		291	--- a/src/internal/godebugs/godebugs_test.go
		292	+++ b/src/internal/godebugs/godebugs_test.go
		293	@@ -39,7 +39,8 @@ func TestAll(t *testing.T) {
		294	if info.Old != "" && info.Changed == 0 {
		295	t.Errorf("Name=%s has Old, missing Changed", info.Name)
		296	}
		297	- if !strings.Contains(doc, "`"+info.Name+"`") {
		298	+ if !strings.Contains(doc, "`"+info.Name+"`") &&
		299	+ !strings.Contains(doc, "`"+info.Name+"=") {
		300	t.Errorf("Name=%s not documented in doc/godebug.md", info.Name)
		301	}
		302	}
		303	diff --git a/src/internal/godebugs/table.go b/src/internal/godebugs/table.go
		304	index 11c5b7d..33dcd81 100644
		305	--- a/src/internal/godebugs/table.go
		306	+++ b/src/internal/godebugs/table.go
		307	@@ -25,6 +25,7 @@ type Info struct {
		308	// Note: After adding entries to this table, update the list in doc/godebug.md as well.
		309	// (Otherwise the test in this package will fail.)
		310	var All = []Info{
		311	+ {Name: "allowmultiplevcs", Package: "cmd/go"},
		312	{Name: "execerrdot", Package: "os/exec"},
		313	{Name: "gocachehash", Package: "cmd/go"},
		314	{Name: "gocachetest", Package: "cmd/go"},
		315	diff --git a/src/runtime/metrics/doc.go b/src/runtime/metrics/doc.go
		316	index 85f256d..517ec0e 100644
		317	--- a/src/runtime/metrics/doc.go
		318	+++ b/src/runtime/metrics/doc.go
		319	@@ -230,6 +230,11 @@ Below is the full list of supported metrics, ordered lexicographically.
		320	/gc/stack/starting-size:bytes
		321	The stack size of new goroutines.
		322
		323	+ /godebug/non-default-behavior/allowmultiplevcs:events
		324	+ The number of non-default behaviors executed by the cmd/go
		325	+ package due to a non-default GODEBUG=allowmultiplevcs=...
		326	+ setting.
		327	+
		328	/godebug/non-default-behavior/execerrdot:events
		329	The number of non-default behaviors executed by the os/exec
		330	package due to a non-default GODEBUG=execerrdot=... setting.
		331	--
		332	2.40.0