cmd/go: validating version format in mod edit

Version strings set by -retract and -exclude are not canonicalized
by go mod commands. This change adds validation to go mod edit to
prevent invalid version strings from being added to the go.mod file.

For golang/go#43280

Change-Id: I3708b7a09111a56effac1fe1165122772e3f2d75
Reviewed-on: https://go-review.googlesource.com/c/mod/+/279394
Run-TryBot: Bryan C. Mills <bcmills@google.com>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Jay Conrod <jayconrod@google.com>
Reviewed-by: Bryan C. Mills <bcmills@google.com>
Trust: Michael Matloob <matloob@golang.org>

Author: tzierbock

modfile/rule.go

@@ -832,7 +832,16 @@ func (f *File) DropRequire(path string) error {
 	return nil
 }
 
+// AddExclude adds a exclude statement to the mod file. Errors if the provided
+// version is not a canonical version string
 func (f *File) AddExclude(path, vers string) error {
+	if !isCanonicalVersion(vers) {
+		return &module.InvalidVersionError{
+			Version: vers,
+			Err:     errors.New("must be of the form v1.2.3"),
+		}
+	}
+
 	var hint *Line
 	for _, x := range f.Exclude {
 		if x.Mod.Path == path && x.Mod.Version == vers {
@@ -904,7 +913,22 @@ func (f *File) DropReplace(oldPath, oldVers string) error {
 	return nil
 }
 
+// AddRetract adds a retract statement to the mod file. Errors if the provided
+// version interval does not consist of canonical version strings
 func (f *File) AddRetract(vi VersionInterval, rationale string) error {
+	if !isCanonicalVersion(vi.High) {
+		return &module.InvalidVersionError{
+			Version: vi.High,
+			Err:     errors.New("must be of the form v1.2.3"),
+		}
+	}
+	if !isCanonicalVersion(vi.Low) {
+		return &module.InvalidVersionError{
+			Version: vi.Low,
+			Err:     errors.New("must be of the form v1.2.3"),
+		}
+	}
+
 	r := &Retract{
 		VersionInterval: vi,
 	}
@@ -1061,3 +1085,9 @@ func lineRetractLess(li, lj *Line) bool {
 	}
 	return semver.Compare(vii.High, vij.High) > 0
 }
+
+// isCanonicalVersion tests if the provided version string represents a valid
+// canonical version.
+func isCanonicalVersion(vers string) bool {
+	return vers != "" && semver.Canonical(vers) == vers
+}

modfile/rule_test.go

@@ -568,6 +568,48 @@ var sortBlocksTests = []struct {
 	},
 }
 
+var addRetractValidateVersionTests = []struct {
+	dsc, low, high string
+}{
+	{
+		"blank_version",
+		"",
+		"",
+	},
+	{
+		"missing_prefix",
+		"1.0.0",
+		"1.0.0",
+	},
+	{
+		"non_canonical",
+		"v1.2",
+		"v1.2",
+	},
+	{
+		"invalid_range",
+		"v1.2.3",
+		"v1.3",
+	},
+}
+
+var addExcludeValidateVersionTests = []struct {
+	dsc, ver string
+}{
+	{
+		"blank_version",
+		"",
+	},
+	{
+		"missing_prefix",
+		"1.0.0",
+	},
+	{
+		"non_canonical",
+		"v1.2",
+	},
+}
+
 func TestAddRequire(t *testing.T) {
 	for _, tt := range addRequireTests {
 		t.Run(tt.desc, func(t *testing.T) {
@@ -699,3 +741,31 @@ func testEdit(t *testing.T, in, want string, strict bool, transform func(f *File
 
 	return f
 }
+
+func TestAddRetractValidateVersion(t *testing.T) {
+	for _, tt := range addRetractValidateVersionTests {
+		t.Run(tt.dsc, func(t *testing.T) {
+			f, err := Parse("in", []byte("module m"), nil)
+			if err != nil {
+				t.Fatal(err)
+			}
+			if err = f.AddRetract(VersionInterval{Low: tt.low, High: tt.high}, ""); err == nil {
+				t.Fatal("expected AddRetract to complain about version format")
+			}
+		})
+	}
+}
+
+func TestAddExcludeValidateVersion(t *testing.T) {
+	for _, tt := range addExcludeValidateVersionTests {
+		t.Run(tt.dsc, func(t *testing.T) {
+			f, err := Parse("in", []byte("module m"), nil)
+			if err != nil {
+				t.Fatal(err)
+			}
+			if err = f.AddExclude("aa", tt.ver); err == nil {
+				t.Fatal("expected AddExclude to complain about version format")
+			}
+		})
+	}
+}