From 9931369767bf99c9462d2e5afede5635ebfc7c85 Mon Sep 17 00:00:00 2001 From: Lunny Xiao Date: Wed, 10 Apr 2024 14:12:19 +0800 Subject: [PATCH 1/3] Performance optimization for git push (#30104) (#30354) Agit returned result should be from `ProcReceive` hook but not `PostReceive` hook. Then for all non-agit pull requests, it will not check the pull requests for every pushing `refs/pull/%d/head`. Backport #30104 (cherry picked from commit 6e3aaa997549b83935241e486caf811793c88aea) Conflicts: it is implemented differently in Forgejo, just keep the test in tests/integration/git_push_test.go (cherry picked from commit b7cff17de1ae1705de5d57fee7bd8cb1edaff2c5) --- tests/integration/git_push_test.go | 67 ++++++++++++++++++++++++++++++ 1 file changed, 67 insertions(+) create mode 100644 tests/integration/git_push_test.go diff --git a/tests/integration/git_push_test.go b/tests/integration/git_push_test.go new file mode 100644 index 0000000000..a64c2953c5 --- /dev/null +++ b/tests/integration/git_push_test.go @@ -0,0 +1,67 @@ +// Copyright 2024 The Gitea Authors. All rights reserved. +// SPDX-License-Identifier: MIT + +package integration + +import ( + "net/url" + "testing" + + "code.gitea.io/gitea/models/db" + "code.gitea.io/gitea/models/unittest" + user_model "code.gitea.io/gitea/models/user" + "code.gitea.io/gitea/modules/git" + repo_service "code.gitea.io/gitea/services/repository" + + "github.com/stretchr/testify/require" +) + +func TestGitPush(t *testing.T) { + onGiteaRun(t, testGitPush) +} + +func testGitPush(t *testing.T, u *url.URL) { + t.Run("Push branch with options", func(t *testing.T) { + runTestGitPush(t, u, func(t *testing.T, gitPath string) { + branchName := "branch-with-options" + doGitCreateBranch(gitPath, branchName)(t) + doGitPushTestRepository(gitPath, "origin", branchName, "-o", "repo.private=true", "-o", "repo.template=true")(t) + }) + }) +} + +func runTestGitPush(t *testing.T, u *url.URL, gitOperation func(t *testing.T, gitPath string)) { + user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2}) + repo, err := repo_service.CreateRepository(db.DefaultContext, user, user, repo_service.CreateRepoOptions{ + Name: "repo-to-push", + Description: "test git push", + AutoInit: false, + DefaultBranch: "main", + IsPrivate: false, + }) + require.NoError(t, err) + require.NotEmpty(t, repo) + + gitPath := t.TempDir() + + doGitInitTestRepository(gitPath)(t) + + oldPath := u.Path + oldUser := u.User + defer func() { + u.Path = oldPath + u.User = oldUser + }() + u.Path = repo.FullName() + ".git" + u.User = url.UserPassword(user.LowerName, userPassword) + + doGitAddRemote(gitPath, "origin", u)(t) + + gitRepo, err := git.OpenRepository(git.DefaultContext, gitPath) + require.NoError(t, err) + defer gitRepo.Close() + + gitOperation(t, gitPath) + + require.NoError(t, repo_service.DeleteRepositoryDirectly(db.DefaultContext, user, user.ID, repo.ID)) +} From c8645d2a708759527d101b1deaf7bc0c1313190b Mon Sep 17 00:00:00 2001 From: Gergely Nagy Date: Mon, 15 Apr 2024 10:07:45 +0200 Subject: [PATCH 2/3] hooks: Harden when we accept push options that change repo settings It is possible to change some repo settings (its visibility, and template status) via `git push` options: `-o repo.private=true`, `-o repo.template=true`. Previously, there weren't sufficient permission checks on these, and anyone who could `git push` to a repository - including via an AGit workflow! - was able to change either of these settings. To guard against this, the pre-receive hook will now check if either of these options are present, and if so, will perform additional permission checks to ensure that these can only be set by a repository owner or an administrator. Additionally, changing these settings is disabled for forks, even for the fork's owner. There's still a case where the owner of a repository can change the visibility of it, and it will not propagate to forks (it propagates to forks when changing the visibility via the API), but that's an inconsistency, not a security issue. Signed-off-by: Gergely Nagy (cherry picked from commit cc80e661531794fff7f8a336eaaefdb7e3bd3956) Conflicts: tests/integration/git_push_test.go DeleteRepositoryDirectly does not exist CreateRepoOptions is in repo_module --- routers/private/hook_pre_receive.go | 55 ++++++++++++++++++++ tests/integration/git_push_test.go | 80 +++++++++++++++++++---------- 2 files changed, 108 insertions(+), 27 deletions(-) diff --git a/routers/private/hook_pre_receive.go b/routers/private/hook_pre_receive.go index 7f37d73795..947edb77aa 100644 --- a/routers/private/hook_pre_receive.go +++ b/routers/private/hook_pre_receive.go @@ -101,6 +101,57 @@ func (ctx *preReceiveContext) AssertCreatePullRequest() bool { return true } +func (ctx *preReceiveContext) canChangeSettings() bool { + if !ctx.loadPusherAndPermission() { + return false + } + + perm, err := access_model.GetUserRepoPermission(ctx, ctx.Repo.Repository, ctx.user) + if err != nil { + return false + } + if !perm.IsOwner() && !perm.IsAdmin() { + return false + } + + if ctx.Repo.Repository.IsFork { + return false + } + + return true +} + +func (ctx *preReceiveContext) assertChangeSettings() bool { + opts := web.GetForm(ctx).(*private.HookOptions) + + if len(opts.GitPushOptions) == 0 { + return true + } + + _, hasPrivateOpt := opts.GitPushOptions[private.GitPushOptionRepoPrivate] + _, hasTemplateOpt := opts.GitPushOptions[private.GitPushOptionRepoTemplate] + + if !hasPrivateOpt && !hasTemplateOpt { + // If neither `repo.private` nor `repo.template` is present in + // the push options, we're good to go without further permission + // checking. + return true + } + + // Either `repo.private` or `repo.template` is among the push options, + // do some permission checks. + if !ctx.canChangeSettings() { + if ctx.Written() { + return false + } + ctx.JSON(http.StatusForbidden, private.Response{ + UserMsg: "Permission denied for changing repo settings.", + }) + return false + } + return true +} + // HookPreReceive checks whether a individual commit is acceptable func HookPreReceive(ctx *gitea_context.PrivateContext) { opts := web.GetForm(ctx).(*private.HookOptions) @@ -111,6 +162,10 @@ func HookPreReceive(ctx *gitea_context.PrivateContext) { opts: opts, } + if !ourCtx.assertChangeSettings() { + return + } + // Iterate across the provided old commit IDs for i := range opts.OldCommitIDs { oldCommitID := opts.OldCommitIDs[i] diff --git a/tests/integration/git_push_test.go b/tests/integration/git_push_test.go index a64c2953c5..55a856fe93 100644 --- a/tests/integration/git_push_test.go +++ b/tests/integration/git_push_test.go @@ -8,31 +8,22 @@ import ( "testing" "code.gitea.io/gitea/models/db" + repo_model "code.gitea.io/gitea/models/repo" "code.gitea.io/gitea/models/unittest" user_model "code.gitea.io/gitea/models/user" - "code.gitea.io/gitea/modules/git" + repo_module "code.gitea.io/gitea/modules/repository" repo_service "code.gitea.io/gitea/services/repository" "github.com/stretchr/testify/require" ) -func TestGitPush(t *testing.T) { - onGiteaRun(t, testGitPush) +func TestOptionsGitPush(t *testing.T) { + onGiteaRun(t, testOptionsGitPush) } -func testGitPush(t *testing.T, u *url.URL) { - t.Run("Push branch with options", func(t *testing.T) { - runTestGitPush(t, u, func(t *testing.T, gitPath string) { - branchName := "branch-with-options" - doGitCreateBranch(gitPath, branchName)(t) - doGitPushTestRepository(gitPath, "origin", branchName, "-o", "repo.private=true", "-o", "repo.template=true")(t) - }) - }) -} - -func runTestGitPush(t *testing.T, u *url.URL, gitOperation func(t *testing.T, gitPath string)) { +func testOptionsGitPush(t *testing.T, u *url.URL) { user := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 2}) - repo, err := repo_service.CreateRepository(db.DefaultContext, user, user, repo_service.CreateRepoOptions{ + repo, err := repo_service.CreateRepository(db.DefaultContext, user, user, repo_module.CreateRepoOptions{ Name: "repo-to-push", Description: "test git push", AutoInit: false, @@ -46,22 +37,57 @@ func runTestGitPush(t *testing.T, u *url.URL, gitOperation func(t *testing.T, gi doGitInitTestRepository(gitPath)(t) - oldPath := u.Path - oldUser := u.User - defer func() { - u.Path = oldPath - u.User = oldUser - }() u.Path = repo.FullName() + ".git" u.User = url.UserPassword(user.LowerName, userPassword) - doGitAddRemote(gitPath, "origin", u)(t) - gitRepo, err := git.OpenRepository(git.DefaultContext, gitPath) - require.NoError(t, err) - defer gitRepo.Close() + { + // owner sets private & template to true via push options + branchName := "branch1" + doGitCreateBranch(gitPath, branchName)(t) + doGitPushTestRepository(gitPath, "origin", branchName, "-o", "repo.private=true", "-o", "repo.template=true")(t) + repo, err := repo_model.GetRepositoryByOwnerAndName(db.DefaultContext, user.Name, "repo-to-push") + require.NoError(t, err) + require.True(t, repo.IsPrivate) + require.True(t, repo.IsTemplate) + } - gitOperation(t, gitPath) + { + // owner sets private & template to false via push options + branchName := "branch2" + doGitCreateBranch(gitPath, branchName)(t) + doGitPushTestRepository(gitPath, "origin", branchName, "-o", "repo.private=false", "-o", "repo.template=false")(t) + repo, err = repo_model.GetRepositoryByOwnerAndName(db.DefaultContext, user.Name, "repo-to-push") + require.NoError(t, err) + require.False(t, repo.IsPrivate) + require.False(t, repo.IsTemplate) + } - require.NoError(t, repo_service.DeleteRepositoryDirectly(db.DefaultContext, user, user.ID, repo.ID)) + { + // create a collaborator with write access + collaborator := unittest.AssertExistsAndLoadBean(t, &user_model.User{ID: 5}) + u.User = url.UserPassword(collaborator.LowerName, userPassword) + doGitAddRemote(gitPath, "collaborator", u)(t) + repo, err := repo_model.GetRepositoryByOwnerAndName(db.DefaultContext, user.Name, "repo-to-push") + require.NoError(t, err) + repo_module.AddCollaborator(db.DefaultContext, repo, collaborator) + } + + { + // collaborator with write access is allowed to push + branchName := "branch3" + doGitCreateBranch(gitPath, branchName)(t) + doGitPushTestRepository(gitPath, "collaborator", branchName)(t) + } + + { + // collaborator with write access fails to change private & template via push options + branchName := "branch4" + doGitCreateBranch(gitPath, branchName)(t) + doGitPushTestRepositoryFail(gitPath, "collaborator", branchName, "-o", "repo.private=true", "-o", "repo.template=true")(t) + repo, err = repo_model.GetRepositoryByOwnerAndName(db.DefaultContext, user.Name, "repo-to-push") + require.NoError(t, err) + require.False(t, repo.IsPrivate) + require.False(t, repo.IsTemplate) + } } From ecf654e17f284152cdfc97fec3bf338b2902cbc1 Mon Sep 17 00:00:00 2001 From: Earl Warren Date: Thu, 18 Apr 2024 23:23:11 +0200 Subject: [PATCH 3/3] fix(security): upgrade to go v1.21 --- .forgejo/workflows/build-release.yml | 2 +- .forgejo/workflows/testing.yml | 12 ++++++------ go.mod | 8 ++++---- go.sum | 18 +++++++++--------- 4 files changed, 20 insertions(+), 20 deletions(-) diff --git a/.forgejo/workflows/build-release.yml b/.forgejo/workflows/build-release.yml index f84aca6d28..51e012fbe4 100644 --- a/.forgejo/workflows/build-release.yml +++ b/.forgejo/workflows/build-release.yml @@ -45,7 +45,7 @@ jobs: - uses: https://code.forgejo.org/actions/setup-go@v4 with: - go-version: ">=1.20" + go-version: ">=1.21" check-latest: true - name: Create the version from ref_name diff --git a/.forgejo/workflows/testing.yml b/.forgejo/workflows/testing.yml index c93d27ebf6..9205536764 100644 --- a/.forgejo/workflows/testing.yml +++ b/.forgejo/workflows/testing.yml @@ -16,7 +16,7 @@ jobs: - uses: https://code.forgejo.org/actions/checkout@v3 - uses: https://code.forgejo.org/actions/setup-go@v4 with: - go-version: "1.20" + go-version: "1.21" check-latest: true - run: make deps-backend deps-tools - run: make lint-backend @@ -30,7 +30,7 @@ jobs: - uses: https://code.forgejo.org/actions/checkout@v3 - uses: https://code.forgejo.org/actions/setup-go@v4 with: - go-version: "1.20" + go-version: "1.21" check-latest: true - run: make deps-backend deps-tools - run: make --always-make checks-backend # ensure the "go-licenses" make target runs @@ -43,7 +43,7 @@ jobs: - uses: https://code.forgejo.org/actions/checkout@v3 - uses: https://code.forgejo.org/actions/setup-go@v4 with: - go-version: "1.20" + go-version: "1.21" - run: | git config --add safe.directory '*' adduser --quiet --comment forgejo --disabled-password forgejo @@ -81,7 +81,7 @@ jobs: - uses: https://code.forgejo.org/actions/checkout@v3 - uses: https://code.forgejo.org/actions/setup-go@v4 with: - go-version: "1.20" + go-version: "1.21" - name: install dependencies run: | export DEBIAN_FRONTEND=noninteractive @@ -121,7 +121,7 @@ jobs: - uses: https://code.forgejo.org/actions/checkout@v3 - uses: https://code.forgejo.org/actions/setup-go@v4 with: - go-version: "1.20" + go-version: "1.21" - name: install dependencies run: | export DEBIAN_FRONTEND=noninteractive @@ -155,7 +155,7 @@ jobs: - uses: https://code.forgejo.org/actions/checkout@v3 - uses: https://code.forgejo.org/actions/setup-go@v4 with: - go-version: "1.20" + go-version: "1.21" - name: install dependencies run: | export DEBIAN_FRONTEND=noninteractive diff --git a/go.mod b/go.mod index 72522af690..fe0bd13d9d 100644 --- a/go.mod +++ b/go.mod @@ -107,15 +107,15 @@ require ( github.com/yuin/goldmark v1.5.5 github.com/yuin/goldmark-highlighting/v2 v2.0.0-20220924101305-151362477c87 github.com/yuin/goldmark-meta v1.1.0 - golang.org/x/crypto v0.17.0 + golang.org/x/crypto v0.21.0 golang.org/x/image v0.7.0 - golang.org/x/net v0.13.0 + golang.org/x/net v0.23.0 golang.org/x/oauth2 v0.8.0 - golang.org/x/sys v0.15.0 + golang.org/x/sys v0.18.0 golang.org/x/text v0.14.0 golang.org/x/tools v0.8.0 google.golang.org/grpc v1.53.0 - google.golang.org/protobuf v1.30.0 + google.golang.org/protobuf v1.33.0 gopkg.in/gomail.v2 v2.0.0-20160411212932-81ebce5c23df gopkg.in/ini.v1 v1.67.0 gopkg.in/yaml.v3 v3.0.1 diff --git a/go.sum b/go.sum index f819cb5d0f..a0e05b85af 100644 --- a/go.sum +++ b/go.sum @@ -1174,8 +1174,8 @@ golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4 golang.org/x/crypto v0.3.1-0.20221117191849-2c476679df9a/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58= golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU= -golang.org/x/crypto v0.17.0 h1:r8bRNjWL3GshPW3gkd+RpvzWrZAwPS49OmTGZ/uhM4k= -golang.org/x/crypto v0.17.0/go.mod h1:gCAAfMLgwOJRpTjQ2zCCt2OcSfYMTeZVSRtQlPC7Nq4= +golang.org/x/crypto v0.21.0 h1:X31++rzVUdKhX5sWmSOFZxx8UW/ldWx55cbf08iNAMA= +golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= @@ -1269,8 +1269,8 @@ golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs= golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc= golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns= -golang.org/x/net v0.13.0 h1:Nvo8UFsZ8X3BhAC9699Z1j7XQ3rsZnUUm7jfBEk1ueY= -golang.org/x/net v0.13.0/go.mod h1:zEVYFnQC7m/vmpQFELhcD1EWkZlX69l4oqgmer6hfKA= +golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs= +golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= @@ -1376,8 +1376,8 @@ golang.org/x/sys v0.3.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.7.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc= -golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= +golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4= +golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= @@ -1387,7 +1387,7 @@ golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k= golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U= golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY= -golang.org/x/term v0.15.0 h1:y/Oo/a/q3IXu26lQgl04j/gjuBDOBlx7X6Om1j2CPW4= +golang.org/x/term v0.18.0 h1:FcHjZXDMxI8mM3nwhX9HlKop4C0YQvCVCdwYl2wOtE8= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= @@ -1585,8 +1585,8 @@ google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlba google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng= -google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI= +google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos= gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw= gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc h1:2gGKlE2+asNV9m7xrywl36YYNnBG5ZQ0r/BOOxqPpmk= gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc/go.mod h1:m7x9LTH6d71AHyAX77c9yqWCCa3UKHcVEj9y7hAtKDk=