HashiCorp Go-getter Arbitrary File Read Vulnerability During Git Operations

Vulnerability

A vulnerability in HashiCorp's go-getter library allows arbitrary file reads from the file system during certain Git operations. It is triggered by a maliciously crafted source URL: the crafted value injects additional arguments into the Git command that go-getter runs, and those arguments can be used to read files the caller never intended to expose. The issue affects go-getter 1.x releases before 1.8.6, is fixed in go-getter 1.8.6, and does not affect the go-getter/v2 branch.

Impact

An attacker who can supply the source URL to an application built on go-getter can read arbitrary files on the file system of the host where go-getter runs, limited only by the permissions of the process invoking it. Because go-getter is commonly used to fetch modules and artifacts from user-specified locations, the URL is frequently attacker-controlled input.

Reproduction

The vulnerability can be reproduced with a go-getter release before 1.8.6 by providing a Git URL crafted so that part of it is interpreted as additional Git command-line arguments. No explicit Git reference is required: when the caller specifies none, go-getter resolves the HEAD reference of the remote's default branch, and that lookup already runs Git with the attacker-controlled URL. The injected arguments redirect the operation to read arbitrary files from the local file system.
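The underlying bug class is argument injection: a user-supplied string that begins with "-" is spliced into a git argv where git still parses options, so it is treated as an option rather than as the repository. The example below is added by the editor and is not go-getter's own code; it shows an unhardened argv builder for the default-branch HEAD lookup beside a hardened one that rejects option-like values, checks the URL scheme, and terminates option parsing with "--". The scheme allow-list, the function names, and the injected option string "--injected=value" are assumptions for illustration. The argv is built but never executed, so the example runs offline.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// Illustrative code added by the editor; it is not go-getter's implementation.

// allowedSchemes is an assumption for this example, not go-getter's actual list.
var allowedSchemes = map[string]bool{
	"https": true, "http": true, "ssh": true, "git": true, "file": true,
}

// vulnerableLsRemoteArgs builds the argv of a remote HEAD lookup the way an
// unhardened caller would: the user-supplied URL and ref are spliced in
// directly. Nothing terminates option parsing, so a value beginning with
// "-" is consumed by git as an option instead of as the repository.
func vulnerableLsRemoteArgs(repo, ref string) []string {
	if ref == "" {
		ref = "HEAD" // default-branch lookup when the caller gave no ref
	}
	return []string{"ls-remote", "--symref", repo, ref}
}

// hardenedLsRemoteArgs rejects anything that could be read as an option,
// requires an explicit allowed scheme, and inserts "--" so that both
// positionals are always taken literally by git.
func hardenedLsRemoteArgs(repo, ref string) ([]string, error) {
	if ref == "" {
		ref = "HEAD"
	}
	for _, v := range []string{repo, ref} {
		if strings.HasPrefix(v, "-") {
			return nil, fmt.Errorf("argument %q must not start with '-'", v)
		}
	}
	u, err := url.Parse(repo)
	if err != nil {
		return nil, fmt.Errorf("invalid repository URL: %w", err)
	}
	if !allowedSchemes[u.Scheme] {
		// scp-style "user@host:path" also lands here; this example does not
		// accept it, since the host part would need its own validation.
		return nil, fmt.Errorf("unsupported or missing scheme %q", u.Scheme)
	}
	return []string{"ls-remote", "--symref", "--", repo, ref}, nil
}

// firstPositional mimics git's option scanning: it returns the first element
// after the subcommand that is not an option, i.e. what git would use as the
// repository. Once "--" is seen, everything that follows is positional.
func firstPositional(args []string) string {
	endOfOpts := false
	for _, a := range args[1:] {
		if !endOfOpts {
			if a == "--" {
				endOfOpts = true
				continue
			}
			if strings.HasPrefix(a, "-") {
				continue
			}
		}
		return a
	}
	return ""
}

func main() {
	// Constructed input: a "URL" that looks like a git option.
	injected := "--injected=value"
	v := vulnerableLsRemoteArgs(injected, "")
	fmt.Println("vulnerable argv:", v, "| repo git sees:", firstPositional(v))
	if _, err := hardenedLsRemoteArgs(injected, ""); err != nil {
		fmt.Println("hardened:", err)
	}
	args, _ := hardenedLsRemoteArgs("https://github.com/hashicorp/go-getter.git", "")
	fmt.Println("hardened argv:", args, "| repo git sees:", firstPositional(args))
}
```

In the vulnerable argv the injected value is swallowed as an option and git ends up treating the ref ("HEAD") as the repository, which is exactly the shape of the flaw: attacker-chosen options reach git. The hardened builder makes such input fail closed before any process is spawned; the "--" separator is what guarantees the positional interpretation even if a future check is missed.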

Remediation

Users of the go-getter library should upgrade to version 1.8.6 or later. The latest releases can be found on the HashiCorp go-getter GitHub releases page. Applications that accept source URLs from untrusted users should additionally treat the URL as untrusted input and reject values that could be parsed as Git command-line options, even after upgrading.

Added: Apr 9, 2026, 3:02 PM
Updated: Apr 9, 2026, 3:02 PM

Vulnerability Rating

Custom Algorithm

spread          4.2
impact          0.8
exploitability  4.6
remediation     7.7
relevance       5.5
threat          1.6
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.