Update go-getter client options (#111)

* Update go-getter client options to disable symlinks * Set resonable timeouts for remote storage getters * Replace default Getters with explicit list of Getters * Update CHANGELOG * Bump default to accommodate long downloads
hashicorp · Jun 9, 2022 · 73f8475 · 73f8475
1 parent 45a145e
commit 73f8475
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 6 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,10 @@
+## 0.3.0 (Upcoming)
+
+* multistep/commonsteps: Update settings for the default go-getter client to prevent arbitrary host access via go-getter's path traversal, symlink processing, and command injection flaws.
+* multistep/commonsteps: Disable support for the `X-Terraform-Get` header to mitigate against protocol switching, endless redirect, and configuration bypass abuse of custom HTTP response header processing.
+* multistep/commonsteps: Add default timeouts to the GitGetter, HgGetter, S3Getter, and GcsGetter getters to mitigate against resource exhaustion when calling out to external command line applications.
+* sdk: Bump github.com/hashicorp/go-getter/v2, github.com/hashicorp/go-getter/gcs/v2, github.com/hashicorp/go-getter/s3/v2 to address a number of security vulnerabilities as defined in [HCSEC-2022-13](https://discuss.hashicorp.com/t/hcsec-2022-13-multiple-vulnerabilities-in-go-getter-library/39930)
+
 ## 0.2.13 (May 11, 2022)
 
 * cmd/packer-sdc: Update golang.org/x/tools to fix internal package errors when running code generation commands with Go 1.18 [GH-108](https://github.com/hashicorp/packer-plugin-sdk/pull/108)

diff --git a/multistep/commonsteps/step_download.go b/multistep/commonsteps/step_download.go
@@ -11,6 +11,7 @@ import (
 	"path/filepath"
 	"runtime"
 	"strings"
+	"time"
 
 	gcs "github.com/hashicorp/go-getter/gcs/v2"
 	s3 "github.com/hashicorp/go-getter/s3/v2"
@@ -55,13 +56,44 @@ type StepDownload struct {
 	Extension string
 }
 
-var defaultGetterClient = getter.Client{
-	Getters: getter.Getters,
-}
+// defaultGetterReadTimeout is the read timeout for downloading operations via go-getter.
+// The timeout must be long enough to accommodate large/slow downloads.
+const defaultGetterReadTimeout time.Duration = 30 * time.Minute
 
-func init() {
-	defaultGetterClient.Getters = append(defaultGetterClient.Getters, new(gcs.Getter))
-	defaultGetterClient.Getters = append(defaultGetterClient.Getters, new(s3.Getter))
+var defaultGetterClient = getter.Client{
+	// Disable writing and reading through symlinks.
+	DisableSymlinks: true,
+	// The order of the Getters in the list may affect the result
+	// depending if the Request.Src is detected as valid by multiple getters
+	Getters: []getter.Getter{
+		&getter.GitGetter{
+			Timeout: defaultGetterReadTimeout,
+			Detectors: []getter.Detector{
+				new(getter.GitHubDetector),
+				new(getter.GitDetector),
+				new(getter.BitBucketDetector),
+				new(getter.GitLabDetector),
+			},
+		},
+		&getter.HgGetter{
+			Timeout: defaultGetterReadTimeout,
+		},
+		new(getter.SmbClientGetter),
+		new(getter.SmbMountGetter),
+		&getter.HttpGetter{
+			Netrc:                 true,
+			XTerraformGetDisabled: true,
+			HeadFirstTimeout:      defaultGetterReadTimeout,
+			ReadTimeout:           defaultGetterReadTimeout,
+		},
+		new(getter.FileGetter),
+		&gcs.Getter{
+			Timeout: defaultGetterReadTimeout,
+		},
+		&s3.Getter{
+			Timeout: defaultGetterReadTimeout,
+		},
+	},
 }
 
 func (s *StepDownload) Run(ctx context.Context, state multistep.StateBag) multistep.StepAction {