[AUTO-CHERRYPICK] Add Patch in terraform for CVE-2024-6257. - branch main (#9954)

CBL-Mariner-Bot · Sumynwa · jslobodzian · web-flow · commit 2cfea6b9b000 · 2024-07-29T23:49:01.000-04:00
Co-authored-by: Sumynwa &lt;sumsharma@microsoft.com&gt;
Co-authored-by: jslobodzian &lt;joslobo@microsoft.com&gt;
diff --git a/SPECS/terraform/CVE-2024-6257.patch b/SPECS/terraform/CVE-2024-6257.patch
@@ -0,0 +1,128 @@
+From 9906874a23919a81eff097d84fdb8f98525ac880 Mon Sep 17 00:00:00 2001
+From: dduzgun-security <deniz.duzgun@hashicorp.com>
+Date: Thu, 20 Jun 2024 10:06:56 -0400
+Subject: [PATCH 1/2] recreate git config during update to prevent config
+ alteration
+
+Modified to apply to vendored code by: Sumedh Sharma <sumsharma@microsoft.com>
+ - Adjusted paths to work for vendored version
+ - Removed test code since it is not included in vendor trace
+---
+ vendor/github.com/hashicorp/go-getter/get_git.go | 81 +++++++++++++++----
+ 1 file changed, 67 insertions(+), 14 deletions(-)
+
+diff --git a/vendor/github.com/hashicorp/go-getter/get_git.go b/vendor/github.com/hashicorp/go-getter/get_git.go
+index 5227db7..51a898b 100644
+--- a/vendor/github.com/hashicorp/go-getter/get_git.go
++++ b/vendor/github.com/hashicorp/go-getter/get_git.go
+@@ -125,7 +125,7 @@ func (g *GitGetter) Get(dst string, u *url.URL) error {
+ 		return err
+ 	}
+ 	if err == nil {
+-		err = g.update(ctx, dst, sshKeyFile, ref, depth)
++		err = g.update(ctx, dst, sshKeyFile, u, ref, depth)
+ 	} else {
+ 		err = g.clone(ctx, dst, sshKeyFile, u, ref, depth)
+ 	}
+@@ -228,28 +228,64 @@ func (g *GitGetter) clone(ctx context.Context, dst, sshKeyFile string, u *url.UR
+ 	return nil
+ }
+ 
+-func (g *GitGetter) update(ctx context.Context, dst, sshKeyFile, ref string, depth int) error {
+-	// Determine if we're a branch. If we're NOT a branch, then we just
+-	// switch to master prior to checking out
+-	cmd := exec.CommandContext(ctx, "git", "show-ref", "-q", "--verify", "refs/heads/"+ref)
++func (g *GitGetter) update(ctx context.Context, dst, sshKeyFile string, u *url.URL, ref string, depth int) error {
++	// Remove all variations of .git directories
++	err := removeCaseInsensitiveGitDirectory(dst)
++	if err != nil {
++		return err
++	}
++
++	// Initialize the git repository
++	cmd := exec.CommandContext(ctx, "git", "init")
++	cmd.Dir = dst
++	err = getRunCommand(cmd)
++	if err != nil {
++		return err
++	}
++
++	// Add the git remote
++	cmd = exec.CommandContext(ctx, "git", "remote", "add", "origin", "--", u.String())
++	cmd.Dir = dst
++	err = getRunCommand(cmd)
++	if err != nil {
++		return err
++	}
++
++	// Fetch the remote ref
++	cmd = exec.CommandContext(ctx, "git", "fetch", "--tags")
++	cmd.Dir = dst
++	err = getRunCommand(cmd)
++	if err != nil {
++		return err
++	}
++
++	// Fetch the remote ref
++	cmd = exec.CommandContext(ctx, "git", "fetch", "origin", "--", ref)
+ 	cmd.Dir = dst
++	err = getRunCommand(cmd)
++	if err != nil {
++		return err
++	}
+ 
+-	if getRunCommand(cmd) != nil {
+-		// Not a branch, switch to default branch. This will also catch
+-		// non-existent branches, in which case we want to switch to default
+-		// and then checkout the proper branch later.
+-		ref = findDefaultBranch(ctx, dst)
++	// Reset the branch to the fetched ref
++	cmd = exec.CommandContext(ctx, "git", "reset", "--hard", "FETCH_HEAD")
++	cmd.Dir = dst
++	err = getRunCommand(cmd)
++	if err != nil {
++		return err
+ 	}
+ 
+-	// We have to be on a branch to pull
+-	if err := g.checkout(ctx, dst, ref); err != nil {
++	// Checkout ref branch
++	err = g.checkout(ctx, dst, ref)
++	if err != nil {
+ 		return err
+ 	}
+ 
++	// Pull the latest changes from the ref branch
+ 	if depth > 0 {
+-		cmd = exec.CommandContext(ctx, "git", "pull", "--depth", strconv.Itoa(depth), "--ff-only")
++		cmd = exec.CommandContext(ctx, "git", "pull", "origin", "--depth", strconv.Itoa(depth), "--ff-only", "--", ref)
+ 	} else {
+-		cmd = exec.CommandContext(ctx, "git", "pull", "--ff-only")
++		cmd = exec.CommandContext(ctx, "git", "pull", "origin", "--ff-only", "--", ref)
+ 	}
+ 
+ 	cmd.Dir = dst
+@@ -374,3 +410,20 @@ func checkGitVersion(ctx context.Context, min string) error {
+ 
+ 	return nil
+ }
++
++// removeCaseInsensitiveGitDirectory removes all .git directory variations
++func removeCaseInsensitiveGitDirectory(dst string) error {
++	files, err := os.ReadDir(dst)
++	if err != nil {
++		return fmt.Errorf("Failed to read the destination directory %s during git update", dst)
++	}
++	for _, f := range files {
++		if strings.EqualFold(f.Name(), ".git") && f.IsDir() {
++			err := os.RemoveAll(filepath.Join(dst, f.Name()))
++			if err != nil {
++				return fmt.Errorf("Failed to remove the .git directory in the destination directory %s during git update", dst)
++			}
++		}
++	}
++	return nil
++}
+-- 
+2.25.1
+
diff --git a/SPECS/terraform/terraform.spec b/SPECS/terraform/terraform.spec
@@ -1,7 +1,7 @@
 Summary:        Infrastructure as code deployment management tool
 Name:           terraform
 Version:        1.3.2
-Release:        16%{?dist}
+Release:        17%{?dist}
 License:        MPLv2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -29,7 +29,9 @@ Source0:        https://github.com/hashicorp/terraform/archive/refs/tags/v%{vers
 Source1:        %{name}-%{version}-vendor.tar.gz
 Patch0:         CVE-2023-44487.patch
 Patch1:         CVE-2024-3817.patch
-Patch2:         CVE-2024-6104.patch
+Patch2:         CVE-2024-6257.patch
+Patch3:         CVE-2024-6104.patch
+
 
 %global debug_package %{nil}
 %define our_gopath %{_topdir}/.gopath
@@ -63,6 +65,9 @@ install -p -m 755 -t %{buildroot}%{_bindir} ./terraform
 %{_bindir}/terraform
 
 %changelog
+* Thu Jul 25 2024 Sumedh Sharma <sumsharma@microsoft.com> - 1.3.2-17
+- Patch CVE-2024-6257 in vendored hashicorp/go-getter
+
 * Mon Jul 29 2024 Sumedh Sharma <sumsharma@microsoft.com> - 1.3.2-16
 - Patch CVE-2024-6104
 
