SECVULN Fix for git checkout argument injection enables arbitrary file read

nasareeny · nasareeny · commit ca510b29e432 · 2026-03-25T16:14:24.000+05:30
diff --git a/.release/ci.hcl b/.release/ci.hcl
@@ -4,7 +4,7 @@ project "go-getter" {
   team = "team-ip-compliance"
 
   slack {
-    notification_channel = "C09KTF77K6X" // ensure this is a PUBLIC slack channel. If it's private, the promotion workflows will fail.
+    notification_channel = "C09KU972BDH" // ensure this is a PUBLIC slack channel. If it's private, the promotion workflows will fail.
   }
 
   github {
diff --git a/get_git.go b/get_git.go
@@ -174,6 +174,10 @@ func (g *GitGetter) GetFile(dst string, u *url.URL) error {
 }
 
 func (g *GitGetter) checkout(ctx context.Context, dst string, ref string) error {
+	if strings.HasPrefix(ref, "-") {
+		return fmt.Errorf("invalid ref: %q", ref)
+	}
+
 	cmd := exec.CommandContext(ctx, "git", "checkout", ref, "--")
 	cmd.Dir = dst
 	return getRunCommand(cmd)
diff --git a/get_git_test.go b/get_git_test.go
@@ -1248,6 +1248,45 @@ func (r *gitRepo) latestCommit() (string, error) {
 	return string(rawOut), nil
 }
 
+// Test checkout ref option injection to verify that if a user tries to inject a git option
+func TestGitGetter_checkoutRefOptionInjectionRejected(t *testing.T) {
+	if !testHasGit {
+		t.Skip("git not found, skipping")
+	}
+
+	g := new(GitGetter)
+	repo := testGitRepo(t, "empty-repo")
+	repo.git("config", "commit.gpgsign", "false")
+	repo.commitFile("safe.txt", "safe")
+
+	// Create a fake "secret" file to simulate sensitive data
+	secretPath := filepath.Join(t.TempDir(), "secret.txt")
+	secretLine := "THIS_IS_A_SECRET"
+	if err := os.WriteFile(secretPath, []byte(secretLine+"\n"), 0600); err != nil {
+		t.Fatal(err)
+	}
+
+	// Attempt to inject a git option
+	ref := "--pathspec-from-file=" + secretPath
+
+	err := g.checkout(context.Background(), repo.dir, ref)
+
+	// Expect error due to validation (not git execution)
+	if err == nil {
+		t.Fatal("expected error for invalid ref, got nil")
+	}
+
+	// Ensure it's our validation error, not git output
+	if !strings.Contains(err.Error(), "invalid ref") {
+		t.Fatalf("expected validation error, got: %v", err)
+	}
+
+	// Ensure secret is NOT leaked
+	if strings.Contains(err.Error(), secretLine) {
+		t.Fatalf("secret leaked in error message:\n%s", err.Error())
+	}
+}
+
 // This is a read-only deploy key for an empty test repository.
 // Note: This is split over multiple lines to avoid being disabled by key
 // scanners automatically.
diff --git a/version/VERSION b/version/VERSION
@@ -1 +1 @@
-1.8.5
+1.8.6
diff --git a/version/version.go b/version/version.go
@@ -4,7 +4,7 @@
 package version
 
 var (
-	Version           = "1.8.5"
+	Version           = "1.8.6"
 	VersionPrerelease = ""
 	VersionMetadata   = ""
 	// PluginVersion removed to avoid import cycle

Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@ project "go-getter" {`
`4`	`4`	`team = "team-ip-compliance"`
`5`	`5`
`6`	`6`	`slack {`
`7`		`- notification_channel = "C09KTF77K6X" // ensure this is a PUBLIC slack channel. If it's private, the promotion workflows will fail.`
	`7`	`+ notification_channel = "C09KU972BDH" // ensure this is a PUBLIC slack channel. If it's private, the promotion workflows will fail.`
`8`	`8`	`}`
`9`	`9`
`10`	`10`	`github {`