Revert "SECVULN Fix for git checkout argument injection enables arbitrary file read"

This reverts commit ca510b2.

Author: nasareeny

.release/ci.hcl

@@ -4,7 +4,7 @@ project "go-getter" {
   team = "team-ip-compliance"
 
   slack {
-    notification_channel = "C09KU972BDH" // ensure this is a PUBLIC slack channel. If it's private, the promotion workflows will fail.
+    notification_channel = "C09KTF77K6X" // ensure this is a PUBLIC slack channel. If it's private, the promotion workflows will fail.
   }
 
   github {

get_git.go

@@ -174,10 +174,6 @@ func (g *GitGetter) GetFile(dst string, u *url.URL) error {
 }
 
 func (g *GitGetter) checkout(ctx context.Context, dst string, ref string) error {
-	if strings.HasPrefix(ref, "-") {
-		return fmt.Errorf("invalid ref: %q", ref)
-	}
-
 	cmd := exec.CommandContext(ctx, "git", "checkout", ref, "--")
 	cmd.Dir = dst
 	return getRunCommand(cmd)

get_git_test.go

@@ -1248,45 +1248,6 @@ func (r *gitRepo) latestCommit() (string, error) {
 	return string(rawOut), nil
 }
 
-// Test checkout ref option injection to verify that if a user tries to inject a git option
-func TestGitGetter_checkoutRefOptionInjectionRejected(t *testing.T) {
-	if !testHasGit {
-		t.Skip("git not found, skipping")
-	}
-
-	g := new(GitGetter)
-	repo := testGitRepo(t, "empty-repo")
-	repo.git("config", "commit.gpgsign", "false")
-	repo.commitFile("safe.txt", "safe")
-
-	// Create a fake "secret" file to simulate sensitive data
-	secretPath := filepath.Join(t.TempDir(), "secret.txt")
-	secretLine := "THIS_IS_A_SECRET"
-	if err := os.WriteFile(secretPath, []byte(secretLine+"\n"), 0600); err != nil {
-		t.Fatal(err)
-	}
-
-	// Attempt to inject a git option
-	ref := "--pathspec-from-file=" + secretPath
-
-	err := g.checkout(context.Background(), repo.dir, ref)
-
-	// Expect error due to validation (not git execution)
-	if err == nil {
-		t.Fatal("expected error for invalid ref, got nil")
-	}
-
-	// Ensure it's our validation error, not git output
-	if !strings.Contains(err.Error(), "invalid ref") {
-		t.Fatalf("expected validation error, got: %v", err)
-	}
-
-	// Ensure secret is NOT leaked
-	if strings.Contains(err.Error(), secretLine) {
-		t.Fatalf("secret leaked in error message:\n%s", err.Error())
-	}
-}
-
 // This is a read-only deploy key for an empty test repository.
 // Note: This is split over multiple lines to avoid being disabled by key
 // scanners automatically.

version/VERSION

@@ -1 +1 @@
-1.8.6
+1.8.5

version/version.go

@@ -4,7 +4,7 @@
 package version
 
 var (
-	Version           = "1.8.6"
+	Version           = "1.8.5"
 	VersionPrerelease = ""
 	VersionMetadata   = ""
 	// PluginVersion removed to avoid import cycle