Merge pull request #31164 from hashicorp/jbardin/go-getter-security-options

add XTerraformGetLimit to prevent redirect loops
4 years ago · 4fb8a5a3ec
parent 229789f60f 47f9850f02
commit 4fb8a5a3ec
2 changed files with 6 additions and 4 deletions
--- a/internal/command/providers_mirror.go
+++ b/internal/command/providers_mirror.go
@ -94,8 +94,9 @@ func (c *ProvidersMirrorCommand) Run(args []string) int {
 	// generality of go-getter but it's still handy to use the HTTP getter
 	// as an easy way to download over HTTP into a file on disk.
 	httpGetter := getter.HttpGetter{
-		Client: httpclient.New(),
-		Netrc:  true,
+		Client:                httpclient.New(),
+		Netrc:                 true,
+		XTerraformGetDisabled: true,
 	}

 	// The following logic is similar to that used by the provider installer
--- a/internal/getmodules/getter.go
+++ b/internal/getmodules/getter.go
@ -83,8 +83,9 @@ var goGetterGetters = map[string]getter.Getter{
 var getterHTTPClient = cleanhttp.DefaultClient()

 var getterHTTPGetter = &getter.HttpGetter{
-	Client: getterHTTPClient,
-	Netrc:  true,
+	Client:             getterHTTPClient,
+	Netrc:              true,
+	XTerraformGetLimit: 10,
 }

 // A reusingGetter is a helper for the module installer that remembers