Version 0.144.0 affected by critical go-getter (1.5.9) vulnerability

[BernhardGruen]

Hey,

Our trivy found out that helmfile (0.144.0 - newest version as of today) is affected by a critical vulnerability in go-getter.
These are the corresponding CVEs:

• https://avd.aquasec.com/nvd/cve-2022-26945 (command injection vulnerability)
• https://avd.aquasec.com/nvd/cve-2022-30321 (unsafe download (issue 1 of 3))
• https://avd.aquasec.com/nvd/cve-2022-30322 (unsafe download (issue 2 of 3))
• https://avd.aquasec.com/nvd/cve-2022-30323 (unsafe download (issue 3 of 3))

As helmfile is able to download from foreign sources I assume that helmfile could be tricked into downloading potential harmful files (i.e. via DNS spoofing) and then executing those files as well.

I already found out that a fixed version of go-getter is used in the repository but there was no new release. Based on the criticality of that vulnerability I think publishing a patched version of 0.144.0 would be beneficial.

Best regards,

Bernhard Grün

[yxxhero]

@BernhardGruen Welcome to create a PR.

[jduepmeier]

Version v0.145.0 is now released with go-getter v1.6.2