GHSA-wcmj-x466-56mm

## Summary

If a symlink already exists under the `.terraform/providers` directory where a provider package needs to be installed, `tofu init` would follow that symlink and install the new package content into it.

If an attacker can coerce an operator into running `tofu init` in a directory whose contents are attacker-controlled, they can include such a symlink along with instruction to install an attacker-controlled provider package at the path of that symlink, which would then cause OpenTofu to write the contents of that provider package into an arbitrary directory elsewhere in the filesystem if the OpenTofu process has sufficient permission to write there.

## Details

OpenTofu permits provider cache entries to be symlinks to other locations because that is how the local cache in a specific working directory refers to matching entries in a global cache directory configured in the CLI configuration file.

Unfortunately, OpenTofu's provider installer was missing a rule to remove an existing symlink during installation if it refers to a directory that doesn't already match the expected provider package content. Instead, it would attempt to update the content of the target directory to match the content of the provider package.

If developers use OpenTofu with the `TF_DATA_DIR` environment variable set, note that the directory they specify in that environment variable is treated as a replacement location for the content that would normally be in the `.terraform` directory, and so it is _that_ location which is sensitive to pre-existing symlinks.

In the newly-issued versions of OpenTofu, it is now considered an error if any existing directory entry is present in the cache whose content does not already match the expected package content. As before, if an existing entry is present and its content already matches the expected package content then OpenTofu makes no changes to the target directory and just uses it as-is.

## Workaround

If developers cannot upgrade to a fixed version immediately, OpenTofu recommends that they ensure that there is no `.terraform` directory already present when running `tofu init` for the first time in a new working directory. The absence of that directory guarantees that there cannot be a conflicting symlink.

For an extra line of defense, verify before running `tofu init` that there are no symlinks anywhere under the current working directory that refer to any path above the current working directory. This limits the scope of attack only to other files in the same working directory, which the attacker already controls in this scenario.

## Notes and Resources

- OpenTofu thanks Francesco Sabiu (@fsabiu) for finding and responsibly disclosing this vulnerability. - Generally-speaking, the OpenTofu project expects that operators will run `tofu init` only in directories containing content they trust.

OpenTofu prioritized addressing this _specific_ concern because a successful attack can write arbitrary files into an arbitrary directory and therefore the potential impact is relatively high and the solution to the problem is low-risk, but this is a pragmatic exception to the usual threat model and there aren't any plans for broader hardening of OpenTofu against attacks of this type. OpenTofu recommends that developers ensure that their working directory contents are as they expect before running `tofu init`.

In particular: it remains possible for an attacker to place a symlink at some higher point in the directory structure of the provider cache, into which OpenTofu will construct subdirectories needed to create the remaining provider cache directory structure. OpenTofu evaluated that as a less severe concern because it does not give the attacker full control over what is written into the target directory, but note that this does still allow an attacker to write arbitrary content into a directory two levels beneath the target when placing the symlink at the hostname level of the cache directory structure. - The original fix for this issue is in https://github.com/opentofu/opentofu/pull/4082. It was backported as follows: - [v1.12 branch](https://github.com/opentofu/opentofu/pull/4087) for v1.12.0 - [v1.11 branch](https://github.com/opentofu/opentofu/pull/4088) for v1.11.7 - [v1.10 branch](https://github.com/opentofu/opentofu/pull/4089) for v1.10.10