fix: normalize legacy triple-slash vendor URIs for go-getter compatibility

internal/exec/terraform_clean_test.go

@@ -73,6 +73,16 @@ func TestCLITerraformClean(t *testing.T) {
 	}
 }
 
+func verifyFileExists(t *testing.T, files []string) (bool, string) {
+	for _, file := range files {
+		if _, err := os.Stat(file); err != nil {
+			t.Errorf("Reason: Expected file does not exist: %q", file)
+			return false, file
+		}
+	}
+	return true, ""
+}
+
 func verifyFileDeleted(t *testing.T, files []string) (bool, string) {
 	for _, file := range files {
 		fileAbs, err := os.Stat(file)

internal/exec/vendor_model.go

@@ -346,6 +346,7 @@ func downloadAndInstall(p *pkgAtmosVendor, dryRun bool, atmosConfig *schema.Atmo
 		if err := p.installer(&tempDir, atmosConfig); err != nil {
 			return newInstallError(err, p.name)
 		}
+
 		if err := copyToTargetWithPatterns(tempDir, p.targetPath, &p.atmosVendorSource, p.sourceIsLocalFile); err != nil {
 			return newInstallError(fmt.Errorf("failed to copy package: %w", err), p.name)
 		}
@@ -360,7 +361,6 @@ func (p *pkgAtmosVendor) installer(tempDir *string, atmosConfig *schema.AtmosCon
 	switch p.pkgType {
 	case pkgTypeRemote:
 		// Use go-getter to download remote packages
-
 		if err := downloader.NewGoGetterDownloader(atmosConfig).Fetch(p.uri, *tempDir, downloader.ClientModeAny, 10*time.Minute); err != nil {
 			return fmt.Errorf("failed to download package: %w", err)
 		}

internal/exec/vendor_triple_slash_test.go

@@ -0,0 +1,222 @@
+package exec
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/cloudposse/atmos/tests"
+	"github.com/spf13/cobra"
+)
+
+// TestVendorPullWithTripleSlashPattern tests the vendor pull command with the triple-slash pattern
+// which indicates cloning from the root of a repository (e.g., github.com/repo.git///?ref=v1.0).
+// This pattern was broken after go-getter v1.7.9 due to changes in subdirectory path handling.
+func TestVendorPullWithTripleSlashPattern(t *testing.T) {
+	// Check for GitHub access with rate limit check
+	rateLimits := tests.RequireGitHubAccess(t)
+	if rateLimits != nil && rateLimits.Remaining < 10 {
+		t.Skipf("Insufficient GitHub API requests remaining (%d). Test may require ~10 requests", rateLimits.Remaining)
+	}
+
+	// Store original environment variables
+	originalCliPath := os.Getenv("ATMOS_CLI_CONFIG_PATH")
+	originalBasePath := os.Getenv("ATMOS_BASE_PATH")
+	originalLogLevel := os.Getenv("ATMOS_LOGS_LEVEL")
+
+	// Set debug logging to see what's happening
+	os.Setenv("ATMOS_LOGS_LEVEL", "Debug")
+
+	// Capture the starting working directory
+	startingDir, err := os.Getwd()
+	require.NoError(t, err, "Failed to get the current working directory")
+
+	defer func() {
+		// Restore original environment variables
+		if originalCliPath != "" {
+			os.Setenv("ATMOS_CLI_CONFIG_PATH", originalCliPath)
+		} else {
+			os.Unsetenv("ATMOS_CLI_CONFIG_PATH")
+		}
+
+		if originalBasePath != "" {
+			os.Setenv("ATMOS_BASE_PATH", originalBasePath)
+		} else {
+			os.Unsetenv("ATMOS_BASE_PATH")
+		}
+
+		if originalLogLevel != "" {
+			os.Setenv("ATMOS_LOGS_LEVEL", originalLogLevel)
+		} else {
+			os.Unsetenv("ATMOS_LOGS_LEVEL")
+		}
+
+		// Change back to the original working directory after the test
+		if err := os.Chdir(startingDir); err != nil {
+			t.Fatalf("Failed to change back to the starting directory: %v", err)
+		}
+	}()
+
+	// Define the test directory
+	testDir := "../../tests/fixtures/scenarios/vendor-triple-slash"
+
+	// Change to the test directory
+	err = os.Chdir(testDir)
+	require.NoError(t, err, "Failed to change to test directory")
+
+	// Set up the command
+	cmd := &cobra.Command{}
+	cmd.PersistentFlags().String("base-path", "", "Base path for Atmos project")
+	cmd.PersistentFlags().StringSlice("config", []string{}, "Paths to configuration file")
+	cmd.PersistentFlags().StringSlice("config-path", []string{}, "Path to configuration directory")
+
+	flags := cmd.Flags()
+	flags.String("component", "s3-bucket", "")
+	flags.String("stack", "", "")
+	flags.String("tags", "", "")
+	flags.Bool("dry-run", false, "")
+	flags.Bool("everything", false, "")
+
+	// Execute vendor pull command
+	err = ExecuteVendorPullCommand(cmd, []string{})
+	require.NoError(t, err, "Vendor pull command should execute without error")
+
+	// Check that the target directory was created
+	targetDir := filepath.Join("components", "terraform", "s3-bucket")
+	assert.DirExists(t, targetDir, "Target directory should be created")
+
+	// Test that the expected files were pulled from the repository
+	// According to the bug report, these files should be present but are not being pulled
+	expectedFiles := []string{
+		// Main terraform files that should match "**/*.tf"
+		filepath.Join(targetDir, "main.tf"),
+		filepath.Join(targetDir, "outputs.tf"),
+		filepath.Join(targetDir, "variables.tf"),
+		filepath.Join(targetDir, "versions.tf"),
+
+		// Documentation files that should match "**/README.md"
+		filepath.Join(targetDir, "README.md"),
+
+		// License file that should match "**/LICENSE"
+		filepath.Join(targetDir, "LICENSE"),
+
+		// Module files that should match "**/modules/**"
+		// The terraform-aws-s3-bucket repository has modules subdirectory
+		filepath.Join(targetDir, "modules", "notification", "main.tf"),
+		filepath.Join(targetDir, "modules", "notification", "variables.tf"),
+		filepath.Join(targetDir, "modules", "notification", "outputs.tf"),
+		filepath.Join(targetDir, "modules", "notification", "versions.tf"),
+	}
+
+	// Check that files were actually pulled (not just an empty directory)
+	// This is the main assertion that should fail based on the bug report
+	for _, file := range expectedFiles {
+		assert.FileExists(t, file, "File should be pulled from repository: %s", file)
+	}
+
+	// Clean up: Remove the created directory and its contents
+	defer func() {
+		if err := os.RemoveAll(targetDir); err != nil {
+			t.Logf("Failed to clean up target directory: %v", err)
+		}
+	}()
+}
+
+// TestVendorPullWithMultipleVendorFiles tests that vendor pull works correctly
+// even when there are multiple vendor YAML files in the same directory.
+// This could be a potential cause of the issue where the vendor process
+// gets confused by multiple configuration files.
+func TestVendorPullWithMultipleVendorFiles(t *testing.T) {
+	// Check for GitHub access with rate limit check
+	rateLimits := tests.RequireGitHubAccess(t)
+	if rateLimits != nil && rateLimits.Remaining < 10 {
+		t.Skipf("Insufficient GitHub API requests remaining (%d). Test may require ~10 requests", rateLimits.Remaining)
+	}
+
+	// Store original environment variables
+	originalCliPath := os.Getenv("ATMOS_CLI_CONFIG_PATH")
+	originalBasePath := os.Getenv("ATMOS_BASE_PATH")
+	originalLogLevel := os.Getenv("ATMOS_LOGS_LEVEL")
+
+	// Set debug logging to see what's happening
+	os.Setenv("ATMOS_LOGS_LEVEL", "Debug")
+
+	// Capture the starting working directory
+	startingDir, err := os.Getwd()
+	require.NoError(t, err, "Failed to get the current working directory")
+
+	defer func() {
+		// Restore original environment variables
+		if originalCliPath != "" {
+			os.Setenv("ATMOS_CLI_CONFIG_PATH", originalCliPath)
+		} else {
+			os.Unsetenv("ATMOS_CLI_CONFIG_PATH")
+		}
+
+		if originalBasePath != "" {
+			os.Setenv("ATMOS_BASE_PATH", originalBasePath)
+		} else {
+			os.Unsetenv("ATMOS_BASE_PATH")
+		}
+
+		if originalLogLevel != "" {
+			os.Setenv("ATMOS_LOGS_LEVEL", originalLogLevel)
+		} else {
+			os.Unsetenv("ATMOS_LOGS_LEVEL")
+		}
+
+		// Change back to the original working directory after the test
+		if err := os.Chdir(startingDir); err != nil {
+			t.Fatalf("Failed to change back to the starting directory: %v", err)
+		}
+	}()
+
+	// Define the test directory
+	testDir := "../../tests/fixtures/scenarios/vendor-triple-slash"
+
+	// Change to the test directory
+	err = os.Chdir(testDir)
+	require.NoError(t, err, "Failed to change to test directory")
+
+	// Verify that multiple vendor files exist in the directory
+	vendorFiles := []string{"vendor.yaml", "vendor-test.yaml"}
+	for _, file := range vendorFiles {
+		assert.FileExists(t, file, "Vendor file should exist: %s", file)
+	}
+
+	// Set up the command
+	cmd := &cobra.Command{}
+	cmd.PersistentFlags().String("base-path", "", "Base path for Atmos project")
+	cmd.PersistentFlags().StringSlice("config", []string{}, "Paths to configuration file")
+	cmd.PersistentFlags().StringSlice("config-path", []string{}, "Path to configuration directory")
+
+	flags := cmd.Flags()
+	flags.String("component", "", "")
+	flags.String("stack", "", "")
+	flags.String("tags", "aws", "")
+	flags.Bool("dry-run", false, "")
+	flags.Bool("everything", false, "")
+
+	// Execute vendor pull command with tags filter
+	err = ExecuteVendorPullCommand(cmd, []string{})
+	require.NoError(t, err, "Vendor pull command should execute without error even with multiple vendor files")
+
+	// Check that the s3-bucket component was pulled (it has the 'aws' tag)
+	targetDir := filepath.Join("components", "terraform", "s3-bucket")
+	assert.DirExists(t, targetDir, "Target directory for s3-bucket should be created")
+
+	// Verify that at least some files were pulled
+	entries, err := os.ReadDir(targetDir)
+	assert.NoError(t, err, "Should be able to read target directory")
+	assert.NotEmpty(t, entries, "Target directory should not be empty - files should have been pulled")
+
+	// Clean up: Remove the created directory and its contents
+	defer func() {
+		if err := os.RemoveAll(targetDir); err != nil {
+			t.Logf("Failed to clean up target directory: %v", err)
+		}
+	}()
+}

internal/exec/vendor_utils.go

@@ -275,6 +275,11 @@ func processAtmosVendorSource(sources []schema.AtmosVendorSource, component stri
 			return nil, err
 		}
 
+		// Normalize the URI to handle triple-slash pattern (///), which indicates cloning from
+		// the root of the repository. This pattern broke in go-getter v1.7.9 due to CVE-2025-8959
+		// security fixes.
+		uri = normalizeVendorURI(uri)
+
 		useOciScheme, useLocalFileSystem, sourceIsLocalFile, err := determineSourceType(&uri, vendorConfigFilePath)
 		if err != nil {
 			return nil, err
@@ -424,6 +429,59 @@ func shouldSkipSource(s *schema.AtmosVendorSource, component string, tags []stri
 	return (component != "" && s.Component != component) || (len(tags) > 0 && len(lo.Intersect(tags, s.Tags)) == 0)
 }
 
+// normalizeVendorURI normalizes vendor source URIs to handle legacy patterns.
+// In go-getter syntax, the double-slash (//) is a delimiter between the repository URL
+// and the subdirectory path within that repository. A triple-slash (///) indicates that
+// the content should be pulled from the root of the repository.
+//
+// The triple-slash pattern (e.g., "github.com/repo.git///?ref=v1.0.0") was a documented
+// way to explicitly vendor from the root of a Git repository. After go-getter v1.7.9
+// (introduced in Atmos v1.189.0), this pattern no longer works due to security fixes
+// for CVE-2025-8959 that changed subdirectory path handling.
+//
+// This function converts:
+//   - "github.com/repo.git///?ref=v1.0.0" -> "github.com/repo.git?ref=v1.0.0" (root of repository)
+//   - "github.com/repo.git///some/path?ref=v1.0.0" -> "github.com/repo.git//some/path?ref=v1.0.0"
+func normalizeVendorURI(uri string) string {
+	// Don't modify file:/// URIs (valid file scheme with empty host)
+	if strings.HasPrefix(uri, "file:///") {
+		return uri
+	}
+
+	// Check if the URI contains the triple slash pattern for Git repos
+	// The pattern is: repository.git///?query or repository.git///path?query
+	if !strings.Contains(uri, ".git///") {
+		return uri
+	}
+
+	// Find the position of .git///
+	gitTripleSlashPos := strings.Index(uri, ".git///")
+	if gitTripleSlashPos == -1 {
+		return uri
+	}
+
+	// Extract parts before and after .git///
+	const gitSuffixLen = 4                                 // length of ".git"
+	const tripleSlashLen = 7                               // length of ".git///"
+	beforePattern := uri[:gitTripleSlashPos+gitSuffixLen]  // includes ".git"
+	afterPattern := uri[gitTripleSlashPos+tripleSlashLen:] // after "///"
+
+	// Check what comes after the triple slash
+	if afterPattern == "" || strings.HasPrefix(afterPattern, "?") {
+		// Root of repository case: .git///? or .git///
+		normalized := beforePattern + afterPattern
+		log.Debug("Normalized vendor URI: removed root repository indicator (///) to clone from repository root",
+			"original", uri, "normalized", normalized)
+		return normalized
+	}
+
+	// Path specified after triple slash: .git///path
+	normalized := beforePattern + "//" + afterPattern
+	log.Debug("Normalized vendor URI: converted triple slash to double slash",
+		"original", uri, "normalized", normalized)
+	return normalized
+}
+
 func determineSourceType(uri *string, vendorConfigFilePath string) (bool, bool, bool, error) {
 	// Determine if the URI is an OCI scheme, a local file, or remote
 	useLocalFileSystem := false