Merge pull request #31164 from hashicorp/jbardin/go-getter-security-options

add XTerraformGetLimit to prevent redirect loops

internal/command/providers_mirror.go

@@ -94,8 +94,9 @@ func (c *ProvidersMirrorCommand) Run(args []string) int {
 	// generality of go-getter but it's still handy to use the HTTP getter
 	// as an easy way to download over HTTP into a file on disk.
 	httpGetter := getter.HttpGetter{
-		Client: httpclient.New(),
-		Netrc:  true,
+		Client:                httpclient.New(),
+		Netrc:                 true,
+		XTerraformGetDisabled: true,
 	}
 
 	// The following logic is similar to that used by the provider installer

internal/getmodules/getter.go

@@ -83,8 +83,9 @@ var goGetterGetters = map[string]getter.Getter{
 var getterHTTPClient = cleanhttp.DefaultClient()
 
 var getterHTTPGetter = &getter.HttpGetter{
-	Client: getterHTTPClient,
-	Netrc:  true,
+	Client:             getterHTTPClient,
+	Netrc:              true,
+	XTerraformGetLimit: 10,
 }
 
 // A reusingGetter is a helper for the module installer that remembers