Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP1:GA
helm
CVE-2024-25620.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2024-25620.patch of Package helm
From 8e6a5149d2e2e3beffa51d53048b2fed90d8c529 Mon Sep 17 00:00:00 2001 From: Matt Farina <matt.farina@suse.com> Date: Wed, 7 Feb 2024 10:54:15 -0500 Subject: [PATCH] validation fix Signed-off-by: Matt Farina <matt.farina@suse.com> --- pkg/chart/metadata.go | 6 ++++ pkg/chart/metadata_test.go | 5 ++++ pkg/chartutil/errors.go | 8 +++++ pkg/chartutil/save.go | 20 +++++++++++++ pkg/chartutil/save_test.go | 29 +++++++++++++++++++ pkg/downloader/manager_test.go | 26 +++++++++++++++++ pkg/lint/rules/chartfile.go | 4 +++ pkg/lint/rules/chartfile_test.go | 8 +++++ .../rules/testdata/badchartname/Chart.yaml | 5 ++++ .../rules/testdata/badchartname/values.yaml | 1 + 10 files changed, 112 insertions(+) create mode 100644 pkg/lint/rules/testdata/badchartname/Chart.yaml create mode 100644 pkg/lint/rules/testdata/badchartname/values.yaml Index: helm-3.13.3/pkg/chart/metadata.go =================================================================== --- helm-3.13.3.orig/pkg/chart/metadata.go +++ helm-3.13.3/pkg/chart/metadata.go @@ -16,6 +16,7 @@ limitations under the License. package chart import ( + "path/filepath" "strings" "unicode" @@ -110,6 +111,11 @@ func (md *Metadata) Validate() error { if md.Name == "" { return ValidationError("chart.metadata.name is required") } + + if md.Name != filepath.Base(md.Name) { + return ValidationErrorf("chart.metadata.name %q is invalid", md.Name) + } + if md.Version == "" { return ValidationError("chart.metadata.version is required") } Index: helm-3.13.3/pkg/chart/metadata_test.go =================================================================== --- helm-3.13.3.orig/pkg/chart/metadata_test.go +++ helm-3.13.3/pkg/chart/metadata_test.go @@ -41,6 +41,10 @@ func TestValidate(t *testing.T) { ValidationError("chart.metadata.version is required"), }, { + &Metadata{Name: "../../test", APIVersion: "v2", Version: "1.0"}, + ValidationError("chart.metadata.name \"../../test\" is invalid"), + }, + { &Metadata{Name: "test", APIVersion: "v2", Version: "1.0", Type: "test"}, ValidationError("chart.metadata.type must be application or library"), }, Index: helm-3.13.3/pkg/chartutil/errors.go =================================================================== --- helm-3.13.3.orig/pkg/chartutil/errors.go +++ helm-3.13.3/pkg/chartutil/errors.go @@ -33,3 +33,11 @@ type ErrNoValue struct { } func (e ErrNoValue) Error() string { return fmt.Sprintf("%q is not a value", e.Key) } + +type ErrInvalidChartName struct { + Name string +} + +func (e ErrInvalidChartName) Error() string { + return fmt.Sprintf("%q is not a valid chart name", e.Name) +} Index: helm-3.13.3/pkg/chartutil/save.go =================================================================== --- helm-3.13.3.orig/pkg/chartutil/save.go +++ helm-3.13.3/pkg/chartutil/save.go @@ -39,6 +39,10 @@ var headerBytes = []byte("+aHR0cHM6Ly95b // directory, writing the chart's contents to that subdirectory. func SaveDir(c *chart.Chart, dest string) error { // Create the chart directory + err := validateName(c.Name()) + if err != nil { + return err + } outdir := filepath.Join(dest, c.Name()) if fi, err := os.Stat(outdir); err == nil && !fi.IsDir() { return errors.Errorf("file %s already exists and is not a directory", outdir) @@ -149,6 +153,10 @@ func Save(c *chart.Chart, outDir string) } func writeTarContents(out *tar.Writer, c *chart.Chart, prefix string) error { + err := validateName(c.Name()) + if err != nil { + return err + } base := filepath.Join(prefix, c.Name()) // Pull out the dependencies of a v1 Chart, since there's no way @@ -242,3 +250,15 @@ func writeToTar(out *tar.Writer, name st _, err := out.Write(body) return err } + +// If the name has directory name has characters which would change the location +// they need to be removed. +func validateName(name string) error { + nname := filepath.Base(name) + + if nname != name { + return ErrInvalidChartName{name} + } + + return nil +} Index: helm-3.13.3/pkg/chartutil/save_test.go =================================================================== --- helm-3.13.3.orig/pkg/chartutil/save_test.go +++ helm-3.13.3/pkg/chartutil/save_test.go @@ -106,6 +106,24 @@ func TestSave(t *testing.T) { } }) } + + c := &chart.Chart{ + Metadata: &chart.Metadata{ + APIVersion: chart.APIVersionV1, + Name: "../ahab", + Version: "1.2.3", + }, + Lock: &chart.Lock{ + Digest: "testdigest", + }, + Files: []*chart.File{ + {Name: "scheherazade/shahryar.txt", Data: []byte("1,001 Nights")}, + }, + } + _, err := Save(c, tmp) + if err == nil { + t.Fatal("Expected error saving chart with invalid name") + } } // Creates a copy with a different schema; does not modify anything. @@ -232,4 +250,15 @@ func TestSaveDir(t *testing.T) { if len(c2.Files) != 1 || c2.Files[0].Name != c.Files[0].Name { t.Fatal("Files data did not match") } + + tmp2 := t.TempDir() + c.Metadata.Name = "../ahab" + pth := filepath.Join(tmp2, "tmpcharts") + if err := os.MkdirAll(filepath.Join(pth), 0755); err != nil { + t.Fatal(err) + } + + if err := SaveDir(c, pth); err.Error() != "\"../ahab\" is not a valid chart name" { + t.Fatalf("Did not get expected error for chart named %q", c.Name()) + } } Index: helm-3.13.3/pkg/downloader/manager_test.go =================================================================== --- helm-3.13.3.orig/pkg/downloader/manager_test.go +++ helm-3.13.3/pkg/downloader/manager_test.go @@ -262,6 +262,32 @@ func TestDownloadAll(t *testing.T) { if _, err := os.Stat(filepath.Join(chartPath, "charts", "signtest-0.1.0.tgz")); os.IsNotExist(err) { t.Error(err) } + + // A chart with a bad name like this cannot be loaded and saved. Handling in + // the loading and saving will return an error about the invalid name. In + // this case, the chart needs to be created directly. + badchartyaml := `apiVersion: v2 +description: A Helm chart for Kubernetes +name: ../bad-local-subchart +version: 0.1.0` + if err := os.MkdirAll(filepath.Join(chartPath, "testdata", "bad-local-subchart"), 0755); err != nil { + t.Fatal(err) + } + err = os.WriteFile(filepath.Join(chartPath, "testdata", "bad-local-subchart", "Chart.yaml"), []byte(badchartyaml), 0644) + if err != nil { + t.Fatal(err) + } + + badLocalDep := &chart.Dependency{ + Name: "../bad-local-subchart", + Repository: "file://./testdata/bad-local-subchart", + Version: "0.1.0", + } + + err = m.downloadAll([]*chart.Dependency{badLocalDep}) + if err == nil { + t.Fatal("Expected error for bad dependency name") + } } func TestUpdateBeforeBuild(t *testing.T) { Index: helm-3.13.3/pkg/lint/rules/chartfile.go =================================================================== --- helm-3.13.3.orig/pkg/lint/rules/chartfile.go +++ helm-3.13.3/pkg/lint/rules/chartfile.go @@ -106,6 +106,10 @@ func validateChartName(cf *chart.Metadat if cf.Name == "" { return errors.New("name is required") } + name := filepath.Base(cf.Name) + if name != cf.Name { + return fmt.Errorf("chart name %q is invalid", cf.Name) + } return nil } Index: helm-3.13.3/pkg/lint/rules/chartfile_test.go =================================================================== --- helm-3.13.3.orig/pkg/lint/rules/chartfile_test.go +++ helm-3.13.3/pkg/lint/rules/chartfile_test.go @@ -30,16 +30,19 @@ import ( ) const ( + badCharNametDir = "testdata/badchartname" badChartDir = "testdata/badchartfile" anotherBadChartDir = "testdata/anotherbadchartfile" ) var ( + badChartNamePath = filepath.Join(badCharNametDir, "Chart.yaml") badChartFilePath = filepath.Join(badChartDir, "Chart.yaml") nonExistingChartFilePath = filepath.Join(os.TempDir(), "Chart.yaml") ) var badChart, _ = chartutil.LoadChartfile(badChartFilePath) +var badChartName, _ = chartutil.LoadChartfile(badChartNamePath) // Validation functions Test func TestValidateChartYamlNotDirectory(t *testing.T) { @@ -69,6 +72,11 @@ func TestValidateChartName(t *testing.T) if err == nil { t.Errorf("validateChartName to return a linter error, got no error") } + + err = validateChartName(badChartName) + if err == nil { + t.Error("expected validateChartName to return a linter error for an invalid name, got no error") + } } func TestValidateChartVersion(t *testing.T) { Index: helm-3.13.3/pkg/lint/rules/testdata/badchartname/Chart.yaml =================================================================== --- /dev/null +++ helm-3.13.3/pkg/lint/rules/testdata/badchartname/Chart.yaml @@ -0,0 +1,5 @@ +apiVersion: v2 +description: A Helm chart for Kubernetes +version: 0.1.0 +name: "../badchartname" +type: application Index: helm-3.13.3/pkg/lint/rules/testdata/badchartname/values.yaml =================================================================== --- /dev/null +++ helm-3.13.3/pkg/lint/rules/testdata/badchartname/values.yaml @@ -0,0 +1 @@ +# Default values for badchartfile.
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor