Reading large files can crash flux with an out-of-memory bug #470

Closed
@dholbach

Description

From Ada Logics

There are two places where the code uses io.ReadAll to read Helm charts. This function needs to be used with care as it can be used to crash the application due to memory issues in case the files being read are large.

The areas we consider:

https://github.com/fluxcd/source-controller/blob/main/controllers/helmchart_controller.go#L329-L333

And

```go
// Fetch the chart from its resolved URL.
res, err := r.Client.Get(u.String(), r.Options...)
if err != nil {
	return err
}
// Read the whole response into memory with no size limit.
b, err := io.ReadAll(res)
```

If an attacker can taint a Helm chart to be large in size, then a denial-of-service attack can occur.

Recommendation

Validate the size of the input before reading data with io.ReadAll.
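An added example of the recommended fix, not code from this issue or from source-controller: a bounded replacement for the bare io.ReadAll at the reported call site. ReadAllBounded, FetchChart, the endless reader and the 1 MiB limit are constructed for illustration; the real limit would be a project setting.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"strings"
)

// ErrTooLarge is returned when a body exceeds the configured limit.
var ErrTooLarge = errors.New("chart exceeds size limit")

// ReadAllBounded replaces a bare io.ReadAll: at most maxBytes+1 bytes are ever
// buffered, so an exact-limit body passes and anything larger is rejected early.
func ReadAllBounded(r io.Reader, maxBytes int64) ([]byte, error) {
	data, err := io.ReadAll(io.LimitReader(r, maxBytes+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > maxBytes {
		return nil, ErrTooLarge
	}
	return data, nil
}

// FetchChart mirrors the reported call site: an advertised length (e.g. HTTP
// Content-Length, -1 if unknown) is checked first, then the body is read through
// the bounded reader anyway, because the advertised length can be absent or wrong.
func FetchChart(body io.Reader, advertisedLen, maxBytes int64) ([]byte, error) {
	if advertisedLen > maxBytes {
		return nil, fmt.Errorf("advertised length %d: %w", advertisedLen, ErrTooLarge)
	}
	return ReadAllBounded(body, maxBytes)
}

// endless is a constructed stand-in for a hostile body that never ends; a bare io.ReadAll on it grows until the process runs out of memory.
type endless struct{}

func (endless) Read(p []byte) (int, error) {
	for i := range p {
		p[i] = 'x'
	}
	return len(p), nil
}

func main() {
	b, _ := FetchChart(strings.NewReader("apiVersion: v2\n"), -1, 1<<20) // constructed small chart
	_, err := FetchChart(endless{}, -1, 1<<20)                         // unbounded body is cut off at 1 MiB + 1 byte
	fmt.Printf("small chart: %d bytes; endless body: %v\n", len(b), err)
}
```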
