Merge pull request from GHSA-jm56-5h66-w453
Signed-off-by: Matt Butcher <matt.butcher@microsoft.com>
technosophos committed Sep 17, 2020
1 parent 59d5b94 commit 055dd41
Showing 3 changed files with 48 additions and 2 deletions.
2 changes: 1 addition & 1 deletion pkg/downloader/chart_downloader_test.go
Expand Up @@ -71,7 +71,7 @@ func TestResolveChartRef(t *testing.T) {
if tt.fail {
continue
}
t.Errorf("%s: failed with error %s", tt.name, err)
t.Errorf("%s: failed with error %q", tt.name, err)
continue
}
if got := u.String(); got != tt.expect {
19 changes: 18 additions & 1 deletion pkg/repo/index.go
Expand Up @@ -228,6 +228,23 @@ type ChartVersion struct {
Created time.Time `json:"created,omitempty"`
Removed bool `json:"removed,omitempty"`
Digest string `json:"digest,omitempty"`

// ChecksumDeprecated is deprecated in Helm 3, and therefore ignored. Helm 3 replaced
// this with Digest. However, with a strict YAML parser enabled, a field must be
// present on the struct for backwards compatibility.
ChecksumDeprecated string `json:"checksum,omitempty"`

// EngineDeprecated is deprecated in Helm 3, and therefore ignored. However, with a strict
// YAML parser enabled, this field must be present.
EngineDeprecated string `json:"engine,omitempty"`

// TillerVersionDeprecated is deprecated in Helm 3, and therefore ignored. However, with a strict
// YAML parser enabled, this field must be present.
TillerVersionDeprecated string `json:"tillerVersion,omitempty"`

// URLDeprecated is deprectaed in Helm 3, superseded by URLs. It is ignored. However,
// with a strict YAML parser enabled, this must be present on the struct.
URLDeprecated string `json:"url,omitempty"`
}

// IndexDirectory reads a (flat) directory and generates an index.
Expand Down Expand Up @@ -281,7 +298,7 @@ func IndexDirectory(dir, baseURL string) (*IndexFile, error) {
// This will fail if API Version is not set (ErrNoAPIVersion) or if the unmarshal fails.
func loadIndex(data []byte) (*IndexFile, error) {
i := &IndexFile{}
if err := yaml.Unmarshal(data, i); err != nil {
if err := yaml.UnmarshalStrict(data, i); err != nil {
return i, err
}
i.SortEntries()
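Review bot: The error from yaml.UnmarshalStrict on the changed line is returned unwrapped, and loadIndex's doc comment a few lines above still says only that it fails "if the unmarshal fails"; with strict parsing a duplicate map key or a field not declared on IndexFile/ChartVersion now also fails the load, and a caller sees a bare YAML error with no indication that the index itself was parsed. I would extend the comment with `// Parsing is strict: a duplicate key, or a field not declared on the index structs, is an error.` and wrap the return, e.g. `return i, fmt.Errorf("parsing repository index: %w", err)` (or whichever error-wrapping helper this package already uses). In the first hunk the URLDeprecated comment has a typo, `deprectaed`. loadIndex's body continues past the end of the hunk.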
29 changes: 29 additions & 0 deletions pkg/repo/index_test.go
Expand Up @@ -95,6 +95,35 @@ func TestLoadIndex(t *testing.T) {
verifyLocalIndex(t, i)
}

const indexWithDuplicates = `
apiVersion: v1
entries:
nginx:
- urls:
- https://kubernetes-charts.storage.googleapis.com/nginx-0.2.0.tgz
name: nginx
description: string
version: 0.2.0
home: https://github.com/something/else
digest: "sha256:1234567890abcdef"
nginx:
- urls:
- https://kubernetes-charts.storage.googleapis.com/alpine-1.0.0.tgz
- http://storage2.googleapis.com/kubernetes-charts/alpine-1.0.0.tgz
name: alpine
description: string
version: 1.0.0
home: https://github.com/something
digest: "sha256:1234567890abcdef"
`

// TestLoadIndex_Duplicates is a regression to make sure that we don't non-deterministically allow duplicate packages.
func TestLoadIndex_Duplicates(t *testing.T) {
if _, err := loadIndex([]byte(indexWithDuplicates)); err == nil {
t.Errorf("Expected an error when duplicate entries are present")
}
}

func TestLoadIndexFile(t *testing.T) {
i, err := LoadIndexFile(testfile)
if err != nil {
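Review bot: TestLoadIndex_Duplicates only checks that some error comes back, so a fixture that is malformed for an unrelated reason (the entry indentation, for instance, which cannot be verified from this rendering) would also pass and the regression would go unnoticed. A cheap guard is a sibling assertion that the same document with the second `nginx:` block removed loads without error, which makes the failure attributable to the duplicate key; matching the error text on the YAML library's duplicate-key wording is the stricter option but ties the test to that message. The doc comment reads `is a regression to make sure`; `is a regression test that ensures` is what is meant.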
