Why does helm package follow symlinks? #8540
Comments
I think we need something like https://github.com/cyphar/filepath-securejoin
A couple of things to note here.

Infinite loops are not possible either, as that was addressed in ee8cd8b. That should hopefully address all of your concerns. Is there some other action item that should be addressed here, or can we close this?
@bacongobbler Just to clarify. Is it correct to say that in Helm 3, It sounds like some thought went into this, so I don't expect any change but just need to clearly understand what mitigation I need to put in place. Thanks!
At the very least,

In terms of outright disallowing In addition, there are warnings reported when a symbolic link is used to inform the user that the chart is linking in external files:

But we don't disallow users from symlinking external files into the chart. In terms of mitigation, you could change the file mode bits for files you do not wish the untrusted user to link to. For example, you could create a I have not tested this myself, but I'm fairly confident that should solve your use case. Does that help?
@ibuildthecloud With Helm we have classified people into different roles. They are often not the same people filling them. Two of the roles are the chart creator and then the helm/chart user. For example, a company like Bitnami would package up mariadb as a chart creator and then many people would install the chart as a Helm/chart user. Bitnami as the chart creator would use What use cases do you have for people running
closing as answered/inactive.
I'm trying to write some automation that will run "helm package" on arbitrary and possibly untrusted content. The fact that helm package will follow symlinks introduces a security concern in that 1) content outside the chart root can be read and 2) I believe it's possible to create an infinite loop. Why does helm need to support symlinks, and could it be possible to disable this behaviour optionally?
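The two concerns raised in this issue (a symlink that reads content outside the chart root, and a link cycle) are something a pipeline can check for itself before handing an untrusted directory to `helm package`. The following is an added example written for this thread, not Helm's own code and not the `filepath-securejoin` library mentioned above: it walks the chart tree without following links, fully resolves every symlink it meets, and flags links that cannot be resolved (dangling or cyclic), links whose resolved target lies outside the resolved chart root, and directory links that point at one of their own ancestors, which an archiver that follows links would recurse into forever. The `demo` chart, `secret.txt` and the link names in `main` are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// Finding is one symlink under the chart root that a strict packaging
// pipeline would refuse to follow.
type Finding struct {
	Link   string // symlink path relative to the chart root
	Target string // fully resolved target ("" when resolution failed)
	Reason string // why it was flagged
}

// outside reports whether p (absolute, already resolved) is not inside dir.
func outside(dir, p string) bool {
	rel, err := filepath.Rel(dir, p)
	return err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator))
}

// ScanChartSymlinks walks root without descending into symlinks and flags
// each link that (1) cannot be resolved (dangling or cyclic chain),
// (2) resolves to a path outside root, or (3) is a directory link to its
// own ancestor. root itself is resolved first so a chart that merely lives
// under a symlinked directory is not flagged because of its own prefix.
func ScanChartSymlinks(root string) ([]Finding, error) {
	absRoot, err := filepath.Abs(root)
	if err != nil {
		return nil, err
	}
	realRoot, err := filepath.EvalSymlinks(absRoot)
	if err != nil {
		return nil, err
	}
	var findings []Finding
	walkErr := filepath.WalkDir(realRoot, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.Type()&fs.ModeSymlink == 0 {
			return nil // regular file or directory: nothing to check
		}
		rel, _ := filepath.Rel(realRoot, path)
		target, err := filepath.EvalSymlinks(path)
		if err != nil {
			// Dangling link, or a cycle such as a -> b -> a (EvalSymlinks gives up).
			findings = append(findings, Finding{Link: rel, Reason: "unresolvable: " + err.Error()})
			return nil
		}
		if outside(realRoot, target) {
			findings = append(findings, Finding{Link: rel, Target: target, Reason: "escapes root"})
			return nil
		}
		// A directory link whose target contains the link's own parent is a
		// cycle for any tool that follows links while recursing.
		if fi, err := os.Stat(target); err == nil && fi.IsDir() && !outside(target, filepath.Dir(path)) {
			findings = append(findings, Finding{Link: rel, Target: target, Reason: "directory link to its own ancestor (would loop)"})
		}
		return nil
	})
	return findings, walkErr
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func main() {
	// Constructed demo chart: one harmless in-tree link, one link that reads a
	// file outside the chart, one cyclic pair, and one self-referential directory.
	base, err := os.MkdirTemp("", "chart-scan")
	must(err)
	defer os.RemoveAll(base)
	root := filepath.Join(base, "demo")
	must(os.MkdirAll(filepath.Join(root, "templates"), 0o755))
	must(os.WriteFile(filepath.Join(root, "Chart.yaml"), []byte("name: demo\n"), 0o644))
	must(os.WriteFile(filepath.Join(base, "secret.txt"), []byte("not yours\n"), 0o600))
	must(os.Symlink("../Chart.yaml", filepath.Join(root, "templates", "ok.yaml")))
	must(os.Symlink(filepath.Join(base, "secret.txt"), filepath.Join(root, "templates", "leak.yaml")))
	must(os.Symlink("loop-b", filepath.Join(root, "loop-a")))
	must(os.Symlink("loop-a", filepath.Join(root, "loop-b")))
	must(os.Symlink(".", filepath.Join(root, "templates", "self")))

	findings, err := ScanChartSymlinks(root)
	must(err)
	for _, f := range findings {
		fmt.Printf("%-20s %s\n", f.Link, f.Reason)
	}
	if len(findings) > 0 {
		fmt.Println("refusing to package")
	}
}
```

Run this over the untrusted directory and abort before `helm package` if it returns any finding. It deliberately does not try to mimic Helm's own resolution rules; it is a pre-flight gate, and the file-mode-bit mitigation suggested above is still worth applying as a second layer, since the scan only sees what exists at scan time.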