portainer · hookenz · Feb 21, 2024 · Feb 20, 2024 · Feb 20, 2024 · Feb 20, 2024
diff --git a/api/http/handler/helm/handler.go b/api/http/handler/helm/handler.go
@@ -69,12 +69,14 @@ func NewTemplateHandler(bouncer security.BouncerService, helmPackageManager libh
 		requestBouncer:     bouncer,
 	}
 
+	h.Use(bouncer.AuthenticatedAccess)
+
 	h.Handle("/templates/helm",
-		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.helmRepoSearch))).Methods(http.MethodGet)
+		httperror.LoggerHandler(h.helmRepoSearch)).Methods(http.MethodGet)
 
 	// helm show [COMMAND] [CHART] [REPO] flags
 	h.Handle("/templates/helm/{command:chart|values|readme}",
-		bouncer.AuthenticatedAccess(httperror.LoggerHandler(h.helmShow))).Methods(http.MethodGet)
+		httperror.LoggerHandler(h.helmShow)).Methods(http.MethodGet)
 
 	return h
 }

diff --git a/pkg/libhelm/binary/search_repo.go b/pkg/libhelm/binary/search_repo.go
@@ -18,6 +18,7 @@ import (
 )
 
 var errRequiredSearchOptions = errors.New("repo is required")
+var errInvalidRepoURL = errors.New("the request failed since either the Helm repository was not found or the index.yaml is not valid")
 
 type File struct {
 	APIVersion string             `yaml:"apiVersion" json:"apiVersion"`
@@ -64,6 +65,10 @@ func (hbpm *helmBinaryPackageManager) SearchRepo(searchRepoOpts options.SearchRe
 		}
 	}
 
+	if client.CheckRedirect != nil {
+		client.CheckRedirect = CheckRedirect
+	}
+
 	url, err := url.ParseRequestURI(searchRepoOpts.Repo)
 	if err != nil {
 		return nil, errors.Wrap(err, fmt.Sprintf("invalid helm chart URL: %s", searchRepoOpts.Repo))
@@ -72,20 +77,37 @@ func (hbpm *helmBinaryPackageManager) SearchRepo(searchRepoOpts options.SearchRe
 	url.Path = path.Join(url.Path, "index.yaml")
 	resp, err := client.Get(url.String())
 	if err != nil {
-		return nil, errors.Wrap(err, "failed to get index file")
+		return nil, errInvalidRepoURL
 	}
 	defer resp.Body.Close()
 
 	var file File
 	err = yaml.NewDecoder(resp.Body).Decode(&file)
 	if err != nil {
-		return nil, errors.Wrap(err, "failed to decode index file")
+		return nil, errInvalidRepoURL
+	}
+
+	if file.APIVersion == "" || file.Entries == nil {
+		return nil, errInvalidRepoURL
 	}
 
 	result, err := json.Marshal(file)
 	if err != nil {
-		return nil, errors.Wrap(err, "failed to marshal index file")
+		return nil, errInvalidRepoURL
 	}
 
 	return result, nil
 }
+
+func CheckRedirect(req *http.Request, via []*http.Request) error {
+	// The request url must end in index.yaml
+	if path.Base(req.URL.Path) != "index.yaml" {
+		return errors.New("the request URL must end in index.yaml")
+	}
+
+	// default behavior below
+	if len(via) >= 10 {
+		return errors.New("stopped after 10 redirects")
+	}
+	return nil
+}
diff --git a/pkg/libhelm/binary/show.go b/pkg/libhelm/binary/show.go
@@ -22,7 +22,7 @@ func (hbpm *helmBinaryPackageManager) Show(showOpts options.ShowOptions) ([]byte
 
 	result, err := hbpm.run("show", args, showOpts.Env)
 	if err != nil {
-		return nil, errors.Wrap(err, "failed to run helm show on specified args")
+		return nil, errors.New("the request failed since either the Helm repository was not found or the chart does not exist")
 	}
 
 	return result, nil