File CVE-2024-26147.patch of Package helm.32773
From 764557c470533fa57aad99f865c9ff75a64d4163 Mon Sep 17 00:00:00 2001
From: Matt Farina <matt.farina@suse.com>
Date: Wed, 21 Feb 2024 09:45:58 -0500
Subject: [PATCH] Some fixes
Signed-off-by: Matt Farina <matt.farina@suse.com>
---
pkg/plugin/plugin.go | 4 ++++
pkg/plugin/plugin_test.go | 6 ++++++
pkg/repo/index.go | 4 ++++
pkg/repo/index_test.go | 4 ++++
4 files changed, 18 insertions(+)
Index: helm-3.13.3/pkg/plugin/plugin.go
===================================================================
--- helm-3.13.3.orig/pkg/plugin/plugin.go
+++ helm-3.13.3/pkg/plugin/plugin.go
@@ -175,6 +175,10 @@ var validPluginName = regexp.MustCompile
// validatePluginData validates a plugin's YAML data.
func validatePluginData(plug *Plugin, filepath string) error {
+ // When metadata section missing, initialize with no data
+ if plug.Metadata == nil {
+ plug.Metadata = &Metadata{}
+ }
if !validPluginName.MatchString(plug.Metadata.Name) {
return fmt.Errorf("invalid plugin name at %q", filepath)
}
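Review bot: The nil-Metadata guard at the top of validatePluginData repairs the input instead of rejecting it, so a plugin YAML with no metadata section is reported as "invalid plugin name" and the caller's Plugin is left holding a placeholder Metadata. Returning a dedicated error would still prevent the nil dereference without mutating the argument: `if plug.Metadata == nil { return fmt.Errorf("missing metadata section at %q", filepath) }`. The guard also assumes plug itself is non-nil; the callers are not visible here, so that is worth confirming. The function body continues past the end of this hunk.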
Index: helm-3.13.3/pkg/plugin/plugin_test.go
===================================================================
--- helm-3.13.3.orig/pkg/plugin/plugin_test.go
+++ helm-3.13.3/pkg/plugin/plugin_test.go
@@ -350,6 +350,11 @@ func TestSetupEnvWithSpace(t *testing.T)
}
func TestValidatePluginData(t *testing.T) {
+ // A mock plugin missing any metadata.
+ mockMissingMeta := &Plugin{
+ Dir: "no-such-dir",
+ }
+
for i, item := range []struct {
pass bool
plug *Plugin
@@ -360,6 +365,7 @@ func TestValidatePluginData(t *testing.T
{false, mockPlugin("$foo -bar")}, // Test leading chars
{false, mockPlugin("foo -bar ")}, // Test trailing chars
{false, mockPlugin("foo\nbar")}, // Test newline
+ {false, mockMissingMeta}, // Test if the metadata section missing
} {
err := validatePluginData(item.plug, fmt.Sprintf("test-%d", i))
if item.pass && err != nil {
Index: helm-3.13.3/pkg/repo/index.go
===================================================================
--- helm-3.13.3.orig/pkg/repo/index.go
+++ helm-3.13.3/pkg/repo/index.go
@@ -359,6 +359,10 @@ func loadIndex(data []byte, source strin
log.Printf("skipping loading invalid entry for chart %q from %s: empty entry", name, source)
continue
}
+ // When metadata section missing, initialize with no data
+ if cvs[idx].Metadata == nil {
+ cvs[idx].Metadata = &chart.Metadata{}
+ }
if cvs[idx].APIVersion == "" {
cvs[idx].APIVersion = chart.APIVersionV1
}
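Review bot: The comment added in loadIndex says what the guard does but not why, and the reason is the part a later maintainer needs. The data parsed here is an externally supplied index file, and the accesses that follow (`cvs[idx].APIVersion`) appear to go through the Metadata pointer, so a nil value would panic the client. A comment such as `// An entry with no metadata fields decodes with a nil Metadata; default it so the accesses below cannot dereference nil.` would record that. Whether the now-empty entry is then dropped depends on validation after this hunk, which is not visible here; the loop and the function both start and end outside the hunk.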
Index: helm-3.13.3/pkg/repo/index_test.go
===================================================================
--- helm-3.13.3.orig/pkg/repo/index_test.go
+++ helm-3.13.3/pkg/repo/index_test.go
@@ -69,6 +69,10 @@ entries:
name: grafana
foo:
-
+ bar:
+ - digest: "sha256:1234567890abcdef"
+ urls:
+ - https://charts.helm.sh/stable/alpine-1.0.0.tgz
`
)
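Review bot: The new `bar` entry is added to the fixture only, so no assertion states what loadIndex should do with it; the diffstat shows four insertions in this file, all of them YAML. The test that loads this fixture would still catch a panic, but it would not notice if an entry without name and version were kept in the loaded index. Consider pinning the expected outcome there, presumably that the entry is skipped, e.g. `if len(idx.Entries["bar"]) != 0 { t.Error("expected entry without metadata to be skipped") }`. The variable name `idx` is assumed, since the test body is outside this hunk.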