When an index is in a JSON format, the `sigs.k8s.io/yaml` package uses
an inefficient approach to unmarshaling the data, as it does an
unnecessary roundtrip on the data to transform the YAML to valid JSON.
To prevent this from happening, detect if the bytes which we attempt
to load contain valid JSON, and unmarshal them directly using
`json.Unmarshal` instead.
Signed-off-by: Hidde Beydals <hidde@hhh.computer>
ref: https://github.com/helm/helm/security/advisories/GHSA-c38g-469g-cmgx
* Skip invalid chart versions when reading the repository index file or
when programmatically adding a chart version.
* Adds semver validation and strips non-printable characters and
normalizes spaces for string fields in Metadata.Validate()
* Fixes a unit test that was pulling a remote repo. Now uses a local
repo.
* Fixes ignored error in repo update command
Signed-off-by: Adam Reese <adam@reese.io>
Chart.yaml files have an annotation field that allow a chart to
have custom information similar to the way Kubernetes annotations
work.
In an index.yaml file each chart version can have annotations in
a similar manner to the Chart.yaml file. It is derived from the
same underlying struct.
These enable extension points where people can add their own info.
One thing missing is the ability to extend the top level of an
index file. This change adds annotations to the top level of an
index.yaml file. This would provide top level support for vendors
to extent index.yaml files.
Closes#8767
Signed-off-by: Matt Farina <matt@mattfarina.com>
A recent change merged into Helm fixes a number of security issues related to parsing malformed index files. Unfortunately, it also broke the ability for users to load index files from chartmuseum, which adds a "server info" field to add additional metadata.
This commit adds that field so that index files from chartmuseum can be validated. Since Helm does not use this field for anything, the information is discarded and unused.
Signed-off-by: Matthew Fisher <matt.fisher@microsoft.com>
Previous versions of Helm had placeholder text in the index.yaml file.
This generates an HTML index for 'helm serve'. It also has a
refactoring of the server so that the server can be tested.
Closes#1397
This performs a relatively weak in-memory translation of index file
data. It does not, in most cases, write the corrected data to disk, and
it emits a warning directly to STDERR each time it loads a deprecated
index.
Known limitations:
- It cannot recover certain bogus records that earlier alpha releases
generated (notably, where all chartfile data is missing)
- In some cases, it has to parse a filename to get version info. This is
lossy.
- Because it takes three passes through the YAML and JSON unmarshal, it
is not performant.
This feature is transitional and should be removed during the Beta
cycle, prior to the release of 2.0.0.
Closes#1265
This implements a new index file format for repository indices. It also
implements a new format for requirements.yaml.
Breaking change: This will break all previous versions of Helm, and will
impact helm search, repo, serve, and fetch functions.
Closes#1197
