|
| 1 | +From 4740f58fb36257e4a9c8ae18a3d050b4462e360c Mon Sep 17 00:00:00 2001 |
| 2 | +From: jykanase < [email protected]> |
| 3 | +Date: Thu, 10 Jul 2025 13:18:01 +0000 |
| 4 | +Subject: [PATCH] CVE-2025-53547 |
| 5 | + |
| 6 | +Upstream patch reference: https://github.com/helm/helm/commit/4b8e61093d8f579f1165cdc6bd4b43fa5455f571 |
| 7 | +--- |
| 8 | + pkg/downloader/manager.go | 14 +++++ |
| 9 | + pkg/downloader/manager_test.go | 94 ++++++++++++++++++++++++++++++++++ |
| 10 | + 2 files changed, 108 insertions(+) |
| 11 | + |
| 12 | +diff --git a/pkg/downloader/manager.go b/pkg/downloader/manager.go |
| 13 | +index 68c9c6e..4f24609 100644 |
| 14 | +--- a/pkg/downloader/manager.go |
| 15 | ++++ b/pkg/downloader/manager.go |
| 16 | +@@ -852,6 +852,20 @@ func writeLock(chartpath string, lock *chart.Lock, legacyLockfile bool) error { |
| 17 | + lockfileName = "requirements.lock" |
| 18 | + } |
| 19 | + dest := filepath.Join(chartpath, lockfileName) |
| 20 | ++ |
| 21 | ++ info, err := os.Lstat(dest) |
| 22 | ++ if err != nil && !os.IsNotExist(err) { |
| 23 | ++ return fmt.Errorf("error getting info for %q: %w", dest, err) |
| 24 | ++ } else if err == nil { |
| 25 | ++ if info.Mode()&os.ModeSymlink != 0 { |
| 26 | ++ link, err := os.Readlink(dest) |
| 27 | ++ if err != nil { |
| 28 | ++ return fmt.Errorf("error reading symlink for %q: %w", dest, err) |
| 29 | ++ } |
| 30 | ++ return fmt.Errorf("the %s file is a symlink to %q", lockfileName, link) |
| 31 | ++ } |
| 32 | ++ } |
| 33 | ++ |
| 34 | + return os.WriteFile(dest, data, 0644) |
| 35 | + } |
| 36 | + |
| 37 | +diff --git a/pkg/downloader/manager_test.go b/pkg/downloader/manager_test.go |
| 38 | +index db2487d..77c3ee9 100644 |
| 39 | +--- a/pkg/downloader/manager_test.go |
| 40 | ++++ b/pkg/downloader/manager_test.go |
| 41 | +@@ -21,6 +21,9 @@ import ( |
| 42 | + "path/filepath" |
| 43 | + "reflect" |
| 44 | + "testing" |
| 45 | ++ "time" |
| 46 | ++ |
| 47 | ++ "sigs.k8s.io/yaml" |
| 48 | + |
| 49 | + "helm.sh/helm/v3/pkg/chart" |
| 50 | + "helm.sh/helm/v3/pkg/chart/loader" |
| 51 | +@@ -598,3 +601,94 @@ func TestKey(t *testing.T) { |
| 52 | + } |
| 53 | + } |
| 54 | + } |
| 55 | ++ |
| 56 | ++func TestWriteLock(t *testing.T) { |
| 57 | ++ fixedTime, err := time.Parse(time.RFC3339, "2025-07-04T00:00:00Z") |
| 58 | ++ assert.NoError(t, err) |
| 59 | ++ lock := &chart.Lock{ |
| 60 | ++ Generated: fixedTime, |
| 61 | ++ Digest: "sha256:12345", |
| 62 | ++ Dependencies: []*chart.Dependency{ |
| 63 | ++ { |
| 64 | ++ Name: "fantastic-chart", |
| 65 | ++ Version: "1.2.3", |
| 66 | ++ Repository: "https://example.com/charts", |
| 67 | ++ }, |
| 68 | ++ }, |
| 69 | ++ } |
| 70 | ++ expectedContent, err := yaml.Marshal(lock) |
| 71 | ++ assert.NoError(t, err) |
| 72 | ++ |
| 73 | ++ t.Run("v2 lock file", func(t *testing.T) { |
| 74 | ++ dir := t.TempDir() |
| 75 | ++ err := writeLock(dir, lock, false) |
| 76 | ++ assert.NoError(t, err) |
| 77 | ++ |
| 78 | ++ lockfilePath := filepath.Join(dir, "Chart.lock") |
| 79 | ++ _, err = os.Stat(lockfilePath) |
| 80 | ++ assert.NoError(t, err, "Chart.lock should exist") |
| 81 | ++ |
| 82 | ++ content, err := os.ReadFile(lockfilePath) |
| 83 | ++ assert.NoError(t, err) |
| 84 | ++ assert.Equal(t, expectedContent, content) |
| 85 | ++ |
| 86 | ++ // Check that requirements.lock does not exist |
| 87 | ++ _, err = os.Stat(filepath.Join(dir, "requirements.lock")) |
| 88 | ++ assert.Error(t, err) |
| 89 | ++ assert.True(t, os.IsNotExist(err)) |
| 90 | ++ }) |
| 91 | ++ |
| 92 | ++ t.Run("v1 lock file", func(t *testing.T) { |
| 93 | ++ dir := t.TempDir() |
| 94 | ++ err := writeLock(dir, lock, true) |
| 95 | ++ assert.NoError(t, err) |
| 96 | ++ |
| 97 | ++ lockfilePath := filepath.Join(dir, "requirements.lock") |
| 98 | ++ _, err = os.Stat(lockfilePath) |
| 99 | ++ assert.NoError(t, err, "requirements.lock should exist") |
| 100 | ++ |
| 101 | ++ content, err := os.ReadFile(lockfilePath) |
| 102 | ++ assert.NoError(t, err) |
| 103 | ++ assert.Equal(t, expectedContent, content) |
| 104 | ++ |
| 105 | ++ // Check that Chart.lock does not exist |
| 106 | ++ _, err = os.Stat(filepath.Join(dir, "Chart.lock")) |
| 107 | ++ assert.Error(t, err) |
| 108 | ++ assert.True(t, os.IsNotExist(err)) |
| 109 | ++ }) |
| 110 | ++ |
| 111 | ++ t.Run("overwrite existing lock file", func(t *testing.T) { |
| 112 | ++ dir := t.TempDir() |
| 113 | ++ lockfilePath := filepath.Join(dir, "Chart.lock") |
| 114 | ++ assert.NoError(t, os.WriteFile(lockfilePath, []byte("old content"), 0644)) |
| 115 | ++ |
| 116 | ++ err = writeLock(dir, lock, false) |
| 117 | ++ assert.NoError(t, err) |
| 118 | ++ |
| 119 | ++ content, err := os.ReadFile(lockfilePath) |
| 120 | ++ assert.NoError(t, err) |
| 121 | ++ assert.Equal(t, expectedContent, content) |
| 122 | ++ }) |
| 123 | ++ |
| 124 | ++ t.Run("lock file is a symlink", func(t *testing.T) { |
| 125 | ++ dir := t.TempDir() |
| 126 | ++ dummyFile := filepath.Join(dir, "dummy.txt") |
| 127 | ++ assert.NoError(t, os.WriteFile(dummyFile, []byte("dummy"), 0644)) |
| 128 | ++ |
| 129 | ++ lockfilePath := filepath.Join(dir, "Chart.lock") |
| 130 | ++ assert.NoError(t, os.Symlink(dummyFile, lockfilePath)) |
| 131 | ++ |
| 132 | ++ err = writeLock(dir, lock, false) |
| 133 | ++ assert.Error(t, err) |
| 134 | ++ assert.Contains(t, err.Error(), "the Chart.lock file is a symlink to") |
| 135 | ++ }) |
| 136 | ++ |
| 137 | ++ t.Run("chart path is not a directory", func(t *testing.T) { |
| 138 | ++ dir := t.TempDir() |
| 139 | ++ filePath := filepath.Join(dir, "not-a-dir") |
| 140 | ++ assert.NoError(t, os.WriteFile(filePath, []byte("file"), 0644)) |
| 141 | ++ |
| 142 | ++ err = writeLock(filePath, lock, false) |
| 143 | ++ assert.Error(t, err) |
| 144 | ++ }) |
| 145 | ++} |
| 146 | +-- |
| 147 | +2.45.2 |
| 148 | + |
0 commit comments