From abbfba035fb8ddb1102b8b09cc755aa13ea48e5b Mon Sep 17 00:00:00 2001
From: Tarashish Mishra
Date: Thu, 3 Jul 2025 19:16:09 +0530
Subject: [PATCH] Skip GDAL VRT driver to mitigate security issue

Skip VRT driver to prevent arbitrary file reading vulnerability reported in GDAL issue https://github.com/OSGeo/gdal/issues/12645 and https://github.com/developmentseed/titiler/issues/1180. This configuration prevents exploitation of GDAL's VRT driver which can be used to read arbitrary files from the filesystem.
---
 CHANGELOG.md | 1 +
 charts/eoapi/values.yaml | 1 +
 2 files changed, 2 insertions(+)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index dd60893d..5d2b3bb4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -19,6 +19,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Refactors eoapi-support into core eoapi chart [#262](https://github.com/developmentseed/eoapi-k8s/pull/262)
 - Make integration tests fail properly
+- Temporarily skip VRT driver in GDALg to avoid https://github.com/OSGeo/gdal/issues/12645
 ## [0.7.13] - 2025-11-04
diff --git a/charts/eoapi/values.yaml b/charts/eoapi/values.yaml
index 3350c404..b41ed741 100644
--- a/charts/eoapi/values.yaml
+++ b/charts/eoapi/values.yaml
@@ -295,6 +295,7 @@ raster:
 GDAL_HTTP_MERGE_CONSECUTIVE_RANGES: "YES"
 GDAL_HTTP_MULTIPLEX: "YES"
 GDAL_HTTP_VERSION: "2"
+ GDAL_SKIP: "VRT" # skip VRT driver to avoid https://github.com/OSGeo/gdal/issues/12645
 PYTHONWARNINGS: "ignore"
 VSI_CACHE: "TRUE"
 VSI_CACHE_SIZE: "5000000" # 5 MB (per file-handle)
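Review bot: The added `GDAL_SKIP: "VRT"` line in the values.yaml hunk records the issue it works around but not its cost or its removal condition, and skipping the VRT driver also makes legitimate .vrt datasets unreadable for the raster service. Suggest extending the inline comment to `GDAL_SKIP: "VRT" # temporary mitigation for https://github.com/OSGeo/gdal/issues/12645 — also disables legitimate VRT inputs; remove once the image ships a GDAL release containing the fix (<fixed GDAL version>)`. GDAL_SKIP is a single space-separated driver list that replaces rather than appends, so any skip list already set in the image would be overridden — worth confirming against the image's default environment. Because this is an environment setting on one component's env block, any other chart component that also loads GDAL would not inherit it; the enclosing `raster:` mapping starts outside the hunk.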