Merge pull request from GHSA-jm56-5h66-w453

Signed-off-by: Matt Butcher <matt.butcher@microsoft.com>
pull/8759/head
Matt Butcher 4 years ago committed by GitHub
parent 59d5b94d35
commit 055dd41cbe
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -71,7 +71,7 @@ func TestResolveChartRef(t *testing.T) {
if tt.fail { if tt.fail {
continue continue
} }
t.Errorf("%s: failed with error %s", tt.name, err) t.Errorf("%s: failed with error %q", tt.name, err)
continue continue
} }
if got := u.String(); got != tt.expect { if got := u.String(); got != tt.expect {

@ -228,6 +228,23 @@ type ChartVersion struct {
Created time.Time `json:"created,omitempty"` Created time.Time `json:"created,omitempty"`
Removed bool `json:"removed,omitempty"` Removed bool `json:"removed,omitempty"`
Digest string `json:"digest,omitempty"` Digest string `json:"digest,omitempty"`
// ChecksumDeprecated is deprecated in Helm 3, and therefore ignored. Helm 3 replaced
// this with Digest. However, with a strict YAML parser enabled, a field must be
// present on the struct for backwards compatibility.
ChecksumDeprecated string `json:"checksum,omitempty"`
// EngineDeprecated is deprecated in Helm 3, and therefore ignored. However, with a strict
// YAML parser enabled, this field must be present.
EngineDeprecated string `json:"engine,omitempty"`
// TillerVersionDeprecated is deprecated in Helm 3, and therefore ignored. However, with a strict
// YAML parser enabled, this field must be present.
TillerVersionDeprecated string `json:"tillerVersion,omitempty"`
// URLDeprecated is deprectaed in Helm 3, superseded by URLs. It is ignored. However,
// with a strict YAML parser enabled, this must be present on the struct.
URLDeprecated string `json:"url,omitempty"`
} }
// IndexDirectory reads a (flat) directory and generates an index. // IndexDirectory reads a (flat) directory and generates an index.
@ -281,7 +298,7 @@ func IndexDirectory(dir, baseURL string) (*IndexFile, error) {
// This will fail if API Version is not set (ErrNoAPIVersion) or if the unmarshal fails. // This will fail if API Version is not set (ErrNoAPIVersion) or if the unmarshal fails.
func loadIndex(data []byte) (*IndexFile, error) { func loadIndex(data []byte) (*IndexFile, error) {
i := &IndexFile{} i := &IndexFile{}
if err := yaml.Unmarshal(data, i); err != nil { if err := yaml.UnmarshalStrict(data, i); err != nil {
return i, err return i, err
} }
i.SortEntries() i.SortEntries()
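Review bot: Unknown keys in an index file now fail the whole load in `loadIndex`, because, as the new struct comments imply, the strict parser rejects any field that is not declared, and the four `*Deprecated` fields on `ChartVersion` cover only the legacy keys known today. The visible regression test targets duplicate keys only, so this wider rejection looks like a side effect. It should be stated on the function, for example `// loadIndex rejects duplicate keys and unknown fields; add a placeholder field to the struct for any legacy key that must still load.` The error is also returned bare next to a partially populated `i` (`return i, err`); wrapping it with context, and returning `nil` if no caller depends on the partial value, would keep a half-parsed index from being used by code that ignores `err`. The comment on `URLDeprecated` misspells "deprecated" as "deprectaed", and `loadIndex` continues past the end of the hunk.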

@ -95,6 +95,35 @@ func TestLoadIndex(t *testing.T) {
verifyLocalIndex(t, i) verifyLocalIndex(t, i)
} }
const indexWithDuplicates = `
apiVersion: v1
entries:
nginx:
- urls:
- https://kubernetes-charts.storage.googleapis.com/nginx-0.2.0.tgz
name: nginx
description: string
version: 0.2.0
home: https://github.com/something/else
digest: "sha256:1234567890abcdef"
nginx:
- urls:
- https://kubernetes-charts.storage.googleapis.com/alpine-1.0.0.tgz
- http://storage2.googleapis.com/kubernetes-charts/alpine-1.0.0.tgz
name: alpine
description: string
version: 1.0.0
home: https://github.com/something
digest: "sha256:1234567890abcdef"
`
// TestLoadIndex_Duplicates is a regression to make sure that we don't non-deterministically allow duplicate packages.
func TestLoadIndex_Duplicates(t *testing.T) {
if _, err := loadIndex([]byte(indexWithDuplicates)); err == nil {
t.Errorf("Expected an error when duplicate entries are present")
}
}
func TestLoadIndexFile(t *testing.T) { func TestLoadIndexFile(t *testing.T) {
i, err := LoadIndexFile(testfile) i, err := LoadIndexFile(testfile)
if err != nil { if err != nil {
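Review bot: `TestLoadIndex_Duplicates` passes on any non-nil error, so a fixture that fails to parse for an unrelated reason (indentation, a mistyped key) would keep it green even if duplicate-key detection regressed. The assertion should also check that the error names the duplicated key; the parser's message presumably includes `nginx`, but confirm that before pinning on it. There is also no positive case showing that an index that still carries the legacy `checksum`, `engine`, `tillerVersion` or `url` keys loads without error, which is the compatibility behaviour the new `ChartVersion` fields exist for. A short comment above `indexWithDuplicates` saying that the repeated `nginx` key is deliberate would stop someone from "fixing" the fixture later.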
