Fix arbitrary Helm list parameter injection
nicolst committed Dec 18, 2024
1 parent f5186ec commit bd72bd1
Showing 1 changed file with 8 additions and 0 deletions.
@@ -31,6 +31,7 @@ public class HelmInstallService {
private final Pattern semverPattern =
Pattern.compile(
"^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$");
private final Pattern rfc1123Pattern = Pattern.compile("^[a-z0-9][a-z0-9-]{0,61}[a-z0-9]$");

private final HelmReleaseInfoParser helmReleaseInfoParser = new HelmReleaseInfoParser();
private static final String VALUES_INFO_TYPE = "values";
@@ -299,6 +300,13 @@ private String buildEnvVar(Map<String, String> env) {
*/
public HelmLs getAppById(HelmConfiguration configuration, String appId, String namespace)
throws MultipleServiceFound {
if (appId.length() > 53 || !rfc1123Pattern.matcher(appId).matches()) {
throw new IllegalArgumentException(
"Invalid app id "
+ appId
+ ". Must be 53 or fewer characters and be a valid RFC 1123 string.");
}

StringBuilder command = new StringBuilder("helm list --filter ");
safeConcat(command, appId);
command.append(" -n ");
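Review bot: The guard added at the top of getAppById rejects every one-character app id, because `rfc1123Pattern` (first hunk, `^[a-z0-9][a-z0-9-]{0,61}[a-z0-9]$`) demands both a leading and a trailing character; if single-character release names are legitimate here, `^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$` keeps the same character set and 63-character bound while accepting them. A null `appId` also fails on `appId.length()` with a NullPointerException rather than the new IllegalArgumentException; `Objects.requireNonNull(appId, "appId");` before the check gives callers a single exception path. The Javadoc closed by the `*/` on the first line of the hunk sits outside it and, as far as visible, does not declare the new exception; add `@throws IllegalArgumentException if {@code appId} is longer than 53 characters or is not a valid RFC 1123 label`. getAppById's body continues past the end of the hunk.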
