CBL-Mariner/SPECS/cert-manager/CVE-2024-25620.patch


From e90f3034faa9a6a23131df5665570d221e3092f3 Mon Sep 17 00:00:00 2001
From: Bhagyashri Pathak <bhapathak@microsoft.com>
Date: Thu, 8 Aug 2024 10:27:21 +0530
Subject: [PATCH] CVE-2024-25620 patch
---
vendor/helm.sh/helm/v3/pkg/chart/metadata.go | 4 ++++
.../helm.sh/helm/v3/pkg/chartutil/errors.go | 8 ++++++++
vendor/helm.sh/helm/v3/pkg/chartutil/save.go | 20 +++++++++++++++++++
.../helm/v3/pkg/lint/rules/chartfile.go | 4 ++++
4 files changed, 36 insertions(+)
diff --git a/vendor/helm.sh/helm/v3/pkg/chart/metadata.go b/vendor/helm.sh/helm/v3/pkg/chart/metadata.go
index ae572ab..3834b4c 100644
--- a/vendor/helm.sh/helm/v3/pkg/chart/metadata.go
+++ b/vendor/helm.sh/helm/v3/pkg/chart/metadata.go
@@ -16,6 +16,7 @@ limitations under the License.
package chart
import (
+ "path/filepath"
"strings"
"unicode"
@@ -110,6 +111,9 @@ func (md *Metadata) Validate() error {
if md.Name == "" {
return ValidationError("chart.metadata.name is required")
}
+ if md.Name != filepath.Base(md.Name) {
+ return ValidationErrorf("chart.metadata.name %q is invalid", md.Name)
+ }
if md.Version == "" {
return ValidationError("chart.metadata.version is required")
}
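Review bot: The added comparison `md.Name != filepath.Base(md.Name)` still accepts the names `.` and `..`, because filepath.Base returns both unchanged, and a name of `..` joined to a destination directory resolves to that directory's parent. Rejecting them explicitly closes the gap: `if md.Name != filepath.Base(md.Name) || md.Name == "." || md.Name == ".." {`. The same comparison appears in validateName (save.go) and validateChartName (lint/rules/chartfile.go) later in this patch, with the same gap. ValidationErrorf is not added by this patch, so it is worth confirming that the vendored chart package already defines it. Validate's body continues outside the hunk.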
diff --git a/vendor/helm.sh/helm/v3/pkg/chartutil/errors.go b/vendor/helm.sh/helm/v3/pkg/chartutil/errors.go
index fcdcc27..0a4046d 100644
--- a/vendor/helm.sh/helm/v3/pkg/chartutil/errors.go
+++ b/vendor/helm.sh/helm/v3/pkg/chartutil/errors.go
@@ -33,3 +33,11 @@ type ErrNoValue struct {
}
func (e ErrNoValue) Error() string { return fmt.Sprintf("%q is not a value", e.Key) }
+
+type ErrInvalidChartName struct {
+ Name string
+}
+
+func (e ErrInvalidChartName) Error() string {
+ return fmt.Sprintf("%q is not a valid chart name", e.Name)
+}
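Review bot: The new exported type ErrInvalidChartName has no doc comment, so nothing here says when it is returned. A line above the type would cover it: `// ErrInvalidChartName is returned when a chart name is not a bare file name and would change the path a chart is written to.` The name follows the existing ErrNoValue convention in this file, so no rename is suggested.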
diff --git a/vendor/helm.sh/helm/v3/pkg/chartutil/save.go b/vendor/helm.sh/helm/v3/pkg/chartutil/save.go
index 2ce4edd..4ee9070 100644
--- a/vendor/helm.sh/helm/v3/pkg/chartutil/save.go
+++ b/vendor/helm.sh/helm/v3/pkg/chartutil/save.go
@@ -39,6 +39,10 @@ var headerBytes = []byte("+aHR0cHM6Ly95b3V0dS5iZS96OVV6MWljandyTQo=")
// directory, writing the chart's contents to that subdirectory.
func SaveDir(c *chart.Chart, dest string) error {
// Create the chart directory
+ err := validateName(c.Name())
+ if err != nil {
+ return err
+ }
outdir := filepath.Join(dest, c.Name())
if fi, err := os.Stat(outdir); err == nil && !fi.IsDir() {
return errors.Errorf("file %s already exists and is not a directory", outdir)
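Review bot: The validation is inserted between the `// Create the chart directory` comment and the `filepath.Join` line that comment describes, and it declares `err` at function scope, where the following `if fi, err := os.Stat(...)` then shadows it. Moving the check above the comment and scoping the error avoids both: `if err := validateName(c.Name()); err != nil { return err }`. The same form applies to the identical addition at the top of writeTarContents in the next hunk. SaveDir's body continues outside the hunk, so whether later code reuses `err` cannot be seen from here.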
@@ -149,6 +153,10 @@ func Save(c *chart.Chart, outDir string) (string, error) {
}
func writeTarContents(out *tar.Writer, c *chart.Chart, prefix string) error {
+ err := validateName(c.Name())
+ if err != nil {
+ return err
+ }
base := filepath.Join(prefix, c.Name())
// Pull out the dependencies of a v1 Chart, since there's no way
@@ -242,3 +250,15 @@ func writeToTar(out *tar.Writer, name string, body []byte) error {
_, err := out.Write(body)
return err
}
+
+// If the name has directory name has characters which would change the location
+// they need to be removed.
+func validateName(name string) error {
+ nname := filepath.Base(name)
+
+ if nname != name {
+ return ErrInvalidChartName{name}
+ }
+
+ return nil
+}
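Review bot: The comment above validateName is garbled and says offending characters "need to be removed", but the function removes nothing; it rejects the name with ErrInvalidChartName. A maintainer reading the comment could assume the name is sanitized and drop an error check. Suggested replacement: `// validateName returns ErrInvalidChartName if name is not a bare file name, i.e. if joining it to a directory could change where the chart is written.` The intermediate `nname` can also go: `if filepath.Base(name) != name {`.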
diff --git a/vendor/helm.sh/helm/v3/pkg/lint/rules/chartfile.go b/vendor/helm.sh/helm/v3/pkg/lint/rules/chartfile.go
index b49f2ce..f8f033c 100644
--- a/vendor/helm.sh/helm/v3/pkg/lint/rules/chartfile.go
+++ b/vendor/helm.sh/helm/v3/pkg/lint/rules/chartfile.go
@@ -107,6 +107,10 @@ func validateChartName(cf *chart.Metadata) error {
if cf.Name == "" {
return errors.New("name is required")
}
+ name := filepath.Base(cf.Name)
+ if name != cf.Name {
+ return fmt.Errorf("chart name %q is invalid", cf.Name)
+ }
return nil
}
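Review bot: This hunk uses `filepath.Base` and `fmt.Errorf`, but the patch adds no import lines to chartfile.go; the diffstat's 4 insertions for this file are all in this hunk. If the vendored chartfile.go does not already import `path/filepath` and `fmt`, the backport will not compile, so this is worth checking against the vendored copy rather than upstream HEAD. The message text also differs from the one used in chart.Metadata.Validate (`chart.metadata.name %q is invalid`), which gives two different strings for the same condition.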
--
2.34.1