From 84b30d1404920dddb4609e4aae7d67a8e3996e24 Mon Sep 17 00:00:00 2001
From: Sunny <github@darkowlzz.space>
Date: Tue, 20 Feb 2024 14:27:57 +0000
Subject: [PATCH] Improve chart name validation

Allow periods in the chart name and validate chart name before
packaging it.

Signed-off-by: Sunny <github@darkowlzz.space>
---
 internal/helm/chart/builder.go                 |   9 +++++++--
 internal/helm/chart/builder_test.go            |  17 +++++++++++++++++
 .../charts/helmchart-badname-0.1.0.tgz         | Bin 0 -> 3427 bytes
 3 files changed, 24 insertions(+), 2 deletions(-)
 create mode 100644 internal/helm/testdata/charts/helmchart-badname-0.1.0.tgz

diff --git a/internal/helm/chart/builder.go b/internal/helm/chart/builder.go
index 5be208d8..b5ac9382 100644
--- a/internal/helm/chart/builder.go
+++ b/internal/helm/chart/builder.go
@@ -81,9 +81,9 @@ func (r RemoteReference) Validate() error {
 	if r.Name == "" {
 		return fmt.Errorf("no name set for remote chart reference")
 	}
-	name := regexp.MustCompile("^([-a-z0-9]+/?)+$")
+	name := regexp.MustCompile(`^([-a-z0-9]+/?\.?)+$`)
 	if !name.MatchString(r.Name) {
-		return fmt.Errorf("invalid chart name '%s': a valid name must be lower case letters and numbers and MAY be separated with dashes (-) or slashes (/)", r.Name)
+		return fmt.Errorf("invalid chart name '%s': a valid name must be lower case letters and numbers and MAY be separated with dashes (-), slashes (/) or periods (.)", r.Name)
 	}
 	return nil
 }
@@ -199,6 +199,11 @@ func (b *Build) String() string {
 
 // packageToPath attempts to package the given chart to the out filepath.
 func packageToPath(chart *helmchart.Chart, out string) error {
+	// Names cannot have directory name characters.
+	if chart.Name() != filepath.Base(chart.Name()) {
+		return fmt.Errorf("%q is not a valid chart name", chart.Name())
+	}
+
 	o, err := os.MkdirTemp("", "chart-build-*")
 	if err != nil {
 		return fmt.Errorf("failed to create temporary directory for chart: %w", err)
diff --git a/internal/helm/chart/builder_test.go b/internal/helm/chart/builder_test.go
index 47e2909a..be348b55 100644
--- a/internal/helm/chart/builder_test.go
+++ b/internal/helm/chart/builder_test.go
@@ -113,6 +113,15 @@ func TestRemoteReference_Validate(t *testing.T) {
 			ref:     RemoteReference{Name: "not//a/valid/chart"},
 			wantErr: "invalid chart name 'not//a/valid/chart'",
 		},
+		{
+			name: "ref with period in name",
+			ref:  RemoteReference{Name: "valid.chart.name"},
+		},
+		{
+			name:    "ref with double period in name",
+			ref:     RemoteReference{Name: "../valid-chart-name"},
+			wantErr: "invalid chart name '../valid-chart-name",
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
@@ -246,6 +255,14 @@ func Test_packageToPath(t *testing.T) {
 	g.Expect(out).To(BeARegularFile())
 	_, err = secureloader.LoadFile(out)
 	g.Expect(err).ToNot(HaveOccurred())
+
+	chart, err = secureloader.LoadFile("../testdata/charts/helmchart-badname-0.1.0.tgz")
+	g.Expect(err).ToNot(HaveOccurred())
+	g.Expect(chart).ToNot(BeNil())
+
+	out2 := tmpFile("chart-badname-0.1.0", ".tgz")
+	err = packageToPath(chart, out2)
+	g.Expect(err).To(HaveOccurred())
 }
 
 func tmpFile(prefix, suffix string) string {
diff --git a/internal/helm/testdata/charts/helmchart-badname-0.1.0.tgz b/internal/helm/testdata/charts/helmchart-badname-0.1.0.tgz
new file mode 100644
index 0000000000000000000000000000000000000000..1f6675d5c013646fda09994c79dd2fe4d60a35d1
GIT binary patch
literal 3427
zcmV-p4V>~HiwFpxnABwe188MzZDVL*a&#?XVPtM$ZDlPmE-@}JE_7jX0PP%WZ`(Ms
zpY<zvY8QQ6EkEKUg@GQ>OM1QF($r|WJuDWBf|lr58(GwfloMZ?`|USFQcuf{o6RO$
z9A^th4{|sh&YRTESTy%%G?m>2jWQ;@C7nl)?iP9gd&8mn3()*K*dGiZ^@si8Zm-`P
z4t5{)`a3)O`;SQPj_GKHOh}pnDZdv_b8_DaJSK;1O0!53z5Zm%Q!>ki!gC&zPqR=E
z_(#c4Z{8nw;QgFR$pSJBBZdtQnIF-V0fIE7lL&A~P9}^bR0wDm#&EmjSxO|EClQq(
zWR8=vBno|cz_VD6NZ)b7IXz<|hY)zfMJRc?9Fh1ej4$C?l10&&LkD<vG(F*RoHD^;
zX}XQ!^(pgHCdG*S{EHLQIs33+X&MG>L|oUILW7luj$r8`^w}HVS5&|_kI8Am{BRn=
zBrax5&R7cbHth)24T+fXEDCUnFeJ<;fS&qlL}Z#Vh3M0a5gd~6DFHkyNPsDs0RCay
zqbZ3w;AN7~I54=7=ZNhkP@oXO{TYi{iX%ebFg{a=^SKr51(bL{a-4(*z?Lix<??{X
zl3fC;uddaQQ}Hh4Su!F65LRSGdo!OVbP`6P1deD15fY?4$*())&GE6i2AYEpakTu%
zx%>x6hFA(9sKSsmi{FS79%F;%;~#-LAO(gL#V8y>E)!tsK?FL=(xWj70#BjyD`*DO
z2N_UAu^7cJ7?CNB1Y)Hzu#?J=$HL46M>@|YER7k;U&y<rzX!4lSPDs7Z73trq5d3Y
z28ni|(ToeJMn(qU&4?&<>99)*YrwpS`!rJTfn+LYS}b8gQGWFpy9y<<C%9O31RZE-
zI9v|)SmW!ojs*%OK*xM0inaSU11ZU96fI$Kd_JEukS&xm5Iv#9d`SYM{6%jifY2af
zbO9oTx=&H}ec+`Z@=TNE&p665+6ojw5aiU;h5}ZAgUX`_3%~}X#=icWN`Z?_cnk}+
z2vZ&dLGbJ%lrsVnCL<#dIVmrR$ov@&|2~XEToeyA1xyJEIJuy4Z6=j&S*&L(wSMp@
z;uo;o3VRgB*n|eZf>7c6ISvpr=qPBqe5vN2vN>0?2My0s;NK*riZ@e`L-Mp_^;6Fv
zormQb`AMc^d2a6KfDMgVfAH#kXr}lZnA&Z7I57{{DT|m7Mp3P<BYA{&Knpm?lS8Ld
z;E`Oa*WY6Q3sc`MtaJC|!>6~Wp1hQI<YR8||2w_C-G=`k?hOal|KA7nJ@SreMWKmu
z$tYFi$B)NkvP6B2jh_*q3!qh?9w4??R~-^giT7E@jJYi}hL~Jms}?DZ&lq`v28@he
zue4T%4cih@w)T{{)K6zpCRbND(356gu#eD2z*{tG*Vm(N7p~P%3NJi@d#}W<n>o!(
z@E3?5ted1^EQosox;6$U;}+x^f8?Pv()idVx*>A%;qdL3@rRF}UO#z;*2$L<IA}>a
z9dy4U0h2+Hh>xJUU<|#J;_3A@>2UI^;4#kjwR`2E74s0Q___Cs7aJn3-8^g%hzZPU
zlm(2qWqg)9e^<@*d4ss4af38OEN(?$2<Ac22I?X+;n5(#g<$HLxw&=~0pJ|e(!rWM
zF=ULM6wF$~_hU|jztaf4MY@Ui0BD{d43uO}mqgNYkX$ll7i1pBnKThB%5xPZIU1X&
zlrCr(p_qEcKP&hNoQh9l@G25qj*8dRJTZE!=)u!(UT3lJN#|m#)q7g5-s#(qpN|e&
z7EqzvX54KC1WdWnC+^i1{4+}UEQ|woN%FOhDvZoEko2A_9rKi;X_a!XTO^>I$_R;V
zEUcRCT4gLEzb&+J{NeD+$(#3Y8w`UGcw2#whzlmrt4Dv>@pU^hOGdt2?FaNrWZ3KG
zc*v)<$~9+_22@goyTVNOa|kI>&eQ&2-|NAD{n4x5tDeaubc$86;TWjqoY;y1$VN=>
zE@&E%CpkX}jsXKzP3J>9Eem%BZSmh1c$lyhyliqOrJ$SQzuo>$BmUdn-Rax-?>^w_
zs{4X0LP*rH`hX=Jw5+e^$QFMFdFhL;GSA%?&fCjGC5Mf|hA9-8b{$M9A;(%Zl%4Xu
zN;$m)^-|fy+`3n5G~_E531Xk@?WoIeewsm+b4lDzi3|-AUTX>ubm4>+W1zoVlHVW+
z#+pum=26k^IglJH?5e%QF_2aP5rR+AnhFkN{i`tPdd7ew0(XMNE|u~zl`5+w`58nB
z$c@93Q*4XD0>*UDJqJ?ORGV9kq;PMFIi|EDAq|cqj88JGnW>Z;i8s`4U~cKsbDmTJ
z^Jd+vXtTD#R!m1no!>lB6M*o3>vgTrS@1$*sXNMo*4oo=CNN3ESWb!igXsJq+y*v1
z?zc$Vy6c(*R+bi324*fWtAb@!%WGssw}N1lMH`n`{km%>ROPq6{%pqkipA6j-Mjl&
zm$+Zt+vpS|eSk_)DK=55TWB=+)DyF=dNW!RjGAeAI{s^GAxzQZ*r4`EMa1<~-y}&s
zTX?q`hZ)u@8dke}1>3+SYh;G2SRn1CXDsMUmZMtybZUyat(?nCHe2wnInhol6{@Pc
zhM8qB+R`x(Mn@~bUpwVSikp_cy@b7aUeyZw$vQJtZ|0f$cgG}rKyz+eo^8%)p0C3g
zSErgAhX!ufT&(08tw>rdz(c$8TR~g=7l6^=ODv$?&2HdL@n3(~-2dAf?C#k3?>>Mg
z;pf~$g5eO|Mc+Ax^nXMS3n_5&v~-kjEp1g^fX3SLjf|>w+WJI=ZU0JQtUG{V8Deh?
zpUi$BrnEvEFQb~(?L$3OZbJ27bFAYWS4Lku{;H2D>Dbe#bImZQE6hNMYNOn0oL6~m
zE1$E*qIO1#%4cJvvnYp=l`YU3DU$yLI@~^7#pme`tM+=`Qny)luZpO?pV&&0nc3<t
zWgD#|4;DdMOLU!59;<Os(PtwqYv>VciRlmOnDw4D*3Rn7<du8aSetGQJ+80aCZ=&^
zmwN?exdmRQK^2YbbIO^5<)Ye)3J=HmMr!?il5)v?9*xMSgK_0u6fRiIgczrM!s?^p
zDDPN<t$N#YM7qtVYS;#0xOE)<f!Ooix|<fh+yrf3@)ez|Zp@X<YTI>N>*9(wu8fxN
z@s&M_UBBCE{K^=Wjm2`9>Tct0MtW!;XJI|G#eexG+g%+6yXpK_uRmC=|LxiM?>^v$
zo!p|zgQ4Atsr1|s`4xS{!bdk#-TSTW`&2SP!RC;uAMkmC#WnYDulrtq*y&+)qjCbt
z!-AY~px(Ps=Dt*?%Vi)7iSGqZA&foq&R^*=Kz{;ZTfd$FR=a?sXE9!idRuM5bVPil
znbRH)mmK=tk#Ae{XV#^1vPrkB9(8gy*yRdhGbbHuu33M*ziv(})i>zZwam{#)dFtQ
zr?S<rp`!wvYW=0v2a?(mDeO|-Z`#`jub)Ni2Fhzh<>$C?40V8Dg*3JKR!l&j>Z*Ce
z)dLLWY<0X+9!V%+Lj7}~x*6aYMLAg`UM)>^M2Agty{ojW@ur<;4{eDoJOs4)|J+F5
zlmGAS?(VPn|6$Mi|NDTd4=hSQrmX$2bsv5Bx8=-8dGw=_`*uw7x8aP5NoHtz#^kt}
zDYhlPwJf?`U%Ew+XZWWyvK#c@l=*+Z8MsORcLvS<|9!Zy`hOp=^-jztLt&b4Z7((y
z4|B`W-f^wb`0n>%9tzs@U*g$x_1p1z9D_x}eCzgR;3oaw>ov}Q4|+Sh*8krNw5s)(
z2Q9knZsYtr4Y6@=uhT8bt(zY#m~npYj))peWIleqQ3MXneS*9kegS^Jx@9sVlT0ip
z{Ib|zP{-Rx<mac@^yx2ol{GyRBLYving51Et_mS!o*-{BFY}+U1xp{&VwL*u;bnLh
z^OW837&pfMgT0mSKZn-;-wQk@WBi&kjn!A1din9w#~73&i~>BzmQep3)I}5@gNiIs
zkv9<_G7&k8_(X5GLhF}!*bP*6!Bowo@*GqP5X9_Ee_`@0N!c{KWPvVp{pGnw@bf{!
zW7QK$A_+^?2V0)w9iDzUg}|Bt3Ueaq^T8<z!c;ikStz^eSCj8}lmDb$^_xGKoptdi
zzZHwPTOz^=OqQs#kHUH3iHih&C-fYC<s7d63r#=M6hD3=M~81=Ku8vT1@q>3VZdlt
zw}VHHw-7!LSob>$K}!9nf5fNX3U1Q>Ueo{g2Rl7m|GyWY;03=UakX&AQ0o8W&!zwN
z|Nn3=Fc}fw>i_>Ql=|=gsr0{Z^Z$DR(Eq^d|Nk$P`mawY{t-4n>HnV6|Nj1NuliTP
zpojZ^yL-F+{&29fkNbc7{rmp@FPmhs%r>;U;r(~2|F!zx0KXk6Zu?$;&+9n>6Mh;d
zQayV^{s{tOzFfi&?aNQ(99?Deye|C1%3-&VEl2O=RX$F3itloIULOW|Xf{}|V8Ma~
z3l=O`uwcQ01q&7|Sg>Hhf&~i}ELgB$!GZ+~7A#n>V8Ma~3l=O`u<%{L{{T|po*Dpn
F008n!uUP;9

literal 0
HcmV?d00001