From ee1cb49b0c3744b2417092883a35545f307e6dc9 Mon Sep 17 00:00:00 2001
From: Hidde Beydals
Date: Tue, 23 Nov 2021 09:33:04 +0100
Subject: [PATCH] internal/helm: check size of meta files in package

Signed-off-by: Hidde Beydals
---
 internal/helm/chart/metadata.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/internal/helm/chart/metadata.go b/internal/helm/chart/metadata.go
index 673ee0ae..e3c91ac6 100644
--- a/internal/helm/chart/metadata.go
+++ b/internal/helm/chart/metadata.go
@@ -228,6 +228,9 @@ func LoadChartMetadataFromArchive(archive string) (*helmchart.Metadata, error) {
 switch parts[1] {
 case chartutil.ChartfileName, "requirements.yaml":
+ if hd.Size > helm.MaxChartFileSize {
+ return nil, fmt.Errorf("size of '%s' exceeds '%d' bytes limit", hd.Name, helm.MaxChartFileSize)
+ }
 b, err := io.ReadAll(tr)
 if err != nil {
 return nil, err
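Review bot: The new error string interpolates `hd.Name` with `'%s'`, but that name comes straight from the tar header of an archive the caller does not control. It is safer to let the formatter escape it and to drop the quotes around the number: `return nil, fmt.Errorf("size of %q exceeds %d bytes limit", hd.Name, helm.MaxChartFileSize)`. The guard itself bounds the following `io.ReadAll(tr)` only because `archive/tar` caps each entry's reads at the declared header size, so a short comment such as `// tar.Reader never yields more than hd.Size bytes for this entry` would record why checking the header is enough. The limit applies only to entries matching this `case`, and whether the total decompressed size of the archive is bounded elsewhere is not visible here, since `LoadChartMetadataFromArchive` starts and ends outside the hunk. A test with an oversized `Chart.yaml` entry would pin the new behaviour.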