feat: forbid credentials in git url

This is to minimize the risk of credential leaks, see discussion: helm/community#321 (comment) Signed-off-by: Dominykas Blyžė <[email protected]>
dominykas · Dec 20, 2023 · f9c3364 · f9c3364
1 parent 5002866
commit f9c3364
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 0 deletions.
diff --git a/pkg/downloader/chart_downloader.go b/pkg/downloader/chart_downloader.go
@@ -214,6 +214,9 @@ func (c *ChartDownloader) ResolveChartVersion(ref, version string) (*url.URL, er
 		if err != nil {
 			return nil, errors.Errorf("invalid git URL format: %s", gitURL)
 		}
+		if u.User != nil {
+			return nil, errors.Errorf("git repository URL should not contain credentials - please use git credential helpers")
+		}
 		return u, nil
 	}
 	u, err := url.Parse(ref)

diff --git a/pkg/downloader/chart_downloader_test.go b/pkg/downloader/chart_downloader_test.go
@@ -43,6 +43,7 @@ func TestResolveChartRef(t *testing.T) {
 		{name: "full URL, with authentication", ref: "http://username:[email protected]/foo-1.2.3.tgz", expect: "http://username:[email protected]/foo-1.2.3.tgz"},
 		{name: "helmchart", ref: "git+https://github.com/helmchart/helmchart.git", expect: "https://github.com/helmchart/helmchart.git"},
 		{name: "helmchart", ref: "git://github.com/helmchart/helmchart.git", expect: "git://github.com/helmchart/helmchart.git"},
+		{name: "helmchart", ref: "git+https://username:[email protected]/helmchart/helmchart.git", expectError: "git repository URL should not contain credentials - please use git credential helpers"},
 		{name: "reference, testing repo", ref: "testing/alpine", expect: "http://example.com/alpine-1.2.3.tgz"},
 		{name: "reference, version, testing repo", ref: "testing/alpine", version: "0.2.0", expect: "http://example.com/alpine-0.2.0.tgz"},
 		{name: "reference, version, malformed repo", ref: "malformed/alpine", version: "1.2.3", expect: "http://dl.example.com/alpine-1.2.3.tgz"},