feat: support disabling insecure template functions only#2689
Open
fabiobaiao wants to merge 1 commit into
Open
feat: support disabling insecure template functions only#2689fabiobaiao wants to merge 1 commit into
fabiobaiao wants to merge 1 commit into
Conversation
56d7470 to
1aa2144
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
This PR adds a new environment variable gate to disable only “insecure” template functions (exec/readFile/readDir, etc.) while preserving the existing broader HELMFILE_DISABLE_INSECURE_FEATURES behavior, supporting safer templating without necessarily blocking other functionality like remote charts.
Changes:
- Introduces
HELMFILE_DISABLE_INSECURE_TEMPLATE_FUNCTIONSenv var and wires it into template function-map creation. - Renames the error type/variable used when insecure template functions are disabled.
- Adds/updates unit tests for both disable modes.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| pkg/tmpl/context_funcs.go | Adds new env-var flag and applies it to disabling insecure template functions; updates error type/name. |
| pkg/tmpl/context_funcs_test.go | Updates existing test expectations and adds a new test for the new env-var gate. |
| pkg/envvar/const.go | Adds the new HELMFILE_DISABLE_INSECURE_TEMPLATE_FUNCTIONS constant. |
| type Values = map[string]any | ||
|
|
||
| var DisableInsecureFeaturesErr = DisableInsecureFeaturesError{envvar.DisableInsecureFeatures + " is active, insecure function calls are disabled"} | ||
| var DisableInsecureFunctionsErr = DisableInsecureFunctionsError{envvar.DisableInsecureFeatures + "/" DisableInsecureTemplateFunctions + " is active, insecure function calls are disabled"} |
Comment on lines
95
to
100
| funcMap["readDir"] = func(string) ([]string, error) { | ||
| return nil, DisableInsecureFeaturesErr | ||
| return nil, DisableInsecureFunctionsErr | ||
| } | ||
| funcMap["readDirEntries"] = func(string) ([]string, error) { | ||
| return nil, DisableInsecureFeaturesErr | ||
| return nil, DisableInsecureFunctionsErr | ||
| } |
Comment on lines
+49
to
+64
| func TestCreateFuncMap_DisabledInsecureTemplateFunctions(t *testing.T) { | ||
| currentVal := disableInsecureFunctions | ||
|
|
||
| { | ||
| disableInsecureFunctions = true | ||
| ctx := &Context{basePath: "."} | ||
| funcMaps := ctx.createFuncMap() | ||
| args := make([]any, 0) | ||
| _, err1 := funcMaps["exec"].(func(command string, args []any, inputs ...string) (string, error))("ls", args) | ||
| require.ErrorIs(t, err1, DisableInsecureFunctionsErr) | ||
| _, err2 := funcMaps["readFile"].(func(filename string) (string, error))("context_funcs_test.go") | ||
| require.ErrorIs(t, err2, DisableInsecureFunctionsErr) | ||
| } | ||
|
|
||
| disableInsecureFunctions = currentVal | ||
| } |
1aa2144 to
03b91b1
Compare
Comment on lines
27
to
31
| var DisableInsecureFunctionsErr = DisableInsecureFunctionsError{envvar.DisableInsecureFeatures + " or " DisableInsecureTemplateFunctions + " is active, insecure function calls are disabled"} | ||
|
|
||
| type DisableInsecureFeaturesError struct { | ||
| type DisableInsecureFunctionsError struct { | ||
| err string | ||
| } |
Comment on lines
+49
to
+64
| func TestCreateFuncMap_DisabledInsecureTemplateFunctions(t *testing.T) { | ||
| currentVal := disableInsecureTemplateFunctions | ||
|
|
||
| { | ||
| disableInsecureTemplateFunctions = true | ||
| ctx := &Context{basePath: "."} | ||
| funcMaps := ctx.createFuncMap() | ||
| args := make([]any, 0) | ||
| _, err1 := funcMaps["exec"].(func(command string, args []any, inputs ...string) (string, error))("ls", args) | ||
| require.ErrorIs(t, err1, DisableInsecureFunctionsErr) | ||
| _, err2 := funcMaps["readFile"].(func(filename string) (string, error))("context_funcs_test.go") | ||
| require.ErrorIs(t, err2, DisableInsecureFunctionsErr) | ||
| } | ||
|
|
||
| disableInsecureTemplateFunctions = currentVal | ||
| } |
03b91b1 to
5927eb0
Compare
Comment on lines
+27
to
31
| var DisableInsecureFunctionsErr = DisableInsecureFunctionsError{envvar.DisableInsecureFeatures + " or " + envvar.DisableInsecureTemplateFunctions + " is active, insecure function calls are disabled"} | ||
|
|
||
| type DisableInsecureFeaturesError struct { | ||
| type DisableInsecureFunctionsError struct { | ||
| err string | ||
| } |
Comment on lines
95
to
100
| funcMap["readDir"] = func(string) ([]string, error) { | ||
| return nil, DisableInsecureFeaturesErr | ||
| return nil, DisableInsecureFunctionsErr | ||
| } | ||
| funcMap["readDirEntries"] = func(string) ([]string, error) { | ||
| return nil, DisableInsecureFeaturesErr | ||
| return nil, DisableInsecureFunctionsErr | ||
| } |
|
|
||
| func init() { | ||
| disableInsecureFeatures, _ = strconv.ParseBool(os.Getenv(envvar.DisableInsecureFeatures)) | ||
| disableInsecureFeatures, _ = strconv.ParseBool(os.Getenv(envvar.DisableInsecureFeatures)) |
Comment on lines
40
to
+43
| _, err1 := funcMaps["exec"].(func(command string, args []any, inputs ...string) (string, error))("ls", args) | ||
| require.ErrorIs(t, err1, DisableInsecureFeaturesErr) | ||
| require.ErrorIs(t, err1, DisableInsecureFunctionsErr) | ||
| _, err2 := funcMaps["readFile"].(func(filename string) (string, error))("context_funcs_test.go") | ||
| require.ErrorIs(t, err2, DisableInsecureFeaturesErr) | ||
| require.ErrorIs(t, err2, DisableInsecureFunctionsErr) |
Comment on lines
+49
to
+64
| func TestCreateFuncMap_DisabledInsecureTemplateFunctions(t *testing.T) { | ||
| currentVal := disableInsecureTemplateFunctions | ||
|
|
||
| { | ||
| disableInsecureTemplateFunctions = true | ||
| ctx := &Context{basePath: "."} | ||
| funcMaps := ctx.createFuncMap() | ||
| args := make([]any, 0) | ||
| _, err1 := funcMaps["exec"].(func(command string, args []any, inputs ...string) (string, error))("ls", args) | ||
| require.ErrorIs(t, err1, DisableInsecureFunctionsErr) | ||
| _, err2 := funcMaps["readFile"].(func(filename string) (string, error))("context_funcs_test.go") | ||
| require.ErrorIs(t, err2, DisableInsecureFunctionsErr) | ||
| } | ||
|
|
||
| disableInsecureTemplateFunctions = currentVal | ||
| } |
1f5cccb to
77b4377
Compare
Signed-off-by: fabiobaiao <53570695+fabiobaiao@users.noreply.github.com>
77b4377 to
98ca978
Compare
Comment on lines
+27
to
+29
| var DisableInsecureFunctionsErr = DisableInsecureFunctionsError{envvar.DisableInsecureFeatures + " or " + envvar.DisableInsecureTemplateFunctions + " is active, insecure function calls are disabled"} | ||
|
|
||
| type DisableInsecureFeaturesError struct { | ||
| type DisableInsecureFunctionsError struct { |
Comment on lines
98
to
100
| funcMap["readDirEntries"] = func(string) ([]string, error) { | ||
| return nil, DisableInsecureFeaturesErr | ||
| return nil, DisableInsecureFunctionsErr | ||
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds support to disable insecure template functions only, still allowing remote charts
Closes #2687