Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Possible injection ? exec.Command() #63

Open
AYDEV-FR opened this issue Sep 21, 2020 · 2 comments
Open

Possible injection ? exec.Command() #63

AYDEV-FR opened this issue Sep 21, 2020 · 2 comments
Labels
enhancement New feature or request good first issue Good for newcomers

Comments

@AYDEV-FR
Copy link
Contributor

Hi,
I have already posted an issue on your project, and while re-reading the code, I wonder about possible injections.
By using exec.Command(), especially the line exec.Command("sh -c", params).

helm-spray/pkg/helm/helm.go

Line 184 in 945927b

cmd = exec.Command("sh", "-c", command)

Also in the UpgradeWithValues function, even if the use of the bianire helm in the first argument of exec.Command() prevents some injection.

helm-spray/pkg/helm/helm.go

Line 136 in 945927b

cmd := exec.Command("helm", myargs...)

Why not use the Helm Go SDK for most actions on Helm. https://pkg.go.dev/helm.sh/helm/[email protected]/pkg/action#Upgrade for example.
@cvila84 cvila84 added enhancement New feature or request good first issue Good for newcomers labels Sep 21, 2020
@cvila84
Copy link
Member

cvila84 commented Sep 21, 2020

Hello,

I agree there is room for improvement here. I would be happy to review any PR for this :)

@AYDEV-FR
Copy link
Contributor Author

Hi,

I will fork and try to change only the functions:

helm-spray/pkg/helm/helm.go

Line 69 in 945927b

func List(namespace string) (map[string]Release, error) {

helm-spray/pkg/helm/helm.go

Line 98 in 945927b

func UpgradeWithValues(namespace string, releaseName string, chartPath string, resetValues bool, reuseValues bool, valueFiles []string, valuesSet []string, valuesSetString []string, valuesSetFile []string, force bool, timeout int, dryRun bool, debug bool) (Status, error) {

helm-spray/pkg/helm/helm.go

Line 158 in 945927b

func Fetch(chart string, version string) (string, error) {

from /pkg/helm/helm.go

For the List() function we can probably use : https://pkg.go.dev/helm.sh/helm/[email protected]/pkg/action#List
For the UpgradeWithValues()we can probably use : https://pkg.go.dev/helm.sh/helm/[email protected]/pkg/action#Upgrade
For the Fetch()function we can probably use : https://pkg.go.dev/helm.sh/helm/[email protected]/pkg/action#ChartPull

I think a work is to be considered also on the /pkg/kubectl/kubectl.go file, which also uses a lot of exec.Command(), while there is the Kubernetes Client SDK here : https://github.com/kubernetes/client-go

I will surely propose a PR if I have the time.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request good first issue Good for newcomers
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@AYDEV-FR @cvila84