Fix command injection vulnerability in HelmInstallService

nicolst · fcomte · commit f5186ec47089 · 2024-12-18T14:16:48.000+01:00
diff --git a/helm-wrapper/src/main/java/io/github/inseefrlab/helmwrapper/service/HelmInstallService.java b/helm-wrapper/src/main/java/io/github/inseefrlab/helmwrapper/service/HelmInstallService.java
@@ -28,6 +28,9 @@ public class HelmInstallService {
     private static final Logger LOGGER = LoggerFactory.getLogger(HelmInstallService.class);
     private final Pattern helmNamePattern =
             Pattern.compile("^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$");
+    private final Pattern semverPattern =
+            Pattern.compile(
+                    "^(0|[1-9]\\d*)\\.(0|[1-9]\\d*)\\.(0|[1-9]\\d*)(?:-((?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\\.(?:0|[1-9]\\d*|\\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\\+([0-9a-zA-Z-]+(?:\\.[0-9a-zA-Z-]+)*))?$");
 
     private final HelmReleaseInfoParser helmReleaseInfoParser = new HelmReleaseInfoParser();
     private static final String VALUES_INFO_TYPE = "values";
@@ -173,6 +176,10 @@ public HelmInstaller installChart(
         command.append("-n ");
         safeConcat(command, namespace);
         if (StringUtils.isNotBlank(version)) {
+            if (!semverPattern.matcher(version).matches()) {
+                throw new IllegalArgumentException(
+                        "Invalid release version " + version + ", must be a SemVer 2 string");
+            }
             command.append(" --version ");
             safeConcat(command, version);
         }
diff --git a/onyxia-api/src/main/java/fr/insee/onyxia/api/controller/api/mylab/MyLabController.java b/onyxia-api/src/main/java/fr/insee/onyxia/api/controller/api/mylab/MyLabController.java
@@ -524,7 +524,8 @@ private Collection<Object> publishApps(
 
         Pkg pkg =
                 catalog.getCatalog()
-                        .getPackageByName(requestDTO.getPackageName())
+                        .getPackageByNameAndVersion(
+                                requestDTO.getPackageName(), requestDTO.getPackageVersion())
                         .orElseThrow(NotFoundException::new);
 
         Map<String, Object> fusion = new HashMap<>();
diff --git a/onyxia-api/src/main/java/fr/insee/onyxia/api/services/impl/HelmAppsService.java b/onyxia-api/src/main/java/fr/insee/onyxia/api/services/impl/HelmAppsService.java
@@ -119,7 +119,7 @@ public Collection<Object> installApp(
                                     catalogId + "/" + pkg.getName(),
                                     namespaceId,
                                     requestDTO.getName(),
-                                    requestDTO.getPackageVersion(),
+                                    pkg.getVersion(),
                                     requestDTO.isDryRun(),
                                     values,
                                     null,
