From b4e105968714861fe96826e30e54e6cc76925703 Mon Sep 17 00:00:00 2001
From: GitLab Bot
Date: Mon, 30 Jan 2023 09:13:51 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@15-6-stable-ee

---
 .../packages/helm/extract_file_metadata_service.rb | 5 +++++
 spec/fixtures/packages/helm/corrupted_chart.tgz | Bin 0 -> 2084191 bytes
 .../helm/extract_file_metadata_service_spec.rb | 13 +++++++++++++
 3 files changed, 18 insertions(+)
 create mode 100644 spec/fixtures/packages/helm/corrupted_chart.tgz

diff --git a/app/services/packages/helm/extract_file_metadata_service.rb b/app/services/packages/helm/extract_file_metadata_service.rb
index e7373d8ea8f..77efa65f1d1 100644
--- a/app/services/packages/helm/extract_file_metadata_service.rb
+++ b/app/services/packages/helm/extract_file_metadata_service.rb
@@ -7,6 +7,10 @@ module Packages
 class ExtractFileMetadataService
 ExtractionError = Class.new(StandardError)
+ # Charts must be smaller than 1M because of the storage limitations of Kubernetes objects.
+ # based on https://helm.sh/docs/chart_template_guide/accessing_files/
+ MAX_FILE_SIZE = 1.megabytes.freeze
+
 def initialize(package_file)
 @package_file = package_file
 end
@@ -42,6 +46,7 @@ module Packages
 end
 raise ExtractionError, 'Chart.yaml not found within a directory' unless chart_yaml
+ raise ExtractionError, 'Chart.yaml too big' if chart_yaml.size > MAX_FILE_SIZE
 chart_yaml.read
 ensure
diff --git a/spec/fixtures/packages/helm/corrupted_chart.tgz b/spec/fixtures/packages/helm/corrupted_chart.tgz
new file mode 100644
index 00000000000..b2ac93b271e
Binary files /dev/null and b/spec/fixtures/packages/helm/corrupted_chart.tgz differ
diff --git a/spec/services/packages/helm/extract_file_metadata_service_spec.rb b/spec/services/packages/helm/extract_file_metadata_service_spec.rb
index 273f679b736..f4c61c12344 100644
--- a/spec/services/packages/helm/extract_file_metadata_service_spec.rb
+++ b/spec/services/packages/helm/extract_file_metadata_service_spec.rb
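Review bot: The comment above `MAX_FILE_SIZE` justifies the 1M figure with the Kubernetes object limit on whole charts, but the second hunk in this file applies the constant only to the `Chart.yaml` entry, so a reader will assume the archive as a whole is now bounded when it is not. I would reword it to `# Upper bound for the Chart.yaml entry read out of the archive; reuses Helm's 1M chart limit (Kubernetes object storage), see https://helm.sh/docs/chart_template_guide/accessing_files/`. Separately, `.freeze` on the Integer returned by `1.megabytes` is a no-op (Integers are already frozen), so `MAX_FILE_SIZE = 1.megabytes` is sufficient. The class body continues outside the hunk.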
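Review bot: The new `raise ExtractionError, 'Chart.yaml too big' if chart_yaml.size > MAX_FILE_SIZE` deserves a comment saying what `size` is, because the value is compared before `chart_yaml.read` and a reader may assume it reflects bytes already loaded. If `chart_yaml` is a tar entry, as the `Zlib::GzipReader` stubbing in the spec suggests, `size` is the header-declared size, which is exactly why the check is effective: `# size comes from the tar header, so an oversized entry is rejected before its body is read into memory`. It is also worth a second line noting the limit covers only this one entry; walking the archive to find Chart.yaml still decompresses the preceding entries, so total decompression work is presumably bounded only by whatever package-file size limit is enforced elsewhere, which is fine but should be stated so nobody later relies on this check for that. The enclosing method starts and ends outside the hunk.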
@@ -54,4 +54,17 @@ RSpec.describe Packages::Helm::ExtractFileMetadataService do
 it { expect { subject }.to raise_error(described_class::ExtractionError, 'Error while parsing Chart.yaml: (): did not find expected node content while parsing a flow node at line 2 column 1') }
 end
+
+ context 'with a corrupted Chart.yaml of incorrect size' do
+ let(:helm_fixture_path) { expand_fixture_path('packages/helm/corrupted_chart.tgz') }
+ let(:expected_error_message) { 'Chart.yaml too big' }
+
+ before do
+ allow(Zlib::GzipReader).to receive(:new).and_return(Zlib::GzipReader.new(File.open(helm_fixture_path)))
+ end
+
+ it 'raises an error with the expected message' do
+ expect { subject }.to raise_error(::Packages::Helm::ExtractFileMetadataService::ExtractionError, expected_error_message)
+ end
+ end
 end
-- 
cgit v1.2.1
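Review bot: The new example spells out `::Packages::Helm::ExtractFileMetadataService::ExtractionError` while the example directly above it uses `described_class::ExtractionError`; the shorter form should be used for consistency, i.e. `expect { subject }.to raise_error(described_class::ExtractionError, expected_error_message)`. In the `before` block, `File.open(helm_fixture_path)` without a block leaves the descriptor open for the rest of the run; `Zlib::GzipReader.open(helm_fixture_path)` gives the same reader and lets the stub own the handle. The context only exercises an entry well above the limit (the fixture is 2084191 bytes per the diffstat), so an example at exactly `MAX_FILE_SIZE` would pin that the comparison is strict `>` rather than `>=`, which the error message alone does not.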