Bump helm.sh/helm/v3 from 3.16.4 to 3.17.3

dependabot[bot] · web-flow · commit 1b77fe68ca4a · 2025-04-28T17:29:47.000Z
Bumps [helm.sh/helm/v3](https://github.com/helm/helm) from 3.16.4 to 3.17.3. - [Release notes](https://github.com/helm/helm/releases) - [Commits](helm/helm@v3.16.4...v3.17.3) --- updated-dependencies: - dependency-name: helm.sh/helm/v3 dependency-version: 3.17.3 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
diff --git a/go.mod b/go.mod
@@ -162,7 +162,7 @@ require (
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	helm.sh/helm/v3 v3.17.1 // indirect
+	helm.sh/helm/v3 v3.17.3 // indirect
 	k8s.io/apiserver v0.32.3 // indirect
 	k8s.io/cli-runtime v0.32.2 // indirect
 	k8s.io/component-base v0.32.3 // indirect
diff --git a/go.sum b/go.sum
@@ -480,8 +480,8 @@ gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools/v3 v3.4.0 h1:ZazjZUfuVeZGLAmlKKuyv3IKP5orXcwtOwDQH6YVr6o=
 gotest.tools/v3 v3.4.0/go.mod h1:CtbdzLSsqVhDgMtKsx03ird5YTGB3ar27v0u/yKBW5g=
-helm.sh/helm/v3 v3.17.1 h1:gzVoAD+qVuoJU6KDMSAeo0xRJ6N1znRxz3wyuXRmJDk=
-helm.sh/helm/v3 v3.17.1/go.mod h1:nvreuhuR+j78NkQcLC3TYoprCKStLyw5P4T7E5itv2w=
+helm.sh/helm/v3 v3.17.3 h1:3n5rW3D0ArjFl0p4/oWO8IbY/HKaNNwJtOQFdH2AZHg=
+helm.sh/helm/v3 v3.17.3/go.mod h1:+uJKMH/UiMzZQOALR3XUf3BLIoczI2RKKD6bMhPh4G8=
 k8s.io/api v0.32.3 h1:Hw7KqxRusq+6QSplE3NYG4MBxZw1BZnq4aP4cJVINls=
 k8s.io/api v0.32.3/go.mod h1:2wEDTXADtm/HA7CCMD8D8bK4yuBUptzaRhYcYEEYA3k=
 k8s.io/apiextensions-apiserver v0.32.3 h1:4D8vy+9GWerlErCwVIbcQjsWunF9SUGNu7O7hiQTyPY=
diff --git a/vendor/helm.sh/helm/v3/pkg/chart/loader/archive.go b/vendor/helm.sh/helm/v3/pkg/chart/loader/archive.go
@@ -33,6 +33,15 @@ import (
 	"helm.sh/helm/v3/pkg/chart"
 )
 
+// MaxDecompressedChartSize is the maximum size of a chart archive that will be
+// decompressed. This is the decompressed size of all the files.
+// The default value is 100 MiB.
+var MaxDecompressedChartSize int64 = 100 * 1024 * 1024 // Default 100 MiB
+
+// MaxDecompressedFileSize is the size of the largest file that Helm will attempt to load.
+// The size of the file is the decompressed version of it when it is stored in an archive.
+var MaxDecompressedFileSize int64 = 5 * 1024 * 1024 // Default 5 MiB
+
 var drivePathPattern = regexp.MustCompile(`^[a-zA-Z]:/`)
 
 // FileLoader loads a chart from a file
@@ -119,6 +128,7 @@ func LoadArchiveFiles(in io.Reader) ([]*BufferedFile, error) {
 
 	files := []*BufferedFile{}
 	tr := tar.NewReader(unzipped)
+	remainingSize := MaxDecompressedChartSize
 	for {
 		b := bytes.NewBuffer(nil)
 		hd, err := tr.Next()
@@ -178,10 +188,30 @@ func LoadArchiveFiles(in io.Reader) ([]*BufferedFile, error) {
 			return nil, errors.New("chart yaml not in base directory")
 		}
 
-		if _, err := io.Copy(b, tr); err != nil {
+		if hd.Size > remainingSize {
+			return nil, fmt.Errorf("decompressed chart is larger than the maximum file size %d", MaxDecompressedChartSize)
+		}
+
+		if hd.Size > MaxDecompressedFileSize {
+			return nil, fmt.Errorf("decompressed chart file %q is larger than the maximum file size %d", hd.Name, MaxDecompressedFileSize)
+		}
+
+		limitedReader := io.LimitReader(tr, remainingSize)
+
+		bytesWritten, err := io.Copy(b, limitedReader)
+		if err != nil {
 			return nil, err
 		}
 
+		remainingSize -= bytesWritten
+		// When the bytesWritten are less than the file size it means the limit reader ended
+		// copying early. Here we report that error. This is important if the last file extracted
+		// is the one that goes over the limit. It assumes the Size stored in the tar header
+		// is correct, something many applications do.
+		if bytesWritten < hd.Size || remainingSize <= 0 {
+			return nil, fmt.Errorf("decompressed chart is larger than the maximum file size %d", MaxDecompressedChartSize)
+		}
+
 		data := bytes.TrimPrefix(b.Bytes(), utf8bom)
 
 		files = append(files, &BufferedFile{Name: n, Data: data})
diff --git a/vendor/helm.sh/helm/v3/pkg/chart/loader/directory.go b/vendor/helm.sh/helm/v3/pkg/chart/loader/directory.go
@@ -101,6 +101,10 @@ func LoadDir(dir string) (*chart.Chart, error) {
 			return fmt.Errorf("cannot load irregular file %s as it has file mode type bits set", name)
 		}
 
+		if fi.Size() > MaxDecompressedFileSize {
+			return fmt.Errorf("chart file %q is larger than the maximum file size %d", fi.Name(), MaxDecompressedFileSize)
+		}
+
 		data, err := os.ReadFile(name)
 		if err != nil {
 			return errors.Wrapf(err, "error reading %s", n)
diff --git a/vendor/modules.txt b/vendor/modules.txt
@@ -751,7 +751,7 @@ gopkg.in/inf.v0
 # gopkg.in/yaml.v3 v3.0.1
 ## explicit
 gopkg.in/yaml.v3
-# helm.sh/helm/v3 v3.17.1
+# helm.sh/helm/v3 v3.17.3
 ## explicit; go 1.23.0
 helm.sh/helm/v3/internal/fileutil
 helm.sh/helm/v3/internal/resolver
