console
console copied to clipboard
openshift
Backend should enforce HTTPS requirement when basicAuthConfig is used for Helm repositories
Background
While adding basic authentication support for Helm repositories in PR #15624, frontend validation was implemented to require HTTPS when basicAuthConfig is present (see comment thread).
However, the backend does not currently enforce this security requirement, allowing users to bypass the frontend validation by directly creating or modifying repository resources via the API.
Current State
- Frontend validation: Correctly requires HTTPS when basicAuthConfig is present (
frontend/packages/helm-plugin/src/components/forms/HelmChartRepository/helmchartrepository-validation-utils.ts) - Backend validation: Missing in
pkg/helm/chartproxy/repos.go(lines 169-246) where basicAuthConfig is extracted and applied without URL scheme validation - Test files confirm backend accepts HTTP URLs with basicAuthConfig
Required Action
Add server-side validation in pkg/helm/chartproxy/repos.go to reject repository create/update requests when:
basicAuthConfigis provided, AND- Repository URL does not use HTTPS scheme
The validation should return a clear HTTP 400 error when this constraint is violated.
Additional Context
- The backend code in question is approximately 3 years old
- This issue was identified during PR review but deemed out of scope for #15624
- Related Jira: https://issues.redhat.com/browse/RFE-7965
Requested by: @webbnh Tracked from: https://github.com/openshift/console/pull/15624#discussion_r2547581524
![coderabbitai[bot] avatar](https://avatars.githubusercontent.com/in/347564?v=4 "Published by a pub.dev verified publisher"){kind=small}
