You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
From the pre-1.0 security review. Decisions: REST gets opt-in auth (deny-by-default); plugins ship disabled-by-default (full sandbox is a post-1.0 track).
Blockers
REST authentication — jhelm-rest is fully unauthenticated while mutating a live cluster. Add jhelm.rest.security.* opt-in (API-key/basic), deny-by-default; document that it must never be exposed unauthenticated.
install --verify enforcement — pulled charts install with no signature check; wire --verify/--keyring through install/upgrade and abort on SignatureVerificationException (InstallAction/ChartLoader).
Plugins disabled-by-default — jhelm.plugins.enabled=false default with a clear "untrusted code, no sandbox" warning. (Real sandbox: memory cap, hard wall-clock kill, manifest-limit clamping, plugin signing — tracked post-1.0.)
High
SSRF guards on chart-URL fetch (RepoManager.java:628,266) and OCI redirect follow (OciRegistryClient.java:194): scheme allowlist, block private/link-local/metadata IPs, null-check Location.
Repo-name path traversal — sanitize name before using as a file path (RepoManager.java:186).
From the pre-1.0 security review. Decisions: REST gets opt-in auth (deny-by-default); plugins ship disabled-by-default (full sandbox is a post-1.0 track).
Blockers
jhelm-restis fully unauthenticated while mutating a live cluster. Addjhelm.rest.security.*opt-in (API-key/basic), deny-by-default; document that it must never be exposed unauthenticated.--verify/--keyringthrough install/upgrade and abort onSignatureVerificationException(InstallAction/ChartLoader).jhelm.plugins.enabled=falsedefault with a clear "untrusted code, no sandbox" warning. (Real sandbox: memory cap, hard wall-clock kill, manifest-limit clamping, plugin signing — tracked post-1.0.)High
RepoManager.java:628,266) and OCI redirect follow (OciRegistryClient.java:194): scheme allowlist, block private/link-local/metadata IPs, null-check Location.namebefore using as a file path (RepoManager.java:186).0600(RegistryManager.java:67); add--password-stdin/prompt (RegistryCommand.java:49).Medium (REST maturity)
@Valid/@NotBlank) replacing hand-rolled null checks.ProblemDetailerror bodies; add aNotFoundException→404 (currently "not found on upgrade" returns 400,ReleaseController:223).spring-boot-starter-actuator+ cluster-connectivity health indicator; explicit multipart size limits.