This tool will attempt to detect any charts that may have been uploaded via this vulnerability, affecting all versions of ChartMuseum <= 0.8.0.
The following shows detection of the test chart evil-1.0.0.tgz
found in this repo:
$ git clone git@github.com:chartmuseum/chart-scanner.git
$ cd chart-scanner
$ chart-scanner --debug --storage=local --storage-local-rootdir=$(pwd)/testdata/charts
2019/01/14 13:34:55 DEBUG org1/repo1/acs-engine-autoscaler-2.2.2.tgz is valid
2019/01/14 13:34:55 DEBUG org1/repo1/acs-engine-autoscaler-2.2.2.tgz.prov is valid
2019/01/14 13:34:55 DEBUG org1/repo2/aerospike-0.1.7.tgz is valid
2019/01/14 13:34:55 DEBUG org2/repo1/apm-server-0.1.0.tgz is valid
2019/01/14 13:34:55 DEBUG org2/repo2/ark-1.2.3.tgz is valid
2019/01/14 13:34:55 ERROR org2/repo2/evil-1.0.0.tgz has bad chart name "../../../../charts/org2/repo2/evil"
2019/01/14 13:34:55 ERROR org2/repo2/evil-1.0.0.tgz.prov has bad chart name "../../../../charts/org2/repo2/evil"
$ echo $?
1
Install from the latest release artifacts:
# Linux
curl -LO https://github.com/chartmuseum/chart-scanner/releases/download/v0.1.0/chart-scanner_0.1.0_linux_amd64.tar.gz
# macOS
curl -LO https://github.com/chartmuseum/chart-scanner/releases/download/v0.1.0/chart-scanner_0.1.0_darwin_amd64.tar.gz
# unpack, install, dispose
mkdir -p chart-scanner-install/
tar -zxf chart-scanner_0.1.0_*.tar.gz -C chart-scanner-install/
mv chart-scanner-install/chart-scanner /usr/local/bin/
rm -rf chart-scanner_0.1.0_*.tar.gz chart-scanner-install/
or via go get:
go get -u github.com/chartmuseum/chart-scanner/cmd/chart-scanner
Then, to run:
chart-scanner --help
A public Docker image containing the CLI is available on Docker Hub:
docker run -it --rm chartmuseum/chart-scanner:v0.1.0 --help
Command-line storage options are identical to the ones used in ChartMuseum (the package is imported and re-used).
Make sure your environment is properly setup to access my-s3-bucket
chart-scanner --debug \
--storage="amazon" \
--storage-amazon-bucket="my-s3-bucket" \
--storage-amazon-prefix="" \
--storage-amazon-region="us-east-1"
You need at least the following permissions inside your IAM Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowListObjects",
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": "arn:aws:s3:::my-s3-bucket"
},
{
"Sid": "AllowObjectsCRUD",
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": "arn:aws:s3:::my-s3-bucket/*"
}
]
}
Make sure your environment is properly setup to access my-gcs-bucket
.
One way to do so is to set the GOOGLE_APPLICATION_CREDENTIALS
var in your environment, pointing to the JSON file containing your service account key:
export GOOGLE_APPLICATION_CREDENTIALS="/home/user/Downloads/[FILE_NAME].json"
More info on Google Cloud authentication can be found here.
chart-scanner --debug \
--storage="google" \
--storage-google-bucket="my-gcs-bucket" \
--storage-google-prefix=""
Make sure your environment is properly setup to access mycontainer
.
To do so, you must set the following env vars:
AZURE_STORAGE_ACCOUNT
AZURE_STORAGE_ACCESS_KEY
chart-scanner --debug \
--storage="microsoft" \
--storage-microsoft-container="mycontainer" \
--storage-microsoft-prefix=""
Make sure your environment is properly setup to access my-oss-bucket
.
To do so, you must set the following env vars:
ALIBABA_CLOUD_ACCESS_KEY_ID
ALIBABA_CLOUD_ACCESS_KEY_SECRET
chart-scanner --debug \
--storage="alibaba" \
--storage-alibaba-bucket="my-oss-bucket" \
--storage-alibaba-prefix="" \
--storage-alibaba-endpoint="oss-cn-beijing.aliyuncs.com"
Make sure your environment is properly setup to access mycontainer
.
To do so, you must set the following env vars (depending on your openstack version):
OS_AUTH_URL
- either
OS_PROJECT_NAME
orOS_TENANT_NAME
orOS_PROJECT_ID
orOS_TENANT_ID
- either
OS_DOMAIN_NAME
orOS_DOMAIN_ID
- either
OS_USERNAME
orOS_USERID
OS_PASSWORD
chart-scanner --debug \
--storage="openstack" \
--storage-openstack-container="mycontainer" \
--storage-openstack-prefix="" \
--storage-openstack-region="myregion"
Make sure your environment is properly setup to access my-ocs-bucket
.
More info on Oracle Cloud Infrastructure authentication can be found here.
chart-scanner --debug \
--storage="oracle" \
--storage-oracle-bucket="my-ocs-bucket" \
--storage-oracle-prefix="" \
--storage-oracle-compartmentid="ocid1.compartment.oc1..1234"
Make sure your environment is properly setup to access my-bos-bucket
.
To do so, you must set the following env vars:
BAIDU_CLOUD_ACCESS_KEY_ID
BAIDU_CLOUD_ACCESS_KEY_SECRET
chart-scanner --debug \
--storage="baidu" \
--storage-baidu-bucket="my-bos-bucket" \
--storage-baidu-prefix="" \
--storage-baidu-endpoint="bj.bcebos.com"
Make sure you have read access to ./chartstorage
.
chart-scanner --debug \
--storage="local" \
--storage-local-rootdir="./chartstorage"
All command-line options can be specified as environment variables, which are defined by the command-line option, capitalized, with all -
's replaced with _
's.
For example, the env var STORAGE_AMAZON_BUCKET
can be used in place of --storage-amazon-bucket
.
If you discover a security issue in Helm or ChartMuseum, please follow the instructions found here.