From 459984c33ddb0ea98c79c4d7fc88616ff29de594 Mon Sep 17 00:00:00 2001
From: Stefan Prodan
Date: Fri, 12 Nov 2021 13:03:42 +0200
Subject: [PATCH 1/2] Verify artifacts integrity

After downloading an artifact, compute its checksum and verify that it matches the original checksum advertised by source-controller.

Signed-off-by: Stefan Prodan
---
 controllers/helmrelease_controller_chart.go | 30 ++++++++++++++++++---
 1 file changed, 27 insertions(+), 3 deletions(-)

diff --git a/controllers/helmrelease_controller_chart.go b/controllers/helmrelease_controller_chart.go
index 8a15d3f85..48a706c99 100644
--- a/controllers/helmrelease_controller_chart.go
+++ b/controllers/helmrelease_controller_chart.go
@@ -18,9 +18,10 @@ package controllers
 
 import (
 	"context"
+	"crypto/sha1"
+	"crypto/sha256"
 	"fmt"
 	"io"
-	"io/ioutil"
 	"net/http"
 	"net/url"
 	"os"
@@ -94,7 +95,7 @@ func (r *HelmReleaseReconciler) getHelmChart(ctx context.Context, hr *v2.HelmRel
 // loads it into a chart.Chart, and removes the downloaded artifact.
 // It returns the loaded chart.Chart on success, or an error.
 func (r *HelmReleaseReconciler) loadHelmChart(source *sourcev1.HelmChart) (*chart.Chart, error) {
-	f, err := ioutil.TempFile("", fmt.Sprintf("%s-%s-*.tgz", source.GetNamespace(), source.GetName()))
+	f, err := os.CreateTemp("", fmt.Sprintf("%s-%s-*.tgz", source.GetNamespace(), source.GetName()))
 	if err != nil {
 		return nil, err
 	}
@@ -126,13 +127,36 @@ func (r *HelmReleaseReconciler) loadHelmChart(source *sourcev1.HelmChart) (*char
 		return nil, fmt.Errorf("artifact '%s' download failed (status code: %s)", source.GetArtifact().URL, resp.Status)
 	}
 
-	if _, err = io.Copy(f, resp.Body); err != nil {
+	// verify checksum matches origin
+	if err := r.copyAndVerifyArtifact(source.GetArtifact(), resp.Body, f); err != nil {
 		return nil, err
 	}
 
 	return loader.Load(f.Name())
 }
 
+func (r *HelmReleaseReconciler) copyAndVerifyArtifact(artifact *sourcev1.Artifact, reader io.Reader, writer io.Writer) error {
+	hasher := sha256.New()
+
+	// for backwards compatibility with source-controller v0.17.2 and older
+	if len(artifact.Checksum) == 40 {
+		hasher = sha1.New()
+	}
+
+	// compute checksum
+	mw := io.MultiWriter(hasher, writer)
+	if _, err := io.Copy(mw, reader); err != nil {
+		return err
+	}
+
+	if checksum := fmt.Sprintf("%x", hasher.Sum(nil)); checksum != artifact.Checksum {
+		return fmt.Errorf("failed to verify artifact: computed checksum '%s' doesn't match advertised '%s'",
+			checksum, artifact.Checksum)
+	}
+
+	return nil
+}
+
 // deleteHelmChart deletes the v1beta1.HelmChart of the v2beta1.HelmRelease.
 func (r *HelmReleaseReconciler) deleteHelmChart(ctx context.Context, hr *v2.HelmRelease) error {
 	if hr.Status.HelmChart == "" {
From 59d3d88f6033385a4c255c3129f1cce771d6983b Mon Sep 17 00:00:00 2001
From: Stefan Prodan
Date: Fri, 12 Nov 2021 15:34:28 +0200
Subject: [PATCH 2/2] Update source-controller/api to v0.18.0

Signed-off-by: Stefan Prodan
---
 config/default/kustomization.yaml | 4 ++--
 go.mod | 2 +-
 go.sum | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/config/default/kustomization.yaml b/config/default/kustomization.yaml
index f6fe7ccd6..d6194fc44 100644
--- a/config/default/kustomization.yaml
+++ b/config/default/kustomization.yaml
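Review bot: In copyAndVerifyArtifact the digest algorithm is selected solely by `len(artifact.Checksum) == 40`, so the advertised value decides whether SHA-1 or SHA-256 is computed; that is acceptable as a transition shim, but the function has no doc comment explaining it, and an empty Checksum deserves a note that it fails closed (a SHA-256 hex digest can never equal ""). Suggested doc comment above the func line: `// copyAndVerifyArtifact streams reader into writer while hashing it and returns an error when the hex digest differs from artifact.Checksum; a 40-character checksum selects SHA-1 for artifacts from source-controller v0.17.2 and older.` The mismatch error would read better without the "failed to" prefix and with %q so an empty advertised value is visible: `return fmt.Errorf("verifying artifact: computed checksum %q doesn't match advertised %q", checksum, artifact.Checksum)`. On mismatch the unverified bytes have already been written to the temp file f; the deferred removal of that file presumably lives in loadHelmChart outside this hunk, so it is worth confirming it also runs on this new error path.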
@@ -2,8 +2,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: helm-system
 resources:
-- https://github.com/fluxcd/source-controller/releases/download/v0.16.0/source-controller.crds.yaml
-- https://github.com/fluxcd/source-controller/releases/download/v0.16.0/source-controller.deployment.yaml
+- https://github.com/fluxcd/source-controller/releases/download/v0.18.0/source-controller.crds.yaml
+- https://github.com/fluxcd/source-controller/releases/download/v0.18.0/source-controller.deployment.yaml
 - ../crd
 - ../rbac
 - ../manager
diff --git a/go.mod b/go.mod
index 145448a2d..3330ff649 100644
--- a/go.mod
+++ b/go.mod
@@ -9,7 +9,7 @@ require (
 	github.com/fluxcd/pkg/apis/kustomize v0.1.0
 	github.com/fluxcd/pkg/apis/meta v0.10.0
 	github.com/fluxcd/pkg/runtime v0.12.0
-	github.com/fluxcd/source-controller/api v0.16.0
+	github.com/fluxcd/source-controller/api v0.18.0
 	github.com/go-logr/logr v0.4.0
 	github.com/hashicorp/go-retryablehttp v0.6.8
 	github.com/onsi/ginkgo v1.16.4
diff --git a/go.sum b/go.sum
index 8a8051f4e..a21eb1a29 100644
--- a/go.sum
+++ b/go.sum
@@ -245,8 +245,8 @@ github.com/fluxcd/pkg/apis/meta v0.10.0 h1:N7wVGHC1cyPdT87hrDC7UwCwRwnZdQM46PBSL
 github.com/fluxcd/pkg/apis/meta v0.10.0/go.mod h1:CW9X9ijMTpNe7BwnokiUOrLl/h13miwVr/3abEQLbKE=
 github.com/fluxcd/pkg/runtime v0.12.0 h1:BPZZ8bBkimpqGAPXqOf3LTaw+tcw6HgbWyCuzbbsJGs=
 github.com/fluxcd/pkg/runtime v0.12.0/go.mod h1:EyaTR2TOYcjL5U//C4yH3bt2tvTgIOSXpVRbWxUn/C4=
-github.com/fluxcd/source-controller/api v0.16.0 h1:xFz+K7lLg/82uOQp+a0g04GsgoWNfyzwXAoVQy4T/oI=
-github.com/fluxcd/source-controller/api v0.16.0/go.mod h1:guUCCapjzE2kocwFreQTM/IGvtAglIJc4L97mokairo=
+github.com/fluxcd/source-controller/api v0.18.0 h1:cK1uWHCujeEm9mjPPum5gogbMXOo0C6ieVZtTTxDNkY=
+github.com/fluxcd/source-controller/api v0.18.0/go.mod h1:guUCCapjzE2kocwFreQTM/IGvtAglIJc4L97mokairo=
 github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
 github.com/form3tech-oss/jwt-go v3.2.3+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
 github.com/franela/goblin v0.0.0-20200105215937-c9ffbefa60db/go.mod h1:7dvUGVsVBjqR7JHJk0brhHOZYGmfBYOrK0ZhYMEtBr4=