charmhub should reject uploads of bundles containing overlays

Bug #1921933 reported by Achilleas Anagnostopoulos
This bug affects 2 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Snap Store Server | New | Undecided | Unassigned | |

Bug Description

When juju first implemented multi-document bundles, we ensured (via https://github.com/juju/charmstore/pull/884) that the store rejected uploads of bundles containing overlays as this poses a security risk. For example:

```yaml
series: focal
applications:
  percona-cluster:
    charm: percona-cluster
    num_units: 1
--- # overlay.yaml
applications:
  percona-cluster:
    expose: true
```

(alternatively, replace the overlay contents with a bitcoin miner charm)

I can't seem to find an actual bundle on charmhub at the moment, but judging by the template used for rendering regular charms, there isn't a way to inspect the charm (or bundle, for that matter) metadata.

Can you please double-check that charmhub also applies the same validation checks and rejects bundles with overlays just as the charmstore did?
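The store-side check the report asks for, as an added example that is not code from the bug report, charmstore or charmhub: it counts the YAML documents in a `bundle.yaml` by scanning for document markers (so it needs no PyYAML) and rejects anything that is not exactly one document, which is how an overlay rides along with a bundle. The function names and the sample bundles are assumptions; the first sample is the report's own bundle-plus-overlay.

```python
# Added example (not from the bug report or charmhub): a store-side check that
# rejects a bundle.yaml carrying more than one YAML document, i.e. an overlay.
# It scans for YAML document markers instead of fully parsing, so it has no
# dependency on PyYAML; the function names and sample bundles are assumptions.
import re

# YAML document markers are only recognised at column 0: "---" starts a new
# document, "..." ends the current one. Either may be followed by whitespace,
# a comment or end of line.
_DOC_START = re.compile(r"^---(?:\s|$)")
_DOC_END = re.compile(r"^\.\.\.(?:\s|$)")


def count_documents(text: str) -> int:
    """Return how many YAML documents the stream encodes.

    An explicit "---" always opens a document; content that appears before
    any marker (or after a "...") opens one implicitly. Indented lines can
    never be markers, so a "---" inside a block scalar is not miscounted.
    """
    docs = 0
    in_doc = False
    for line in text.splitlines():
        if _DOC_START.match(line):
            docs += 1
            in_doc = True
            continue
        if _DOC_END.match(line):
            in_doc = False
            continue
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments belong to no document
        if not in_doc:
            docs += 1  # implicit document start
            in_doc = True
    return docs


def check_bundle(text: str) -> tuple[bool, str]:
    """Decide whether a bundle.yaml may be accepted by the store.

    Returns (accepted, reason). Anything but exactly one document is
    rejected: an overlay arrives as a second document, and an empty
    file is not a bundle at all.
    """
    n = count_documents(text)
    if n == 0:
        return False, "bundle.yaml contains no YAML document"
    if n > 1:
        return False, f"bundle.yaml contains {n} YAML documents; overlays are not accepted"
    return True, "single-document bundle"


# Constructed sample inputs: the bug report's bundle with its overlay, and a
# plain bundle whose only "---" sits inside an indented block scalar.
BUNDLE_WITH_OVERLAY = """\
series: focal
applications:
  percona-cluster:
    charm: percona-cluster
    num_units: 1
--- # overlay.yaml
applications:
  percona-cluster:
    expose: true
"""

PLAIN_BUNDLE = """\
series: focal
description: |
  ---
  not a document marker, just text in a block scalar
applications:
  percona-cluster:
    charm: percona-cluster
    num_units: 1
"""

if __name__ == "__main__":
    for name, text in [("with overlay", BUNDLE_WITH_OVERLAY), ("plain", PLAIN_BUNDLE)]:
        accepted, reason = check_bundle(text)
        print(f"{name}: {'accepted' if accepted else 'rejected'} ({reason})")
```

Rejecting on the marker count rather than on the parsed content is deliberate: the store does not need to understand what the second document would change, only that a second document exists, and a column-0 scan cannot be fooled by a full YAML parser's quirks because the YAML spec only recognises `---` and `...` as markers at column 0.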

Revision history for this message
Facundo Batista (facundo) wrote :

Currently `charmcraft` crashes if trying to pack a bundle with overlay, as stated here: https://github.com/canonical/charmcraft/issues/549

We need this issue to be fixed before we actually fix charmcraft to not crash in this situation, to ensure that there will be no bundle with overlay even by mistake (charmcraft will have a linter that stops the packing if a bundle has an overlay, but linters can be ignored, so...).

