Snap Store Server

charmhub should reject uploads of bundles containing overlays

Bug #1921933 reported by Achilleas Anagnostopoulos on 2021-03-30

This bug affects 2 people

Affects		Status	Importance	Assigned to	Milestone
	Snap Store Server	New	Undecided	Unassigned

Bug Description

When juju first implemented multi-document bundles, we ensured (via https://github.com/juju/charmstore/pull/884) that the store rejected uploads of bundles containing overlays as this poses a security risk. For example:

```
series: focal
applications:
  percona-cluster:
    charm: percona-cluster
    num_units:1
--- # overlay.yaml
applications:
  percona-cluster:
    expose: true
```

(alternatively, replace the overlay contents with a bitcoin miner charm)

I can't seem to be able to find an actual bundle on charmhub at the moment but judging by the template used for rendering regular charms, there isn't a way to inspect the charm (or bundle for that matter) metadata.

Can you please double-check that charmhub also applies the same validation checks and rejects bundles with overlays just as the charmstore did?

Revision history for this message

Facundo Batista (facundo) wrote on 2021-10-12:

Currently `charmcraft` crashes if trying to pack a bundle with overlay, as stated here: https://github.com/canonical/charmcraft/issues/549

We need this issue to be fixed before we actually fix charmcraft to not crash in this situation, to ensure that there will no bundle with overlay even by mistake (charmcraft will have a linter that stops the packing if a bundle with overlay, but linters can be ignored, so...).

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

auto-github-canonical-charmcraft #549
[open triaged] Edit

Bug watches keep track of this bug in other bug trackers.