From 3df6442bd16ac7bc3d38ebda016dcb43b766d44e Mon Sep 17 00:00:00 2001
From: anontrex <43818977+anontrex@users.noreply.github.com>
Date: Mon, 9 Jun 2025 19:08:10 +1000
Subject: [PATCH] fix-insecure-flag (#2072)

Signed-off-by: tcase44 <toblerone.tc@gmail.com>
Co-authored-by: tcase44 <toblerone.tc@gmail.com>
---
 pkg/remote/remote.go | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/pkg/remote/remote.go b/pkg/remote/remote.go
index b99277ee..c0845f23 100644
--- a/pkg/remote/remote.go
+++ b/pkg/remote/remote.go
@@ -190,6 +190,11 @@ func (r *Remote) Fetch(path string, cacheDirOpt ...string) (string, error) {
 		return "", err
 	}
 
+	// Block remote access if insecure features are disabled and the source is remote
+	if disableInsecureFeatures && IsRemote(path) {
+		return "", fmt.Errorf("remote sources are disabled due to 'HELMFILE_DISABLE_INSECURE_FEATURES'")
+	}
+
 	srcDir := fmt.Sprintf("%s://%s/%s", u.Scheme, u.Host, u.Dir)
 	file := u.File
 
@@ -532,9 +537,6 @@ func ParseS3Url(s3URL string) (string, string, error) {
 }
 
 func NewRemote(logger *zap.SugaredLogger, homeDir string, fs *filesystem.FileSystem) *Remote {
-	if disableInsecureFeatures {
-		panic("Remote sources are disabled due to 'DISABLE_INSECURE_FEATURES'")
-	}
 	remote := &Remote{
 		Logger:     logger,
 		Home:       homeDir,