Add shell escaping for kubeContext in TemplateArgs

Addressed code review feedback to properly quote the kubeContext value
using shellescape.Quote() to prevent potential command injection if the
context name contains spaces or special characters. Also added clearer
comments explaining the string matching logic for existing flags.

Co-authored-by: yxxhero <11087727+yxxhero@users.noreply.github.com>
copilot-swe-agent[bot] 2025-12-08 07:55:36 +00:00
parent 3ef595ba19
commit e11ef412f5
1 changed files with 8 additions and 2 deletions


@ -20,6 +20,7 @@ import (
"text/template"
"time"
shellescape "al.essio.dev/pkg/shellescape"
"dario.cat/mergo"
"github.com/Masterminds/semver/v3"
"github.com/gofrs/flock"
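Review bot: The new `al.essio.dev/pkg/shellescape` import in this hunk introduces a module-level dependency, yet the diffstat reports a single changed file, so go.mod and go.sum are not touched by this commit; if that module is not already a requirement of this module, the build cannot resolve it and, more to the point, the dependency is not pinned by a go.sum hash. Confirm the module is already required (or include the go.mod/go.sum update in this commit) before merging. Minor style point: if the package declares itself as `shellescape`, the explicit alias is redundant and the line can simply be `"al.essio.dev/pkg/shellescape"`.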
@ -1433,12 +1434,17 @@ func (st *HelmState) processChartification(chartification *Chartify, release *Re
}
if kubeContext != "" {
// Build the template args with proper quoting for the kubeContext value
// Use shellescape to safely quote the context name in case it contains special characters
quotedContext := shellescape.Quote(kubeContext)
if chartifyOpts.TemplateArgs == "" {
chartifyOpts.TemplateArgs = fmt.Sprintf("--kube-context %s --dry-run=server", kubeContext)
chartifyOpts.TemplateArgs = fmt.Sprintf("--kube-context %s --dry-run=server", quotedContext)
} else {
// Only add --kube-context if not already present
if !strings.Contains(chartifyOpts.TemplateArgs, "--kube-context") {
chartifyOpts.TemplateArgs = fmt.Sprintf("--kube-context %s %s", kubeContext, chartifyOpts.TemplateArgs)
chartifyOpts.TemplateArgs = fmt.Sprintf("--kube-context %s %s", quotedContext, chartifyOpts.TemplateArgs)
}
// Add --dry-run if not already present
if !strings.Contains(chartifyOpts.TemplateArgs, "--dry-run") {
chartifyOpts.TemplateArgs += " --dry-run=server"
}