Skip to content

Backend should enforce HTTPS requirement when basicAuthConfig is used for Helm repositories #15755

Open
Open
Backend should enforce HTTPS requirement when basicAuthConfig is used for Helm repositories#15755
Labels
lifecycle/frozenIndicates that an issue or PR should not be auto-closed due to staleness.
@coderabbitai

Description

@coderabbitai
coderabbitai
bot
opened on Nov 21, 2025

Background

While adding basic authentication support for Helm repositories in PR #15624, frontend validation was implemented to require HTTPS when basicAuthConfig is present (see comment thread).

However, the backend does not currently enforce this security requirement, allowing users to bypass the frontend validation by directly creating or modifying repository resources via the API.

Current State

  • Frontend validation: Correctly requires HTTPS when basicAuthConfig is present (frontend/packages/helm-plugin/src/components/forms/HelmChartRepository/helmchartrepository-validation-utils.ts)
  • Backend validation: Missing in pkg/helm/chartproxy/repos.go (lines 169-246) where basicAuthConfig is extracted and applied without URL scheme validation
  • Test files confirm backend accepts HTTP URLs with basicAuthConfig

Required Action

Add server-side validation in pkg/helm/chartproxy/repos.go to reject repository create/update requests when:

  • basicAuthConfig is provided, AND
  • Repository URL does not use HTTPS scheme

The validation should return a clear HTTP 400 error when this constraint is violated.

Additional Context

Requested by: @webbnh
Tracked from: #15624 (comment)

Metadata

Metadata

Assignees

No one assigned

    Labels

    lifecycle/frozenIndicates that an issue or PR should not be auto-closed due to staleness.

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions