From 5425087730f5fe9f4ced73373055269f58fd05f7 Mon Sep 17 00:00:00 2001
From: Immanuel Tikhonov <pchpr.00@list.ru>
Date: Fri, 22 May 2026 08:56:53 +0400
Subject: [PATCH] Validate Helm source URL schemes

Reject HelmRepository source URLs with schemes unsupported by the
source-controller API before generating or applying the object.

Signed-off-by: Immanuel Tikhonov <pchpr.00@list.ru>
Assisted-by: codex/gpt-5
---
 cmd/flux/create_source_helm.go      | 15 +++++++++------
 cmd/flux/create_source_helm_test.go |  6 ++++++
 2 files changed, 15 insertions(+), 6 deletions(-)

diff --git a/cmd/flux/create_source_helm.go b/cmd/flux/create_source_helm.go
index 0934228b..8c8335b5 100644
--- a/cmd/flux/create_source_helm.go
+++ b/cmd/flux/create_source_helm.go
@@ -114,9 +114,16 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
-	if _, err := url.Parse(sourceHelmArgs.url); err != nil {
+	helmURL, err := url.Parse(sourceHelmArgs.url)
+	if err != nil {
 		return fmt.Errorf("url parse failed: %w", err)
 	}
+	if helmURL.Scheme != "http" && helmURL.Scheme != "https" && helmURL.Scheme != sourcev1.HelmRepositoryTypeOCI {
+		return fmt.Errorf("url scheme '%s' not supported, can be: http, https and oci", helmURL.Scheme)
+	}
+	if helmURL.Host == "" {
+		return fmt.Errorf("url host is required")
+	}
 
 	helmRepository := &sourcev1.HelmRepository{
 		ObjectMeta: metav1.ObjectMeta{
@@ -132,11 +139,7 @@ func createSourceHelmCmdRun(cmd *cobra.Command, args []string) error {
 		},
 	}
 
-	url, err := url.Parse(sourceHelmArgs.url)
-	if err != nil {
-		return fmt.Errorf("failed to parse URL: %w", err)
-	}
-	if url.Scheme == sourcev1.HelmRepositoryTypeOCI {
+	if helmURL.Scheme == sourcev1.HelmRepositoryTypeOCI {
 		helmRepository.Spec.Type = sourcev1.HelmRepositoryTypeOCI
 		helmRepository.Spec.Provider = sourceHelmArgs.ociProvider
 	}
diff --git a/cmd/flux/create_source_helm_test.go b/cmd/flux/create_source_helm_test.go
index ceaa959f..e8213797 100644
--- a/cmd/flux/create_source_helm_test.go
+++ b/cmd/flux/create_source_helm_test.go
@@ -36,6 +36,12 @@ func TestCreateSourceHelm(t *testing.T) {
 			resultFile: "name is required",
 			assertFunc: "assertError",
 		},
+		{
+			name:       "unsupported URL scheme",
+			args:       "create source helm podinfo --url=git://example.com/charts --export",
+			resultFile: "url scheme 'git' not supported, can be: http, https and oci",
+			assertFunc: "assertError",
+		},
 		{
 			name:       "OCI repo",
 			args:       "create source helm podinfo --url=oci://ghcr.io/stefanprodan/charts/podinfo --interval 5m --export",