From ab65a7872b1a530905afb96eac4d18f7d402a432 Mon Sep 17 00:00:00 2001
From: Tarashish Mishra
Date: Thu, 3 Jul 2025 19:16:09 +0530
Subject: [PATCH] Skip GDAL VRT driver to mitigate security issue

Skip VRT driver to prevent arbitrary file reading vulnerability reported in GDAL issue https://github.com/OSGeo/gdal/issues/12645 and https://github.com/developmentseed/titiler/issues/1180. This configuration prevents exploitation of GDAL's VRT driver which can be used to read arbitrary files from the filesystem.
---
 helm-chart/eoapi/values.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/helm-chart/eoapi/values.yaml b/helm-chart/eoapi/values.yaml
index 6a7e0ee..167de38 100644
--- a/helm-chart/eoapi/values.yaml
+++ b/helm-chart/eoapi/values.yaml
@@ -247,6 +247,7 @@ raster:
 GDAL_HTTP_MERGE_CONSECUTIVE_RANGES: "YES"
 GDAL_HTTP_MULTIPLEX: "YES"
 GDAL_HTTP_VERSION: "2"
+ GDAL_SKIP: "VRT" # skip VRT driver to avoid https://github.com/OSGeo/gdal/issues/12645
 PYTHONWARNINGS: "ignore"
 VSI_CACHE: "TRUE"
 VSI_CACHE_SIZE: "5000000" # 5 MB (per file-handle)
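Review bot: The added `GDAL_SKIP: "VRT"` is set only in the `raster:` env block shown in this hunk, so any other service in this chart that opens datasets through GDAL would keep the VRT driver unless it gets the same entry; the rest of values.yaml is outside the hunk, so that needs checking there. Because this is a chart default, an operator who overrides or trims these env vars can drop it without realising it is a security control, so I would make the inline comment say so: `GDAL_SKIP: "VRT"  # SECURITY: keep set; VRT driver allows arbitrary file reads (OSGeo/gdal#12645, developmentseed/titiler#1180)`. Skipping the driver rejects every VRT input, legitimate ones included, so a release note and a smoke test of the raster endpoints with the driver skipped would be worth adding. It is also a single-driver denylist, so restricting which dataset URLs the service accepts and keeping secrets off the pod filesystem remain worthwhile as defence in depth.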