fix: Prevent possible OOB access when loading RBAC policies #8186

Merged
merged 1 commit into from
Jan 15, 2022

@jannfis jannfis commented Jan 14, 2022

Fixes possible out-of-bounds access for slices returned by CSV reader. Also adds proper unit tests for loadPolicyLine.

Ref: https://oss-fuzz.com/testcase-detail/6031472681680896

/cc @terrytangyuan @hblixt @AdamKorcz @DavidKorczynski

Signed-off-by: jannfis jann@mistrust.net

Note on DCO:

If the DCO action in the integration test fails, one or more of your commits are not signed off. Please click on the Details link next to the DCO action for instructions on how to resolve this.

Checklist:

  • Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
  • The title of the PR states what changed and the related issues number (used for the release note).
  • I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
  • I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
  • Does this PR require documentation updates?
  • I've updated documentation as required by this PR.
  • Optional. My organization is added to USERS.md.
  • I have signed off all my commits as required by DCO
  • I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
  • My build is green (troubleshooting builds).
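
The bug class this PR describes, indexing into a record returned by a CSV reader without first checking its length, shown as an added Go example that is not code from this PR or from Argo CD. The function name `parsePolicyLine` and the sample policy lines are assumptions constructed for illustration.

```go
package main

import (
	"encoding/csv"
	"errors"
	"fmt"
	"strings"
)

// parsePolicyLine is a hypothetical helper, not Argo CD's loadPolicyLine.
// It reads one CSV policy line and checks the record length before
// indexing into the slice returned by the CSV reader.
func parsePolicyLine(line string) (kind string, rule []string, err error) {
	line = strings.TrimSpace(line)
	if line == "" || strings.HasPrefix(line, "#") {
		return "", nil, nil // blank lines and comments carry no rule
	}
	r := csv.NewReader(strings.NewReader(line))
	r.TrimLeadingSpace = true
	r.FieldsPerRecord = -1 // accept any field count; lengths are checked below
	tokens, err := r.Read()
	if err != nil {
		return "", nil, fmt.Errorf("malformed policy line %q: %w", line, err)
	}
	// Without this guard, tokens[1] or tokens[0][:1] can panic on input
	// such as `p` (one field) or `,` (empty first field).
	if len(tokens) < 2 || tokens[0] == "" {
		return "", nil, errors.New("policy line needs a type and at least one field")
	}
	return tokens[0], tokens[1:], nil
}

func main() {
	// Constructed sample input: two valid lines, then malformed ones.
	samples := []string{
		"p, role:admin, applications, get, */*, allow",
		"g, alice, role:admin",
		"p",
		",",
		`""`,
		`p, "unterminated`,
	}
	for _, s := range samples {
		kind, rule, err := parsePolicyLine(s)
		fmt.Printf("%-48q kind=%q rule=%q err=%v\n", s, kind, rule, err)
	}
}
```
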

Signed-off-by: jannfis <jann@mistrust.net>
@jannfis jannfis added the fuzzing Bugs detected by fuzzer label Jan 14, 2022
@jannfis jannfis changed the title fix: Prevent possible out-of-bounds access when loading policies fix: Prevent possible OOB access when loading RBAC policies Jan 14, 2022
@jannfis jannfis requested a review from alexmt January 14, 2022 22:16
DavidKorczynski commented Jan 14, 2022

Great @jannfis ! Super fast.

FYI, in the PR/commit it might be smarter to reference the Monorail issues rather than the oss-fuzz.com reports. This is because only the monorail issues will become public, and not the oss-fuzz issue. So down the line someone who might not have access to the oss-fuzz dashboard won't be able to follow the link. In this case the monorail and oss-fuzz issues are, respectively:

Just a thought!

jannfis commented Jan 14, 2022

> reference the Monorail issues rather than the oss-fuzz.com reports

Makes sense @DavidKorczynski. I will refer to both in the future. Thanks.

@pasha-codefresh pasha-codefresh left a comment

LGTM

@terrytangyuan terrytangyuan left a comment

LGTM

codecov bot commented Jan 14, 2022

Codecov Report

Merging #8186 (88744d8) into master (f652897) will increase coverage by 0.01%.
The diff coverage is 100.00%.

@@            Coverage Diff             @@
##           master    #8186      +/-   ##
==========================================
+ Coverage   41.53%   41.54%   +0.01%     
==========================================
  Files         174      174              
  Lines       22707    22715       +8     
==========================================
+ Hits         9432     9438       +6     
- Misses      11921    11923       +2     
  Partials     1354     1354              

| Impacted Files | Coverage Δ | |
|---|---|---|
| util/rbac/rbac.go | 76.69% <100.00%> (+0.22%) | ⬆️ |
| util/helm/cmd.go | 28.65% <0.00%> (ø) | |
| pkg/apis/application/v1alpha1/types.go | 55.32% <0.00%> (ø) | |
| reposerver/repository/repository.go | 57.85% <0.00%> (+0.04%) | ⬆️ |
| cmd/util/app.go | 47.10% <0.00%> (+0.16%) | ⬆️ |

Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update f652897...88744d8. Read the comment docs.

@jannfis jannfis merged commit d33caac into argoproj:master Jan 15, 2022
Labels
fuzzing Bugs detected by fuzzer
5 participants