fix(kptfile): validate and sanitize Kptfile updates

Reuse DecodeKptfile validation in UpdateKptfileContent so invalid,
deprecated, or unknown-field Kptfiles fail before SDK processing.

Strip SDK-internal metadata annotations before applying mutations to
avoid writing internal config.kubernetes.io fields back to user
Kptfiles.

Add regression tests covering validation parity, annotation stripping,
empty annotation cleanup, and nil-safe handling.

Signed-off-by: Jaisheesh-2006 <jaicodes2006@gmail.com>

Author: Jaisheesh-2006

pkg/kptfile/kptfileutil/util.go

@@ -473,13 +473,7 @@ func DecodeKptfile(in io.Reader) (*kptfilev1.KptFile, error) {
 	if err != nil {
 		return kf, err
 	}
-	if err := checkKptfileVersion(c); err != nil {
-		return kf, err
-	}
-
-	d := yaml.NewDecoder(bytes.NewBuffer(c))
-	d.KnownFields(true)
-	if err := d.Decode(&kptfilev1.KptFile{}); err != nil {
+	if err := validateKptfileContent(c); err != nil {
 		return kf, err
 	}
 
@@ -497,19 +491,18 @@ func DecodeKptfile(in io.Reader) (*kptfilev1.KptFile, error) {
 		return kf, err
 	}
 
-	for _, key := range sdkInternalKptfileAnnotations {
-		delete(kf.Annotations, key)
-	}
-	if len(kf.Annotations) == 0 {
-		kf.Annotations = nil
-	}
+	stripSDKInternalKptfileAnnotations(kf)
 
 	return kf, nil
 }
 
 // UpdateKptfileContent updates Kptfile YAML content in-memory using SDK Kptfile
 // read/write APIs while preserving existing YAML document structure and comments.
 func UpdateKptfileContent(content string, mutator func(*kptfilev1.KptFile)) (string, error) {
+	if err := validateKptfileContent([]byte(content)); err != nil {
+		return "", err
+	}
+
 	resources := map[string]string{kptfilev1.KptFileName: content}
 	sdkKptfile, err := fn.NewKptfileFromPackage(resources)
 	if err != nil {
@@ -520,6 +513,7 @@ func UpdateKptfileContent(content string, mutator func(*kptfilev1.KptFile)) (str
 	if err := sdkKptfile.Obj.As(typedKptfile); err != nil {
 		return "", err
 	}
+	stripSDKInternalKptfileAnnotations(typedKptfile)
 
 	mutator(typedKptfile)
 
@@ -534,6 +528,33 @@ func UpdateKptfileContent(content string, mutator func(*kptfilev1.KptFile)) (str
 	return resources[kptfilev1.KptFileName], nil
 }
 
+func validateKptfileContent(content []byte) error {
+	if err := checkKptfileVersion(content); err != nil {
+		return err
+	}
+
+	d := yaml.NewDecoder(bytes.NewBuffer(content))
+	d.KnownFields(true)
+	if err := d.Decode(&kptfilev1.KptFile{}); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func stripSDKInternalKptfileAnnotations(kf *kptfilev1.KptFile) {
+	if kf == nil || kf.ObjectMeta.Annotations == nil {
+		return
+	}
+
+	for _, key := range sdkInternalKptfileAnnotations {
+		delete(kf.ObjectMeta.Annotations, key)
+	}
+	if len(kf.ObjectMeta.Annotations) == 0 {
+		kf.ObjectMeta.Annotations = nil
+	}
+}
+
 // checkKptfileVersion verifies the apiVersion and kind of the resource
 // within the Kptfile. If the legacy version is found, the DeprecatedKptfileError
 // is returned. If the currently supported apiVersion and kind is found, no

pkg/kptfile/kptfileutil/util_test.go

@@ -836,6 +836,149 @@ metadata: [bad
 	assert.Error(t, err)
 }
 
+func TestUpdateKptfileContent_UsesDecodeValidation(t *testing.T) {
+	testCases := map[string]struct {
+		content             string
+		expectedErr         any
+		expectedDecodeError string
+	}{
+		"deprecated version": {
+			content: `
+apiVersion: kpt.dev/v1alpha2
+kind: Kptfile
+metadata:
+  name: sample
+`,
+			expectedErr:         &DeprecatedKptfileError{},
+			expectedDecodeError: "old resource version \"v1alpha2\" found in Kptfile",
+		},
+		"unknown kind": {
+			content: `
+apiVersion: kpt.dev/v1
+kind: ConfigMap
+metadata:
+  name: sample
+`,
+			expectedErr:         &UnknownKptfileResourceError{},
+			expectedDecodeError: "unknown resource type \"kpt.dev/v1, Kind=ConfigMap\" found in Kptfile",
+		},
+		"unknown field": {
+			content: `
+apiVersion: kpt.dev/v1
+kind: Kptfile
+metadata:
+  name: sample
+unexpectedField: true
+`,
+			expectedDecodeError: "yaml: unmarshal errors:\n  line 6: field unexpectedField not found in type v1.KptFile",
+		},
+	}
+
+	for tn, tc := range testCases {
+		t.Run(tn, func(t *testing.T) {
+			_, decodeErr := DecodeKptfile(strings.NewReader(tc.content))
+			_, updateErr := UpdateKptfileContent(tc.content, func(*kptfilev1.KptFile) {})
+
+			if !assert.EqualError(t, decodeErr, tc.expectedDecodeError) {
+				t.FailNow()
+			}
+			if !assert.EqualError(t, updateErr, decodeErr.Error()) {
+				t.FailNow()
+			}
+			if tc.expectedErr != nil {
+				assert.IsType(t, tc.expectedErr, decodeErr)
+				assert.IsType(t, tc.expectedErr, updateErr)
+			}
+		})
+	}
+}
+
+func TestUpdateKptfileContent_StripsSDKInternalAnnotations(t *testing.T) {
+	t.Run("preserves user annotations", func(t *testing.T) {
+		content := `
+apiVersion: kpt.dev/v1
+kind: Kptfile
+metadata:
+  name: sample
+  annotations:
+    config.kubernetes.io/index: "0"
+    internal.config.kubernetes.io/path: Kptfile
+    user.example.com/keep: value
+`
+
+		updatedContent, err := UpdateKptfileContent(content, func(kf *kptfilev1.KptFile) {
+			kf.Name = "updated-sample"
+		})
+		if !assert.NoError(t, err) {
+			t.FailNow()
+		}
+
+		updatedKf, err := DecodeKptfile(strings.NewReader(updatedContent))
+		if !assert.NoError(t, err) {
+			t.FailNow()
+		}
+
+		assert.Equal(t, "updated-sample", updatedKf.Name)
+		if assert.NotNil(t, updatedKf.Annotations) {
+			assert.Equal(t, "value", updatedKf.Annotations["user.example.com/keep"])
+			for _, key := range sdkInternalKptfileAnnotations {
+				assert.NotContains(t, updatedKf.Annotations, key)
+			}
+		}
+		assert.NotContains(t, updatedContent, "config.kubernetes.io/index")
+		assert.NotContains(t, updatedContent, "internal.config.kubernetes.io/path")
+	})
+
+	t.Run("removes empty annotation map", func(t *testing.T) {
+		content := `
+apiVersion: kpt.dev/v1
+kind: Kptfile
+metadata:
+  name: sample
+  annotations:
+    config.kubernetes.io/index: "0"
+    internal.config.kubernetes.io/index: "0"
+`
+
+		updatedContent, err := UpdateKptfileContent(content, func(*kptfilev1.KptFile) {})
+		if !assert.NoError(t, err) {
+			t.FailNow()
+		}
+
+		updatedKf, err := DecodeKptfile(strings.NewReader(updatedContent))
+		if !assert.NoError(t, err) {
+			t.FailNow()
+		}
+
+		assert.Nil(t, updatedKf.Annotations)
+		assert.NotContains(t, updatedContent, "annotations:")
+	})
+
+	t.Run("handles missing annotations safely", func(t *testing.T) {
+		content := `
+apiVersion: kpt.dev/v1
+kind: Kptfile
+metadata:
+  name: sample
+`
+
+		updatedContent, err := UpdateKptfileContent(content, func(kf *kptfilev1.KptFile) {
+			kf.Name = "updated-sample"
+		})
+		if !assert.NoError(t, err) {
+			t.FailNow()
+		}
+
+		updatedKf, err := DecodeKptfile(strings.NewReader(updatedContent))
+		if !assert.NoError(t, err) {
+			t.FailNow()
+		}
+
+		assert.Equal(t, "updated-sample", updatedKf.Name)
+		assert.Nil(t, updatedKf.Annotations)
+	})
+}
+
 func TestMerge(t *testing.T) {
 	testCases := map[string]struct {
 		origin   string