topdown/json: Fix panic in json.filter on empty JSON paths. #5200
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
✅ Deploy Preview for openpolicyagent ready!
To edit notification comments on pull requests, go to your Netlify site settings. |
philipaconrad
force-pushed
the
issue-5199-fix-json-filter-panic
branch
from
19fee81
to
388b9c4
Compare
This commit fixes a panic discovered in the `json.filter` builtin that could be triggered with an empty JSON path parameter, such as `""`. This panic was caused by indexing logic in a helper function always assuming it had at least one path segment to work with, and thus indexing out-of-bounds when no path segment was present. The issue was fixed by adding an extra check to the helper function for the null path case, and adding new unit tests to check for the issue. Fixes: open-policy-agent#5199 Signed-off-by: Philip Conrad <philipaconrad@gmail.com>
philipaconrad
force-pushed
the
issue-5199-fix-json-filter-panic
branch
from
388b9c4
to
d1acc16
Compare
anderseknert
previously approved these changes
Sep 29, 2022
topdown/json.go
Outdated
| @@ -203,6 +203,11 @@ func pathsToObject(paths []ast.Ref) ast.Object { | |||
| node := root | |||
| var done bool | |||
|
|
|||
| // If it's a null JSON path, skip all further processing. | |||
There was a problem hiding this comment.
nit, but it's an empty string, not null.. right?
There was a problem hiding this comment.
When I wrote that, I was thinking about how the empty string in the list of paths-to-be-filtered is translated into a blank ast.Ref, which is basically a null/nil value. I'll embellish the comment with more details.
Signed-off-by: Philip Conrad <philipaconrad@gmail.com>
ashutosh-narkar
approved these changes
Sep 29, 2022
anderseknert
approved these changes
Sep 30, 2022
byronic
pushed a commit
to byronic/opa
that referenced
this pull request
Oct 17, 2022
…icy-agent#5200) This commit fixes a panic discovered in the `json.filter` builtin that could be triggered with an empty JSON path parameter, such as `""`. This panic was caused by indexing logic in a helper function always assuming it had at least one path segment to work with, and thus indexing out-of-bounds when no path segment was present. The issue was fixed by adding an extra check to the helper function for the null path case, and adding new unit tests to check for the issue. Fixes: open-policy-agent#5199 Signed-off-by: Philip Conrad <philipaconrad@gmail.com> Signed-off-by: Byron Lagrone <byron.lagrone@seqster.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This commit fixes a panic discovered in the
json.filterbuiltin that could be triggered with an empty JSON path parameter, such as"". This panic was caused by indexing logic in a helper function always assuming it had at least one path segment to work with, and thus indexing out-of-bounds when no path segment was present.The issue was fixed by adding an extra check to the helper function for the null path case, and adding new unit tests to check for the issue.
Fixes: #5199