From d1acc16647a7bc0a98bebd8016b4cadfa25408a2 Mon Sep 17 00:00:00 2001
From: Philip Conrad <philipaconrad@gmail.com>
Date: Thu, 29 Sep 2022 16:53:04 -0400
Subject: [PATCH 1/2] topdown/json: Fix panic in json.filter on empty JSON
 paths.

This commit fixes a panic discovered in the `json.filter` builtin that
could be triggered with an empty JSON path parameter, such as `""`. This
panic was caused by indexing logic in a helper function always assuming
it had at least one path segment to work with, and thus indexing
out-of-bounds when no path segment was present.

The issue was fixed by adding an extra check to the helper function for
the null path case, and adding new unit tests to check for the issue.

Fixes: #5199

Signed-off-by: Philip Conrad <philipaconrad@gmail.com>
---
 topdown/json.go      |  5 +++++
 topdown/json_test.go | 10 ++++++++++
 2 files changed, 15 insertions(+)

diff --git a/topdown/json.go b/topdown/json.go
index 09a0ea6a93..12175e4476 100644
--- a/topdown/json.go
+++ b/topdown/json.go
@@ -203,6 +203,11 @@ func pathsToObject(paths []ast.Ref) ast.Object {
 		node := root
 		var done bool
 
+		// If it's a null JSON path, skip all further processing.
+		if len(path) == 0 {
+			done = true
+		}
+
 		for i := 0; i < len(path)-1 && !done; i++ {
 
 			k := path[i]
diff --git a/topdown/json_test.go b/topdown/json_test.go
index 53d114e4ae..f1056f0c98 100644
--- a/topdown/json_test.go
+++ b/topdown/json_test.go
@@ -16,6 +16,11 @@ func TestFiltersToObject(t *testing.T) {
 		filters  []string
 		expected string
 	}{
+		{
+			note:     "empty path",
+			filters:  []string{`""`},
+			expected: `{}`,
+		},
 		{
 			note:     "base",
 			filters:  []string{`"a/b/c"`},
@@ -81,6 +86,11 @@ func TestFiltersToObject(t *testing.T) {
 			filters:  []string{`"a/~0b~1c/d~1~0"`},
 			expected: `{"a": {"~b/c": {"d/~": null}}}`,
 		},
+		{
+			note:     "empty strings mixed with normal paths",
+			filters:  []string{`"a/b/c"`, `""`, `"a/b/d"`, `"a/e/f"`, `""`},
+			expected: `{"a": {"b": {"c": null, "d": null}, "e": {"f": null}}}`,
+		},
 	}
 
 	for _, tc := range cases {

From 586185db0de4fd4330d0fae207b88d8a5788f2e9 Mon Sep 17 00:00:00 2001
From: Philip Conrad <philipaconrad@gmail.com>
Date: Thu, 29 Sep 2022 19:19:28 -0400
Subject: [PATCH 2/2] topdown/json: Add clarifying comments.

Signed-off-by: Philip Conrad <philipaconrad@gmail.com>
---
 topdown/json.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/topdown/json.go b/topdown/json.go
index 12175e4476..d1d8897e4d 100644
--- a/topdown/json.go
+++ b/topdown/json.go
@@ -203,11 +203,12 @@ func pathsToObject(paths []ast.Ref) ast.Object {
 		node := root
 		var done bool
 
-		// If it's a null JSON path, skip all further processing.
+		// If the path is an empty JSON path, skip all further processing.
 		if len(path) == 0 {
 			done = true
 		}
 
+		// Otherwise, we should have 1+ path segments to work with.
 		for i := 0; i < len(path)-1 && !done; i++ {
 
 			k := path[i]