Avoid panic in shortcode param handling

Fixes #1337
2024-06-27 21:25:07 +00:00 · 2015-08-07 20:08:23 +02:00 · 2015-08-07 20:08:23 +02:00 · 0f1fb8c7d8
parent 35bb72c83e
commit 0f1fb8c7d8
2 changed files with 32 additions and 6 deletions
--- a/hugolib/shortcode.go
+++ b/hugolib/shortcode.go
@ -271,6 +271,8 @@ func extractAndRenderShortcodes(stringToParse string, p *Page, t tpl.Template) (

 }

+var shortCodeIllegalState = errors.New("Illegal shortcode state")
+
 // pageTokens state:
 // - before: positioned just before the shortcode start
 // - after: shortcode(s) consumed (plural when they are nested)
@ -353,8 +355,12 @@ Loop:
 					params[currItem.val] = pt.next().val
 					sc.params = params
 				} else {
-					params := sc.params.(map[string]string)
-					params[currItem.val] = pt.next().val
+					if params, ok := sc.params.(map[string]string); ok {
+						params[currItem.val] = pt.next().val
+					} else {
+						return sc, shortCodeIllegalState
+					}
+
 				}
 			} else {
 				// positional params
@ -363,9 +369,13 @@ Loop:
 					params = append(params, currItem.val)
 					sc.params = params
 				} else {
-					params := sc.params.([]string)
-					params = append(params, currItem.val)
-					sc.params = params
+					if params, ok := sc.params.([]string); ok {
+						params = append(params, currItem.val)
+						sc.params = params
+					} else {
+						return sc, shortCodeIllegalState
+					}
+
 				}
 			}

--- a/hugolib/shortcode_test.go
+++ b/hugolib/shortcode_test.go
@ -18,14 +18,22 @@ func pageFromString(in, filename string) (*Page, error) {
 }

 func CheckShortCodeMatch(t *testing.T, input, expected string, template tpl.Template) {
+	CheckShortCodeMatchAndError(t, input, expected, template, false)
+}
+
+func CheckShortCodeMatchAndError(t *testing.T, input, expected string, template tpl.Template, expectError bool) {

 	p, _ := pageFromString(SIMPLE_PAGE, "simple.md")
 	output, err := HandleShortcodes(input, p, template)

-	if err != nil {
+	if err != nil && !expectError {
 		t.Fatalf("Shortcode rendered error %s. Expected: %q, Got: %q", err, expected, output)
 	}

+	if err == nil && expectError {
+		t.Fatalf("No error from shortcode")
+	}
+
 	if output != expected {
 		t.Fatalf("Shortcode render didn't match. got %q but exxpected %q", output, expected)
 	}
@ -91,6 +99,14 @@ func TestPositionalParamIndexOutOfBounds(t *testing.T) {
 	CheckShortCodeMatch(t, "{{< video 47238zzb >}}", "Playing Video error: index out of range for positional param at position 1", tem)
 }

+// some repro issues for panics in Go Fuzz testing
+func TestShortcodeGoFuzzRepros(t *testing.T) {
+	tt := tpl.New()
+	tt.AddInternalShortcode("inner.html", `Shortcode... {{ with .Get 0 }}{{ . }}{{ end }}-- {{ with .Get 1 }}{{ . }}{{ end }}- {{ with .Inner }}{{ . }}{{ end }}`)
+	// Issue #1337
+	CheckShortCodeMatchAndError(t, "{{%inner\"\"\"\"=\"\"", "", tt, true)
+}
+
 func TestNamedParamSC(t *testing.T) {
 	tem := tpl.New()
 	tem.AddInternalShortcode("img.html", `<img{{ with .Get "src" }} src="{{.}}"{{end}}{{with .Get "class"}} class="{{.}}"{{end}}>`)