From 0f1fb8c7d8e404fc8e395fc7e8e751dfa7af8bb6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B8rn=20Erik=20Pedersen?=
Date: Fri, 7 Aug 2015 20:08:23 +0200
Subject: [PATCH] Avoid panic in shortcode param handling

Fixes #1337
---
 hugolib/shortcode.go | 20 +++++++++++++++-----
 hugolib/shortcode_test.go | 18 +++++++++++++++++-
 2 files changed, 32 insertions(+), 6 deletions(-)

diff --git a/hugolib/shortcode.go b/hugolib/shortcode.go
index 8b445f0db..3fa136173 100644
--- a/hugolib/shortcode.go
+++ b/hugolib/shortcode.go
@@ -271,6 +271,8 @@ func extractAndRenderShortcodes(stringToParse string, p *Page, t tpl.Template) (
 }
+var shortCodeIllegalState = errors.New("Illegal shortcode state")
+
 // pageTokens state:
 // - before: positioned just before the shortcode start
 // - after: shortcode(s) consumed (plural when they are nested)
@@ -353,8 +355,12 @@ Loop:
 params[currItem.val] = pt.next().val
 sc.params = params
 } else {
- params := sc.params.(map[string]string)
- params[currItem.val] = pt.next().val
+ if params, ok := sc.params.(map[string]string); ok {
+ params[currItem.val] = pt.next().val
+ } else {
+ return sc, shortCodeIllegalState
+ }
+
 }
 } else {
 // positional params
@@ -363,9 +369,13 @@ Loop:
 params = append(params, currItem.val)
 sc.params = params
 } else {
- params := sc.params.([]string)
- params = append(params, currItem.val)
- sc.params = params
+ if params, ok := sc.params.([]string); ok {
+ params = append(params, currItem.val)
+ sc.params = params
+ } else {
+ return sc, shortCodeIllegalState
+ }
+
 }
 }
diff --git a/hugolib/shortcode_test.go b/hugolib/shortcode_test.go
index 43c958aff..ecc77f97d 100644
--- a/hugolib/shortcode_test.go
+++ b/hugolib/shortcode_test.go
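Review bot: The package-level sentinel added in the first hunk of hugolib/shortcode.go, `shortCodeIllegalState`, does not follow Go's conventions for error values (an `err` prefix and a lowercase message), and it carries no comment saying when it is returned. I would declare it as `var errShortcodeIllegalState = errors.New("illegal shortcode state")` with a line above it such as `// errShortcodeIllegalState is returned when sc.params already holds the other parameter kind.`; the two `return sc, shortCodeIllegalState` sites in the later hunks would follow the rename. The import of `errors` is not part of this patch, so I assume the file already has it.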
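Review bot: The error returned from the added `else` branch in the second hunk names neither the parameter nor the kind of mismatch, and the positional branch in the third hunk returns the same bare sentinel, so content that reaches either path (the test in this patch does so with malformed fuzz input) reports only "Illegal shortcode state". `currItem.val` is in scope at both sites, so the return could include it, for example `return sc, fmt.Errorf("%v: cannot add parameter %q", shortCodeIllegalState, currItem.val)`, provided `fmt` is imported in this file and no caller compares against the sentinel; neither is visible here. The nested `else { if … }` would also read more simply as `} else if params, ok := sc.params.(map[string]string); ok {`, which removes the blank line left before the closing brace. The enclosing function and the `Loop:` statement begin and end outside these hunks.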
@@ -18,14 +18,22 @@ func pageFromString(in, filename string) (*Page, error) {
 }
 func CheckShortCodeMatch(t *testing.T, input, expected string, template tpl.Template) {
+ CheckShortCodeMatchAndError(t, input, expected, template, false)
+}
+
+func CheckShortCodeMatchAndError(t *testing.T, input, expected string, template tpl.Template, expectError bool) {
 p, _ := pageFromString(SIMPLE_PAGE, "simple.md")
 output, err := HandleShortcodes(input, p, template)
- if err != nil {
+ if err != nil && !expectError {
 t.Fatalf("Shortcode rendered error %s. Expected: %q, Got: %q", err, expected, output)
 }
+ if err == nil && expectError {
+ t.Fatalf("No error from shortcode")
+ }
+
 if output != expected {
 t.Fatalf("Shortcode render didn't match. got %q but exxpected %q", output, expected)
 }
@@ -91,6 +99,14 @@ func TestPositionalParamIndexOutOfBounds(t *testing.T) {
 CheckShortCodeMatch(t, "{{< video 47238zzb >}}", "Playing Video error: index out of range for positional param at position 1", tem)
 }
+// some repro issues for panics in Go Fuzz testing
+func TestShortcodeGoFuzzRepros(t *testing.T) {
+ tt := tpl.New()
+ tt.AddInternalShortcode("inner.html", `Shortcode... {{ with .Get 0 }}{{ . }}{{ end }}-- {{ with .Get 1 }}{{ . }}{{ end }}- {{ with .Inner }}{{ . }}{{ end }}`)
+ // Issue #1337
+ CheckShortCodeMatchAndError(t, "{{%inner\"\"\"\"=\"\"", "", tt, true)
+}
+
 func TestNamedParamSC(t *testing.T) {
 tem := tpl.New()
 tem.AddInternalShortcode("img.html", ``)
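Review bot: With `expectError` set, `CheckShortCodeMatchAndError` accepts any non-nil error, so a repro case keeps passing if the parser starts failing on that input for an unrelated reason. If `HandleShortcodes` returns the sentinel unchanged (not visible in this patch), the helper could take the expected error value instead of a bool and compare against it. The new failure message also omits the input; `t.Fatalf("No error from shortcode for input %q", input)` would identify the failing case once more repros are added. A one-line comment on the helper stating that `expected` is still compared when an error is expected would document the `""` passed by the fuzz test.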
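Review bot: `TestShortcodeGoFuzzRepros` carries a single input, so at most one of the two type-assertion guards added in hugolib/shortcode.go is exercised, and the test does not say which. A comment on the case naming the branch it reaches, plus a second case for the other assertion if the lexer lets such input through, would keep both guards under regression. Since further fuzz findings are likely to land here, a slice of inputs looped over with `CheckShortCodeMatchAndError(t, in, "", tt, true)` would keep each new repro to one line.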