|
func copyObject(data map[string]interface{}) (map[string]interface{}, error) { |
Bug Description
Invoking NewRegoPolicyInterpreter with an empty map as initial data can panic with assignment to entry in nil map due to how the internal copyObject function handles empty input.
Steps to Reproduce
- Call
NewRegoPolicyInterpreter and pass make(map[string]interface{}) (an empty map) for the data parameter.
- The function panics when attempting
data["metadata"] = ... inside the constructor.
Root Cause
- In
copyObject, unmarshaling JSON into a nil map returns a nil map, not an initialized map.
- Later code assumes the map is always initialized and safe to assign fields to.
Impact
- Triggers a runtime panic with valid (but empty) input.
Recommendation
- Modify
copyObject to add check for nil or empty input:
func copyObject(data map[string]interface{}) (map[string]interface{}, error) {
// Handle nil or empty input
if data == nil {
return make(map[string]interface{}), nil
}
objJSON, err := json.Marshal(data)
if err != nil {
return nil, err
}
objCopy := make(map[string]interface{}) // Initialize before unmarshaling!
err = json.Unmarshal(objJSON, &objCopy)
if err != nil {
return nil, err
}
return objCopy, nil
}Fuzzer Identification
- I discovered this issue while fuzzing the regopolicyinterpreter. Here's the test case:
package regopolicyinterpreter
import (
"testing"
)
func FuzzInterpreterLogic(f *testing.F) {
// Seed with a basic Rego package and a query
f.Add("package test\nallow = true", "data.test.allow")
f.Fuzz(func(t *testing.T, moduleCode string, queryStr string) {
// 1. Initialize the interpreter with fuzzed code
rpi, err := NewRegoPolicyInterpreter(moduleCode, nil)
if err != nil {
t.Skip() // Ignore invalid Rego syntax
}
// 2. Try to add a fuzzed module (AddModule returns nothing)
rpi.AddModule("fuzzed.rego", &RegoModule{
Namespace: "fuzzed",
Code: moduleCode,
})
// 3. Attempt a raw query with an empty input map
// want (string, map[string]interface{})
input := make(map[string]interface{})
_, _ = rpi.RawQuery(queryStr, input)
})
}
- Running with:
go test -fuzz=FuzzInterpreterLogic -fuzztime=15m
hcsshim/internal/regopolicyinterpreter/regopolicyinterpreter.go
Line 85 in 18193a4
Bug Description
Invoking
NewRegoPolicyInterpreterwith an empty map as initial data can panic withassignment to entry in nil mapdue to how the internalcopyObjectfunction handles empty input.Steps to Reproduce
NewRegoPolicyInterpreterand passmake(map[string]interface{})(an empty map) for the data parameter.data["metadata"] = ...inside the constructor.Root Cause
copyObject, unmarshaling JSON into a nil map returns a nil map, not an initialized map.Impact
Recommendation
copyObjectto add check for nil or empty input:Fuzzer Identification
go test -fuzz=FuzzInterpreterLogic -fuzztime=15m