author | Bjørn Erik Pedersen <bjorn.erik.pedersen@gmail.com> | 2015-08-07 20:08:23 +0200 |
---|---|---|
committer | Bjørn Erik Pedersen <bjorn.erik.pedersen@gmail.com> | 2015-08-07 20:08:23 +0200 |
commit | 0f1fb8c7d8e404fc8e395fc7e8e751dfa7af8bb6 (patch) | |
tree | 8f568110a38a322e36c74ec5a0b594788d209089 /hugolib | |
parent | 35bb72c83efbdd868af9b32af034993c245b4584 (diff) |
Avoid panic in shortcode param handling
Fixes #1337
Diffstat (limited to 'hugolib')
-rw-r--r-- | hugolib/shortcode.go | 20 | ||||
-rw-r--r-- | hugolib/shortcode_test.go | 18 |
2 files changed, 32 insertions, 6 deletions
diff --git a/hugolib/shortcode.go b/hugolib/shortcode.go index 8b445f0db..3fa136173 100644 --- a/hugolib/shortcode.go +++ b/hugolib/shortcode.go @@ -271,6 +271,8 @@ func extractAndRenderShortcodes(stringToParse string, p *Page, t tpl.Template) ( } +var shortCodeIllegalState = errors.New("Illegal shortcode state") + // pageTokens state: // - before: positioned just before the shortcode start // - after: shortcode(s) consumed (plural when they are nested) @@ -353,8 +355,12 @@ Loop: params[currItem.val] = pt.next().val sc.params = params } else { - params := sc.params.(map[string]string) - params[currItem.val] = pt.next().val + if params, ok := sc.params.(map[string]string); ok { + params[currItem.val] = pt.next().val + } else { + return sc, shortCodeIllegalState + } + } } else { // positional params @@ -363,9 +369,13 @@ Loop: params = append(params, currItem.val) sc.params = params } else { - params := sc.params.([]string) - params = append(params, currItem.val) - sc.params = params + if params, ok := sc.params.([]string); ok { + params = append(params, currItem.val) + sc.params = params + } else { + return sc, shortCodeIllegalState + } + } } diff --git a/hugolib/shortcode_test.go b/hugolib/shortcode_test.go index 43c958aff..ecc77f97d 100644 --- a/hugolib/shortcode_test.go +++ b/hugolib/shortcode_test.go 
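Review bot: In the first hunk of hugolib/shortcode.go, the new package-level error `shortCodeIllegalState` does not follow the usual Go naming for sentinel errors, and its message starts with a capital letter. I would write `var errShortcodeIllegalState = errors.New("illegal shortcode state")`. It also has no comment; judging by the two later hunks it is returned when `sc.params` already holds the other parameter kind, so something like `// errShortcodeIllegalState is returned when a shortcode mixes named and positional params.` would fit. The two `return sc, shortCodeIllegalState` lines in the later hunks would need the same rename.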
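Review bot: The `return sc, shortCodeIllegalState` added in the named-parameter branch (second hunk), and again in the positional branch (third hunk), tells the content author nothing about which parameter was rejected, although `currItem.val` is at hand. This path is reached by malformed page content (the go-fuzz repro for #1337), so a message that names the offending parameter would make the failure diagnosable, e.g. `return sc, fmt.Errorf("shortcode param %q: named and positional params cannot be mixed", currItem.val)`, assuming `fmt` is imported in this file. Each new `else` block also leaves an empty line before the closing brace, which can be dropped. The enclosing loop starts and ends outside these hunks, so I cannot tell whether other unchecked type assertions on `sc.params` remain.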
@@ -18,14 +18,22 @@ func pageFromString(in, filename string) (*Page, error) { } func CheckShortCodeMatch(t *testing.T, input, expected string, template tpl.Template) { + CheckShortCodeMatchAndError(t, input, expected, template, false) +} + +func CheckShortCodeMatchAndError(t *testing.T, input, expected string, template tpl.Template, expectError bool) { p, _ := pageFromString(SIMPLE_PAGE, "simple.md") output, err := HandleShortcodes(input, p, template) - if err != nil { + if err != nil && !expectError { t.Fatalf("Shortcode rendered error %s. Expected: %q, Got: %q", err, expected, output) } + if err == nil && expectError { + t.Fatalf("No error from shortcode") + } + if output != expected { t.Fatalf("Shortcode render didn't match. got %q but exxpected %q", output, expected) } @@ -91,6 +99,14 @@ func TestPositionalParamIndexOutOfBounds(t *testing.T) { CheckShortCodeMatch(t, "{{< video 47238zzb >}}", "Playing Video error: index out of range for positional param at position 1", tem) } +// some repro issues for panics in Go Fuzz testing +func TestShortcodeGoFuzzRepros(t *testing.T) { + tt := tpl.New() + tt.AddInternalShortcode("inner.html", `Shortcode... {{ with .Get 0 }}{{ . }}{{ end }}-- {{ with .Get 1 }}{{ . }}{{ end }}- {{ with .Inner }}{{ . }}{{ end }}`) + // Issue #1337 + CheckShortCodeMatchAndError(t, "{{%inner\"\"\"\"=\"\"", "", tt, true) +} + func TestNamedParamSC(t *testing.T) { tem := tpl.New() tem.AddInternalShortcode("img.html", `<img{{ with .Get "src" }} src="{{.}}"{{end}}{{with .Get "class"}} class="{{.}}"{{end}}>`) |
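Review bot: With `expectError` set, `CheckShortCodeMatchAndError` accepts any non-nil error, so the regression test would still pass if the input failed for an unrelated reason and the guarded type assertion were never reached. I would pin the cause as well, e.g. `if expectError && err != nil && !strings.Contains(err.Error(), "Illegal shortcode state") { t.Fatalf("unexpected error: %s", err) }`, provided `strings` is imported in the test file and HandleShortcodes passes the message through unchanged. The new `t.Fatalf("No error from shortcode")` has no format verbs and can be `t.Fatal`.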
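Review bot: `TestShortcodeGoFuzzRepros` holds a single input, and it probably exercises only one of the two guarded assertions added in shortcode.go; I cannot tell from the page which one. Two cases would cover both `return sc, shortCodeIllegalState` paths: one with a named parameter before a positional one (constructed example: `{{< inner a="b" c >}}`) and one with the reverse order. A one-line comment above each case naming the branch it targets would help, e.g. `// named param after positional: map assertion fails`.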