Cutlery/caddy
1
0
Fork 0
mirror of https://github.com/caddyserver/caddy.git synced 2025-11-04 03:27:23 -05:00
Code Issues Actions Packages Projects Releases Wiki Activity

caddyfile: Reject long heredoc markers (#6098)

Browse Source 
Co-authored-by: Mohammed Al Sahaf <msaa1990@gmail.com>
This commit is contained in:
Francis Lavoie 2024-02-11 13:30:14 -05:00 committed by GitHub
parent c78ebb3d6a
commit e7a534d0a3
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 40 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
caddyconfig/caddyfile/formatter.go
View File

@ -16,6 +16,7 @@ package caddyfile
import ( import (
"bytes" "bytes"
"fmt"
"io" "io"
"unicode" "unicode"
@ -118,6 +119,10 @@ func Format(input []byte) []byte {
heredoc = heredocClosed heredoc = heredocClosed
} else { } else {
heredocMarker = append(heredocMarker, ch) heredocMarker = append(heredocMarker, ch)
if len(heredocMarker) > 32 {
errorString := fmt.Sprintf("heredoc marker too long: <<%s", string(heredocMarker))
panic(errorString)
}
write(ch) write(ch)
continue continue
} }

41
caddyconfig/caddyfile/formatter_test.go
View File

@ -15,6 +15,8 @@
package caddyfile package caddyfile
import ( import (
"fmt"
"os"
"strings" "strings"
"testing" "testing"
) )
@ -24,6 +26,7 @@ func TestFormatter(t *testing.T) {
description string description string
input string input string
expect string expect string
panics bool
}{ }{
{ {
description: "very simple", description: "very simple",
@ -434,18 +437,36 @@ block2 {
} }
`, `,
}, },
{
description: "very long heredoc from fuzzer",
input: func() string {
bs, _ := os.ReadFile("testdata/clusterfuzz-testcase-minimized-fuzz-format-5806400649363456")
return string(bs)
}(),
panics: true,
},
} { } {
// the formatter should output a trailing newline, t.Run(fmt.Sprintf("test case %d: %s", i, tc.description), func(t *testing.T) {
// even if the tests aren't written to expect that if tc.panics {
if !strings.HasSuffix(tc.expect, "\n") { defer func() {
tc.expect += "\n" if r := recover(); r == nil {
} t.Errorf("[TEST %d: %s] Expected panic, but got none", i, tc.description)
}
}()
}
actual := Format([]byte(tc.input)) // the formatter should output a trailing newline,
// even if the tests aren't written to expect that
if !strings.HasSuffix(tc.expect, "\n") {
tc.expect += "\n"
}
if string(actual) != tc.expect { actual := Format([]byte(tc.input))
t.Errorf("\n[TEST %d: %s]\n====== EXPECTED ======\n%s\n====== ACTUAL ======\n%s^^^^^^^^^^^^^^^^^^^^^",
i, tc.description, string(tc.expect), string(actual)) if !tc.panics && string(actual) != tc.expect {
} t.Errorf("\n[TEST %d: %s]\n====== EXPECTED ======\n%s\n====== ACTUAL ======\n%s^^^^^^^^^^^^^^^^^^^^^",
i, tc.description, string(tc.expect), string(actual))
}
})
} }
} }

4
caddyconfig/caddyfile/lexer.go
View File

@ -149,6 +149,10 @@ func (l *lexer) next() (bool, error) {
continue continue
} }
if len(val) > 32 {
return false, fmt.Errorf("heredoc marker too long on line #%d: %s", l.line, string(val))
}
// after hitting a newline, we know that the heredoc marker // after hitting a newline, we know that the heredoc marker
// is the characters after the two << and the newline. // is the characters after the two << and the newline.
// we reset the val because the heredoc is syntax we don't // we reset the val because the heredoc is syntax we don't

BIN
caddyconfig/caddyfile/testdata/clusterfuzz-testcase-minimized-fuzz-format-5806400649363456 vendored Normal file
View File

Binary file not shown.