[FAB-3215] fix panic in policy parser code

ale-linux · ale-linux · commit 11a4d0a789b2 · 2017-06-01T19:21:44.000+02:00
This change set ensures that bad input doesn't cause the policy parser code
to panic. Tests have also been added.

Change-Id: If844c3e5fd5a4945e4d47bc74030ca54d68219b8
Signed-off-by: Alessandro Sorniotti &lt;ale.linux@sopit.net&gt;
diff --git a/common/cauthdsl/policyparser.go b/common/cauthdsl/policyparser.go
@@ -29,6 +29,7 @@ import (
 )
 
 var regex *regexp.Regexp = regexp.MustCompile("^([[:alnum:]]+)([.])(member|admin)$")
+var regexErr *regexp.Regexp = regexp.MustCompile("^No parameter '([^']+)' found[.]$")
 
 func and(args ...interface{}) (interface{}, error) {
 	toret := "outof(" + strconv.Itoa(len(args))
@@ -209,8 +210,16 @@ func FromString(policy string) (*common.SignaturePolicyEnvelope, error) {
 		return nil, err
 	}
 
-	intermediateRes, err := intermediate.Evaluate(nil)
+	intermediateRes, err := intermediate.Evaluate(map[string]interface{}{})
 	if err != nil {
+		// attempt to produce a meaningful error
+		if regexErr.MatchString(err.Error()) {
+			sm := regexErr.FindStringSubmatch(err.Error())
+			if len(sm) == 2 {
+				return nil, fmt.Errorf("unrecognized token '%s' in policy string", sm[1])
+			}
+		}
+
 		return nil, err
 	}
 
@@ -225,8 +234,16 @@ func FromString(policy string) (*common.SignaturePolicyEnvelope, error) {
 		return nil, err
 	}
 
-	res, err := exp.Evaluate(nil)
+	res, err := exp.Evaluate(map[string]interface{}{})
 	if err != nil {
+		// attempt to produce a meaningful error
+		if regexErr.MatchString(err.Error()) {
+			sm := regexErr.FindStringSubmatch(err.Error())
+			if len(sm) == 2 {
+				return nil, fmt.Errorf("unrecognized token '%s' in policy string", sm[1])
+			}
+		}
+
 		return nil, err
 	}
 
@@ -241,6 +258,14 @@ func FromString(policy string) (*common.SignaturePolicyEnvelope, error) {
 
 	res, err = exp.Evaluate(parameters)
 	if err != nil {
+		// attempt to produce a meaningful error
+		if regexErr.MatchString(err.Error()) {
+			sm := regexErr.FindStringSubmatch(err.Error())
+			if len(sm) == 2 {
+				return nil, fmt.Errorf("unrecognized token '%s' in policy string", sm[1])
+			}
+		}
+
 		return nil, err
 	}
 
diff --git a/common/cauthdsl/policyparser_test.go b/common/cauthdsl/policyparser_test.go
@@ -129,3 +129,10 @@ func TestComplex2(t *testing.T) {
 
 	assert.True(t, reflect.DeepEqual(p1, p2))
 }
+
+func TestBadStringsNoPanic(t *testing.T) {
+	_, err := FromString("OR('A.member', 'Bmember')")
+	assert.Error(t, err)
+	_, err = FromString("OR('A.member', Bmember)")
+	assert.Error(t, err)
+}
