Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

text/template: slice bounds out of range in Parse #52527

Closed
catenacyber opened this issue Apr 24, 2022 · 10 comments
Closed

text/template: slice bounds out of range in Parse #52527

catenacyber opened this issue Apr 24, 2022 · 10 comments
Labels
FrozenDueToAge NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Milestone
Backlog

Comments

@catenacyber
Copy link
Contributor

What version of Go are you using (go version)?

$ go version
go version go1.17.6 darwin/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/catena/Library/Caches/go-build"
GOENV="/Users/catena/Library/Application Support/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOINSECURE=""
GOMODCACHE="/Users/catena/go/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="darwin"
GOPATH="/Users/catena/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/darwin_amd64"
GOVCS=""
GOVERSION="go1.17.6"
GCCGO="gccgo"
AR="ar"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD="/Users/catena/go/src/github.com/catenacyber/go/src/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -arch x86_64 -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/pp/dc1dtf9x2js3v0jx_m010nqr0000gn/T/go-build4237848497=/tmp/go-build -gno-record-gcc-switches -fno-common"
GOROOT/bin/go version: go version go1.17.6 darwin/amd64
GOROOT/bin/go tool compile -V: compile version go1.17.6
uname -v: Darwin Kernel Version 21.3.0: Wed Jan  5 21:37:58 PST 2022; root:xnu-8019.80.24~20/RELEASE_X86_64
ProductName:	macOS
ProductVersion:	12.2.1
BuildVersion:	21D62
lldb --version: lldb-1316.0.9.41
Apple Swift version 5.6 (swiftlang-5.6.0.323.62 clang-1316.0.20.8)
gdb --version: GNU gdb (GDB) 9.1

What did you do?

Run https://go.dev/play/p/59OUlem1oNe?v=gotip

What did you expect to see?

The program finishing and printing somme dummy data

What did you see instead?

panic: runtime error: slice bounds out of range [:5] with length 3

goroutine 6 [running]:
text/template/parse.(*lexer).emit(...)
	/usr/local/go-faketime/src/text/template/parse/lex.go:163
text/template/parse.lexRightDelim(0xc000104000)
	/usr/local/go-faketime/src/text/template/parse/lex.go:354 +0x29a
text/template/parse.(*lexer).run(0xc000104000)
	/usr/local/go-faketime/src/text/template/parse/lex.go:236 +0x2a
created by text/template/parse.lex
	/usr/local/go-faketime/src/text/template/parse/lex.go:229 +0x1ca

Program exited.

Found by https://github.com/catenacyber/ngolo-fuzzing on oss-fuzz
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46746
@cagedmantis cagedmantis added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Apr 27, 2022
@cagedmantis cagedmantis added this to the Backlog milestone Apr 27, 2022
@cagedmantis
Copy link
Contributor

/cc @robpike @mvdan

@robpike
Copy link
Contributor

robpike commented Apr 27, 2022

See also #52191. The lexer is due for a rewrite.

@seankhliao seankhliao mentioned this issue Jun 5, 2022
Closed
@ianlancetaylor
Copy link
Contributor

Don't use whitespace in delimiters.

I guess we could add a check for that, but it's hard to see why anybody would write it. I assume this was found by a fuzzer.

@catenacyber
Copy link
Contributor Author

I guess we could add a check for that, but it's hard to see why anybody would write it. I assume this was found by a fuzzer.

This was indeed found by ngolo-fuzzing.
So, should a check be added for this whitespace ?

@ianlancetaylor
Copy link
Contributor

I'm inclined to think that it's not worth adding a check to the text/template package, but I don't feel strongly about it. I think it's extremely unlikely that anybody would write code that permits the user to specify the delimiters for a text/template. If that is true, then this crash can only occur for code that deliberately itself sets the delimiters to include whitespace, and for that odd behavior I think the current panic is fine. Happy to hear other opinions.

@mvdan
Copy link
Member

mvdan commented Jun 7, 2022

I'm inclined to think that we should add a check - causing a panic given some inputs which aren't documented as invalid feels like something to avoid, and the fuzzer is probably right to complain about it. But Ian is probably right that this feels like a rare possibility in practice, so I don't think we need to rush out a fix.

@robpike
Copy link
Contributor

robpike commented Jun 8, 2022

I propose to deal with this while addressing #53261

@catenacyber
Copy link
Contributor Author

My 2 cents : the fuzzer does not alert on a panic with a string.

This way, developers can explicitly mention an unexpected behavior, and users can get a better error message ("do not use white space" looks more explicit to me than "slice bounds out of range")

And no need to rush

@catenacyber
Copy link
Contributor Author

Fixed through #53261

@seankhliao seankhliao mentioned this issue Sep 22, 2022
Closed
@gopherbot
Copy link

Change https://go.dev/cl/433036 mentions this issue: text/template/parse: fix confusion about markers near right delims

gopherbot pushed a commit that referenced this issue Sep 23, 2022
@rsc @gopherbot
text/template/parse: fix confusion about markers near right delims
65deb9c 
Fixes #52527.
Fixes #55336.

Change-Id: I8f5c521c693e74451a558788909e7e4ad1cc797a
Reviewed-on: https://go-review.googlesource.com/c/go/+/433036
Run-TryBot: Russ Cox <rsc@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Rob Pike <r@golang.org>
Auto-Submit: Russ Cox <rsc@golang.org>
Reviewed-by: Cherry Mui <cherryyz@google.com>
@golang golang locked and limited conversation to collaborators Sep 23, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Projects
None yet
Milestone
Backlog
Development

No branches or pull requests
6 participants
@cagedmantis @ianlancetaylor @mvdan @robpike @gopherbot @catenacyber