Avoid panic in shortcode param handling

Fixes #1337

diff --git a/hugolib/shortcode.go b/hugolib/shortcode.go
index 8b445f0db2e6acbc4dbfb263b1f1da6819e86852..3fa136173e2649ee92017ffdf848e6c8bec6b944 100644 (file)
--- a/hugolib/shortcode.go
+++ b/hugolib/shortcode.go
@@ -271,6 +271,8 @@ func extractAndRenderShortcodes(stringToParse string, p *Page, t tpl.Template) (
 
 }
 
+var shortCodeIllegalState = errors.New("Illegal shortcode state")
+
 // pageTokens state:
 // - before: positioned just before the shortcode start
 // - after: shortcode(s) consumed (plural when they are nested)
@@ -353,8 +355,12 @@ Loop:
                                        params[currItem.val] = pt.next().val
                                        sc.params = params
                                } else {
-                                       params := sc.params.(map[string]string)
-                                       params[currItem.val] = pt.next().val
+                                       if params, ok := sc.params.(map[string]string); ok {
+                                               params[currItem.val] = pt.next().val
+                                       } else {
+                                               return sc, shortCodeIllegalState
+                                       }
+
                                }
                        } else {
                                // positional params
@@ -363,9 +369,13 @@ Loop:
                                        params = append(params, currItem.val)
                                        sc.params = params
                                } else {
-                                       params := sc.params.([]string)
-                                       params = append(params, currItem.val)
-                                       sc.params = params
+                                       if params, ok := sc.params.([]string); ok {
+                                               params = append(params, currItem.val)
+                                               sc.params = params
+                                       } else {
+                                               return sc, shortCodeIllegalState
+                                       }
+
                                }
                        }
 

diff --git a/hugolib/shortcode_test.go b/hugolib/shortcode_test.go
index 43c958aff6bfbc528558661d8e13a32c7c8e3d3d..ecc77f97dc4ebf4f6594872c09e247a8936116d8 100644 (file)
--- a/hugolib/shortcode_test.go
+++ b/hugolib/shortcode_test.go
@@ -18,14 +18,22 @@ func pageFromString(in, filename string) (*Page, error) {
 }
 
 func CheckShortCodeMatch(t *testing.T, input, expected string, template tpl.Template) {
+       CheckShortCodeMatchAndError(t, input, expected, template, false)
+}
+
+func CheckShortCodeMatchAndError(t *testing.T, input, expected string, template tpl.Template, expectError bool) {
 
        p, _ := pageFromString(SIMPLE_PAGE, "simple.md")
        output, err := HandleShortcodes(input, p, template)
 
-       if err != nil {
+       if err != nil && !expectError {
                t.Fatalf("Shortcode rendered error %s. Expected: %q, Got: %q", err, expected, output)
        }
 
+       if err == nil && expectError {
+               t.Fatalf("No error from shortcode")
+       }
+
        if output != expected {
                t.Fatalf("Shortcode render didn't match. got %q but exxpected %q", output, expected)
        }
@@ -91,6 +99,14 @@ func TestPositionalParamIndexOutOfBounds(t *testing.T) {
        CheckShortCodeMatch(t, "{{< video 47238zzb >}}", "Playing Video error: index out of range for positional param at position 1", tem)
 }
 
+// some repro issues for panics in Go Fuzz testing
+func TestShortcodeGoFuzzRepros(t *testing.T) {
+       tt := tpl.New()
+       tt.AddInternalShortcode("inner.html", `Shortcode... {{ with .Get 0 }}{{ . }}{{ end }}-- {{ with .Get 1 }}{{ . }}{{ end }}- {{ with .Inner }}{{ . }}{{ end }}`)
+       // Issue #1337
+       CheckShortCodeMatchAndError(t, "{{%inner\"\"\"\"=\"\"", "", tt, true)
+}
+
 func TestNamedParamSC(t *testing.T) {
        tem := tpl.New()
        tem.AddInternalShortcode("img.html", `<img{{ with .Get "src" }} src="{{.}}"{{end}}{{with .Get "class"}} class="{{.}}"{{end}}>`)