Hi!
I checked my project, which has the go-jmespath library in its dependencies, with the SAST tool and found some problems in the go-jmespath code.
On line 389, SAST was triggered by a possible index out of range problem.
func (lexer *Lexer) consumeUnquotedIdentifier() token {
// Consume runes until we reach the end of an unquoted
// identifier.
start := lexer.currentPos - lexer.lastWidth
for {
r := lexer.next()
if r < 0 || r > 128 || identifierTrailingBits[uint64(r)/64]&(1<<(uint64(r)%64)) == 0 {
lexer.back()
break
}
}
value := lexer.expression[start:lexer.currentPos]
return token{
tokenType: tUnquotedIdentifier,
value: value,
position: start,
length: lexer.currentPos - start,
}
}I found that when r = 128 a panic occurs
package main
import "fmt"
func main() {
var identifierTrailingBits = [2]uint64{287948901175001088, 576460745995190270}
var r rune = 128
if r < 0 || r > 128 || identifierTrailingBits[uint64(r)/64]&(1<<(uint64(r)%64)) == 0 {
fmt.Println("yes")
} else {
fmt.Println("no")
}
}result
panic: runtime error: index out of range [2] with length 2
Hi!
I checked my project, which has the go-jmespath library in its dependencies, with the SAST tool and found some problems in the go-jmespath code.
On line 389, SAST was triggered by a possible index out of range problem.
I found that when
r = 128a panic occursresult