
Security Fix: Prevent ParseTemplateConfig panic on malformed input#2099

Merged
santoshpulluri merged 1 commit into main from santosh/SECVULN-14566
Oct 16, 2025

Conversation

@santoshpulluri (Contributor)

Summary

Fixes a security vulnerability in ParseTemplateConfig where certain malformed inputs could cause a runtime panic due to improper handling of empty regex matches.

Problem

The function ParseTemplateConfig was vulnerable to runtime panics when processing inputs like ":" or ":::". The regular expression configTemplateRe.FindAllString(s, -1) would return an empty slice for such inputs, but the default case in the switch statement assumed parts[0] and parts[1] would always exist, causing an "index out of range" panic.

Solution

  • Added a new case 0: to handle empty parts slices and return ErrTemplateStringEmpty
  • Added comprehensive test cases for edge cases including ":" and ":::"
  • Maintains backward compatibility while eliminating the panic vulnerability

Security Impact

  • Before: Malformed inputs could cause runtime panics, potentially leading to denial of service
  • After: Such inputs now return proper error handling instead of panicking

Changes

  • config/template.go: Added case 0 handling in ParseTemplateConfig switch statement
  • config/template_test.go: Added test cases for "colon_only" and "multiple_colons_only" scenarios

Testing

  • ✅ All existing tests pass
  • ✅ New test cases validate the fix
  • ✅ Manual verification confirms vulnerability is resolved

References

  • Addresses SECVULN-14566
  • Follows security recommendations for input validation
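
The failure mode the description reports (an empty match slice reaching a default branch that indexes parts[0] and parts[1]) and the effect of the added case 0 guard, as an added Go example that is not the project's own code. The regular expression, the TemplateSpec type and the parseUnguarded/parseGuarded/panics names are assumptions modelled on the shape the description gives, not copied from config/template.go.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// ErrTemplateStringEmpty is returned when the template string has no usable parts.
var ErrTemplateStringEmpty = errors.New("template: empty template string")

// templateRe is an ASSUMED stand-in for the project's configTemplateRe:
// it captures colon-separated segments while tolerating a drive-letter prefix.
// For ":" or ":::" every character is a separator, so there are no matches.
var templateRe = regexp.MustCompile(`([a-zA-Z]:)?([^:]+)`)

// TemplateSpec is the parsed form of "source[:destination[:command]]".
type TemplateSpec struct {
	Source, Destination, Command string
}

// splitParts applies the regex; an all-colon input yields an empty slice.
func splitParts(s string) []string {
	return templateRe.FindAllString(s, -1)
}

// parseUnguarded reproduces the pre-fix control flow: the blank check passes
// for ":" (not whitespace), and the default branch then indexes an empty slice.
func parseUnguarded(s string) (*TemplateSpec, error) {
	if len(strings.TrimSpace(s)) == 0 {
		return nil, ErrTemplateStringEmpty
	}
	parts := splitParts(s)
	var t TemplateSpec
	switch len(parts) {
	case 1:
		t.Source = parts[0]
	case 2:
		t.Source, t.Destination = parts[0], parts[1]
	case 3:
		t.Source, t.Destination, t.Command = parts[0], parts[1], parts[2]
	default:
		// len(parts) == 0 lands here too: parts[0] panics with index out of range.
		t.Source, t.Destination = parts[0], parts[1]
		t.Command = strings.Join(parts[2:], ":")
	}
	return &t, nil
}

// parseGuarded adds the case 0 branch, turning the panic into a returned error.
func parseGuarded(s string) (*TemplateSpec, error) {
	if len(strings.TrimSpace(s)) == 0 {
		return nil, ErrTemplateStringEmpty
	}
	parts := splitParts(s)
	var t TemplateSpec
	switch len(parts) {
	case 0:
		return nil, ErrTemplateStringEmpty
	case 1:
		t.Source = parts[0]
	case 2:
		t.Source, t.Destination = parts[0], parts[1]
	case 3:
		t.Source, t.Destination, t.Command = parts[0], parts[1], parts[2]
	default:
		// Four or more segments: the command itself contained colons.
		t.Source, t.Destination = parts[0], parts[1]
		t.Command = strings.Join(parts[2:], ":")
	}
	return &t, nil
}

// panics reports whether fn triggers a runtime panic, without crashing the caller.
func panics(fn func()) (didPanic bool) {
	defer func() {
		if r := recover(); r != nil {
			didPanic = true
		}
	}()
	fn()
	return false
}

func main() {
	// Constructed sample inputs: the two malformed cases plus a well-formed one.
	for _, in := range []string{":", ":::", "in.tpl:out.txt:systemctl reload nginx"} {
		fmt.Printf("%-40q unguarded panics=%v\n", in, panics(func() { parseUnguarded(in) }))
		spec, err := parseGuarded(in)
		fmt.Printf("%-40q guarded spec=%+v err=%v\n", in, spec, err)
	}
}
```

The guard belongs on the length of the match slice, not on the raw string: the existing whitespace check cannot see that ":" produces no segments, because the regex, not the string length, decides how many parts exist.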

@santoshpulluri santoshpulluri requested a review from a team as a code owner October 16, 2025 09:12
@hashicorp-cla-app bot commented Oct 16, 2025

CLA assistant check
All committers have signed the CLA.

@krutibaraiya (Member) left a comment

LGTM

@santoshpulluri santoshpulluri merged commit 265a257 into main Oct 16, 2025
53 of 54 checks passed
@santoshpulluri santoshpulluri deleted the santosh/SECVULN-14566 branch October 16, 2025 10:13
3 participants