
Commit b7dfd64

authored
fix(misconf): check if metadata is not nil (#8647)
Signed-off-by: nikpivkin <[email protected]>
1 parent 195880b commit b7dfd64


2 files changed

+22
-2
lines changed


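--- a/pkg/iac/rego/load.go
+++ b/pkg/iac/rego/load.go
@@ -197,13 +197,13 @@ func (s *Scanner) findMatchedEmbeddedCheck(badPolicy *ast.Module) *ast.Module {
 }
 
 badPolicyMeta, err := MetadataFromAnnotations(badPolicy)
-if err != nil {
+if err != nil || badPolicyMeta == nil {
 return nil
 }
 
 for _, embeddedCheck := range s.embeddedChecks {
 meta, err := MetadataFromAnnotations(embeddedCheck)
-if err != nil {
+if err != nil || meta == nil {
 continue
 }
 if badPolicyMeta.AVDID != "" && badPolicyMeta.AVDID == meta.AVDID {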
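Review bot: The new `badPolicyMeta == nil` and `meta == nil` guards depend on `MetadataFromAnnotations` returning `(nil, nil)` for a module without annotations, and nothing in the hunk records that contract, so the next reader is likely to see the nil checks as redundant with the error check and drop them. Add a line above the first guard: `// MetadataFromAnnotations returns nil metadata with a nil error for modules that carry no annotations; such a policy has no AVDID and cannot be matched to an embedded check.` Since a `(nil, nil)` result is a nil trap for every other caller of that function too, it is worth considering having it return a non-nil zero-value struct or an explicit error instead, so the same panic is not reintroduced elsewhere. The return-nil path also means a compile-failed policy with no annotations is silently dropped rather than replaced; if that is intended, the comment should say so. findMatchedEmbeddedCheck starts before the hunk and its body continues after it.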

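--- a/pkg/iac/rego/load_test.go
+++ b/pkg/iac/rego/load_test.go
@@ -205,7 +205,11 @@ deny {
 }`),
 }
 
+originalFS := checks.EmbeddedPolicyFileSystem
 checks.EmbeddedPolicyFileSystem = embeddedChecksFS
+t.Cleanup(func() {
+checks.EmbeddedPolicyFileSystem = originalFS
+})
 err := scanner.LoadPolicies(fstest.MapFS(tt.files))
 
 if tt.expectedErr != "" {
@@ -253,3 +257,19 @@ deny {
 err := scanner.LoadPolicies(fsys)
 require.Error(t, err)
 }
+
+func TestFallback_CheckWithoutAnnotation(t *testing.T) {
+fsys := fstest.MapFS{
+"check.rego": &fstest.MapFile{Data: []byte(`package builtin.test
+import data.some_func
+deny := some_func(input)
+`)},
+}
+scanner := rego.NewScanner(
+rego.WithPolicyDirs("."),
+rego.WithEmbeddedLibraries(false),
+rego.WithPolicyFilesystem(fsys),
+)
+err := scanner.LoadPolicies(nil)
+require.NoError(t, err)
+}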
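Review bot: `TestFallback_CheckWithoutAnnotation` does not say what it is guarding against; the only visible assertion is `require.NoError`, and the check body (`import data.some_func` with `WithEmbeddedLibraries(false)`) reads like an arbitrary policy unless the reader already knows the fallback path. Add a doc comment on the function: `// TestFallback_CheckWithoutAnnotation is a regression test: a policy that fails to compile and carries no annotations used to nil-dereference in findMatchedEmbeddedCheck; it must be skipped, not panic.` Presumably the undefined `some_func` is what forces the compile failure — if so, a one-line comment on the `import` line saying that would help. The test also only proves "no error"; if the scanner exposes its loaded policies, asserting that the unannotated policy was dropped would pin the intended outcome rather than just the absence of a panic.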
