From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Thu, 27 Mar 2025 15:32:16 +0000 (+0100)
Subject: json: disallow empty concatenation
X-Git-Tag: v1.1.2~22
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ab4ad2e12a059b31c4e65a8900e33bc88f2f5531;p=thirdparty%2Fnftables.git

json: disallow empty concatenation

Disallow empty concatenation in set declaration in json.

 internal:0:0-0: Error: Empty concatenation
 internal:0:0-0: Error: Invalid set type.
 internal:0:0-0: Error: Parsing command array at index 1 failed.

Joint work with Florian Westphal.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---

diff --git a/src/parser_json.c b/src/parser_json.c
index dd085d78..04d76274 100644
--- a/src/parser_json.c
+++ b/src/parser_json.c
@@ -1729,6 +1729,13 @@ static struct expr *json_parse_dtype_expr(struct json_ctx *ctx, json_t *root)
 			}
 			compound_expr_add(expr, i);
 		}
+
+		if (list_empty(&expr->expressions)) {
+			json_error(ctx, "Empty concatenation");
+			expr_free(expr);
+			return NULL;
+		}
+
 		return expr;
 	} else if (json_is_object(root)) {
 		const char *key;
diff --git a/tests/shell/testcases/bogons/nft-j-f/expr_evaluate_concat_empty_concat_key_assert b/tests/shell/testcases/bogons/nft-j-f/expr_evaluate_concat_empty_concat_key_assert
new file mode 100644
index 00000000..956ecdc9
--- /dev/null
+++ b/tests/shell/testcases/bogons/nft-j-f/expr_evaluate_concat_empty_concat_key_assert
@@ -0,0 +1,27 @@
+{
+  "nftables": [
+    {
+      "table": { "family": "ip",
+        "name": "t",
+        "handle": 0
+      }
+    },
+    {
+      "set": {
+        "family": "ip",
+        "name": "s",
+        "table": "t",
+        "type": [
+             ],
+        "elem": [
+          {
+            "concat": [
+              "foo", "bar"
+            ]
+          }
+        ]
+      }
+    }
+  ]
+}
+