From 1479f353c0fa5274863a92b3c0fa672babb13b8c Mon Sep 17 00:00:00 2001
From: Mahmood Ali <mahmood@hashicorp.com>
Date: Mon, 24 Aug 2020 20:35:58 -0400
Subject: [PATCH] handle when hcl parser panics

Apparently `\` followed by a digit number can cause hcl parser to panic!
Will fix in hcl library, but using a hammer to squash any similar issue
here.
---
 acl/policy.go      | 14 +++++++++++++-
 acl/policy_test.go | 13 +++++++++++++
 2 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/acl/policy.go b/acl/policy.go
index 9ff322536..1bf9e3743 100644
--- a/acl/policy.go
+++ b/acl/policy.go
@@ -238,7 +238,7 @@ func Parse(rules string) (*Policy, error) {
 	}
 
 	// Attempt to parse
-	if err := hcl.Decode(p, rules); err != nil {
+	if err := hclDecode(p, rules); err != nil {
 		return nil, fmt.Errorf("Failed to parse ACL Policy: %v", err)
 	}
 
@@ -312,3 +312,15 @@ func Parse(rules string) (*Policy, error) {
 	}
 	return p, nil
 }
+
+// hclDecode wraps hcl.Decode function but handles any unexpected panics
+func hclDecode(p *Policy, rules string) (err error) {
+	defer func() {
+		if rerr := recover(); rerr != nil {
+			err = fmt.Errorf("invalid acl policy: %v", rerr)
+		}
+	}()
+
+	err = hcl.Decode(p, rules)
+	return err
+}
diff --git a/acl/policy_test.go b/acl/policy_test.go
index 59ae88922..ffb816b1f 100644
--- a/acl/policy_test.go
+++ b/acl/policy_test.go
@@ -327,3 +327,16 @@ func TestParse(t *testing.T) {
 		})
 	}
 }
+
+func TestParse_BadInput(t *testing.T) {
+	inputs := []string{
+		`namespace "\500" {}`,
+	}
+
+	for i, c := range inputs {
+		t.Run(fmt.Sprintf("%d: %v", i, c), func(t *testing.T) {
+			_, err := Parse(c)
+			assert.Error(t, err)
+		})
+	}
+}