Merge pull request #81 from cedar-policy/apg/rfcs-94-prevent-time-wrapping

Andrew Gwozdziewycz · web-flow · commit 56ed3ee7e579 · 2025-03-11T14:23:25.000-07:00
Addresses cedar-policy/rfcs#94 concerns about time wrapping
diff --git a/types/datetime.go b/types/datetime.go
@@ -77,6 +77,9 @@ func ParseDatetime(s string) (Datetime, error) {
 		return Datetime{}, fmt.Errorf("%w: invalid month", errDatetime)
 	}
 	month = 10*int(rune(s[5])-'0') + int(rune(s[6])-'0')
+	if month > 12 {
+		return Datetime{}, fmt.Errorf("%w: month is out of range", errDatetime)
+	}
 
 	if s[7] != '-' {
 		return Datetime{}, fmt.Errorf("%w: unexpected character %s", errDatetime, strconv.QuoteRune(rune(s[7])))
@@ -88,6 +91,9 @@ func ParseDatetime(s string) (Datetime, error) {
 		return Datetime{}, fmt.Errorf("%w: invalid day", errDatetime)
 	}
 	day = 10*int(rune(s[8])-'0') + int(rune(s[9])-'0')
+	if day > 31 {
+		return Datetime{}, fmt.Errorf("%w: day is out of range", errDatetime)
+	}
 
 	// If the length is 10, we only have a date and we're done.
 	if length == 10 {
@@ -117,6 +123,9 @@ func ParseDatetime(s string) (Datetime, error) {
 		return Datetime{}, fmt.Errorf("%w: invalid hour", errDatetime)
 	}
 	hour = 10*int(rune(s[11])-'0') + int(rune(s[12])-'0')
+	if hour > 23 {
+		return Datetime{}, fmt.Errorf("%w: hour is out of range", errDatetime)
+	}
 
 	if s[13] != ':' {
 		return Datetime{}, fmt.Errorf("%w: unexpected character %s", errDatetime, strconv.QuoteRune(rune(s[13])))
@@ -127,6 +136,9 @@ func ParseDatetime(s string) (Datetime, error) {
 		return Datetime{}, fmt.Errorf("%w: invalid minute", errDatetime)
 	}
 	minute = 10*int(rune(s[14])-'0') + int(rune(s[15])-'0')
+	if minute > 59 {
+		return Datetime{}, fmt.Errorf("%w: minute is out of range", errDatetime)
+	}
 
 	if s[16] != ':' {
 		return Datetime{}, fmt.Errorf("%w: unexpected character %s", errDatetime, strconv.QuoteRune(rune(s[16])))
@@ -137,6 +149,9 @@ func ParseDatetime(s string) (Datetime, error) {
 		return Datetime{}, fmt.Errorf("%w: invalid second", errDatetime)
 	}
 	second = 10*int(rune(s[17])-'0') + int(rune(s[18])-'0')
+	if second > 59 {
+		return Datetime{}, fmt.Errorf("%w: second is out of range", errDatetime)
+	}
 
 	// At this point, things are variable.
 	// 19 can be ., in which case we have milliseconds. (SSS)
@@ -189,9 +204,17 @@ func ParseDatetime(s string) (Datetime, error) {
 			return Datetime{}, fmt.Errorf("%w: invalid time zone offset", errDatetime)
 		}
 
-		hh := time.Duration(10*int64(rune(s[trailerOffset+1])-'0')+int64(rune(s[trailerOffset+2])-'0')) * time.Hour
-		mm := time.Duration(10*int64(rune(s[trailerOffset+3])-'0')+int64(rune(s[trailerOffset+4])-'0')) * time.Minute
-		offset = time.Duration(sign) * (hh + mm)
+		hh := time.Duration(10*int64(rune(s[trailerOffset+1])-'0') + int64(rune(s[trailerOffset+2])-'0'))
+		mm := time.Duration(10*int64(rune(s[trailerOffset+3])-'0') + int64(rune(s[trailerOffset+4])-'0'))
+
+		if hh > 23 {
+			return Datetime{}, fmt.Errorf("%w: time zone offset hours are out of range", errDatetime)
+		}
+		if mm > 59 {
+			return Datetime{}, fmt.Errorf("%w: time zone offset minutes are out of range", errDatetime)
+		}
+
+		offset = time.Duration(sign) * ((hh * time.Hour) + (mm * time.Minute))
 
 	default:
 		return Datetime{}, fmt.Errorf("%w: invalid time zone designator", errDatetime)
@@ -200,6 +223,14 @@ func ParseDatetime(s string) (Datetime, error) {
 	t := time.Date(year, time.Month(month), day,
 		hour, minute, second,
 		int(time.Duration(milli)*time.Millisecond), time.UTC)
+
+	// Don't allow wrapping: https://github.com/cedar-policy/rfcs/pull/94, which can occur
+	// because not all months have 31 days, which is our validation range
+	_, tmonth, tday := t.Date()
+	if time.Month(month) != tmonth || day != tday {
+		return Datetime{}, fmt.Errorf("%w: invalid date", errDatetime)
+	}
+
 	t = t.Add(offset)
 	return Datetime{value: t.UnixMilli()}, nil
 }
diff --git a/types/datetime_test.go b/types/datetime_test.go
@@ -42,6 +42,8 @@ func TestDatetime(t *testing.T) {
 			{"1970-01-01T00:10:00-0010", "1970-01-01T00:00:00.000Z"},
 			{"1970-01-01T01:00:00-0100", "1970-01-01T00:00:00.000Z"},
 			{"1970-01-01T10:00:00-1000", "1970-01-01T00:00:00.000Z"},
+
+			{"1972-02-29T10:00:00-1000", "1972-02-29T00:00:00.000Z"},
 		}
 		for ti, tt := range tests {
 			tt := tt
@@ -100,6 +102,22 @@ func TestDatetime(t *testing.T) {
 			{"1995-01-01T00:00:00.000-0aaa", "error parsing datetime value: invalid time zone offset"},
 			{"1995-01-01T00:00:00.000-aaaa", "error parsing datetime value: invalid time zone offset"},
 			{"1995-01-01T00:00:00.000-aaaa0", "error parsing datetime value: unexpected trailer after time zone designator"},
+
+			{"1995-04-31T00:00:00Z", "error parsing datetime value: invalid date"},
+
+			// Prevent Wrapping invalid dates to real dates: See: cedar-policy/rfcs#94
+			{"2024-02-30T00:00:00Z", "error parsing datetime value: invalid date"},
+			{"2024-02-29T23:59:60Z", "error parsing datetime value: second is out of range"},
+			{"2023-02-28T23:59:60Z", "error parsing datetime value: second is out of range"},
+			{"2023-02-28T23:60:59Z", "error parsing datetime value: minute is out of range"},
+			{"1970-01-01T25:00:00Z", "error parsing datetime value: hour is out of range"},
+			{"1970-12-32T:00:00Z", "error parsing datetime value: day is out of range"},
+			{"1970-13-01T00:00:00Z", "error parsing datetime value: month is out of range"},
+
+			{"1970-01-01T00:00:00+2400", "error parsing datetime value: time zone offset hours are out of range"},
+			{"1970-01-01T00:00:00-2400", "error parsing datetime value: time zone offset hours are out of range"},
+			{"1970-01-01T00:00:00+2360", "error parsing datetime value: time zone offset minutes are out of range"},
+			{"1970-01-01T00:00:00-2360", "error parsing datetime value: time zone offset minutes are out of range"},
 		}
 		for ti, tt := range tests {
 			tt := tt
