Skip to content

jp: bounds-check the index in the at() function#593

Open
arpitjain099 wants to merge 1 commit into
kyverno:mainfrom
arpitjain099:chore/jp-at-bounds-check
Open

jp: bounds-check the index in the at() function#593
arpitjain099 wants to merge 1 commit into
kyverno:mainfrom
arpitjain099:chore/jp-at-bounds-check

Conversation

@arpitjain099

@arpitjain099 arpitjain099 commented Jul 13, 2026

Copy link
Copy Markdown

Explanation

The at jmespath function can panic with an index-out-of-range when an assertion expression requests an index outside the array's bounds (or a negative index). Because the array argument can be derived from the payload being evaluated, a crafted assertion expression can crash the assertion evaluation. This PR is a bug fix that turns that panic into a normal error the engine already handles.

Related issue

n/a (no existing issue; found by code review). Happy to open a tracking issue if you prefer.

Milestone of this PR

n/a

What type of PR is this

/kind bug

Proposed Changes

jpfAt in pkg/jp/functions/at.go guards both of its argument type assertions with comma-ok, but then indexes the slice with slice[int(index)] without a bounds check, so an out-of-range or negative index panics. A crafted assertion expression such as at(@, `999`) (or at(@, `-1`)) evaluated against a shorter array crashes the assertion evaluation, and there is no recover on that path. This returns an error for an out-of-range or negative index, which the engine already surfaces, instead of indexing blindly.

Proof Manifests

This is an internal robustness fix to the JMESPath at function rather than a policy-behavior change, so there are no Kubernetes/Kyverno manifests to attach. The fix is covered by unit tests in pkg/jp/functions/at_test.go that assert an out-of-range index and a negative index each return an error instead of panicking. Before the fix, evaluating at(@, `999`) against a two-element array panics; after, it returns index out of range: 999 (array length 2).

Checklist

  • I have read the contributing guidelines.
  • I have read the PR documentation guide and followed the process including adding proof manifests to this PR. (internal function fix, not a user-facing policy change, so no proof manifests apply; see the note above)
  • This is a bug fix and I have added unit tests that prove my fix is effective.
  • This is a feature and I have added CLI tests that are applicable.
  • My PR needs to be cherry picked to a specific release branch which is .

Further Comments

The sibling functions (concat, wildcard, json_parse) all guard their argument access; only at indexed unchecked, so this brings it in line with them.

jpfAt guards both argument type assertions with comma-ok but then does
slice[int(index)] with no bounds check, so an out-of-range or negative
index panics. The array argument can be payload-derived, so a crafted
assertion expression like at(@, `999`) against a shorter array crashes
the evaluation.

Return an error for an out-of-range or negative index, which the engine
already handles, instead of indexing blindly. Adds tests for the
out-of-range and negative cases.

Signed-off-by: Arpit Jain <arpitjain099@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant