Zxc200611/pocketpy
1
0
Fork 0
mirror of https://github.com/pocketpy/pocketpy synced 2025-10-20 11:30:18 +00:00
Code Issues Packages Projects Releases Wiki Activity

Perform boundary checks before searching to prevent security vulnerabilities (#237)

Browse Source 
* perform boundary check before searching to prevent security vulnerabilities

* when a negative start index is passed to str.find, 0 is used instead

* a ValueError is raised when argument 'start' is a negative integer
This commit is contained in:
albertexye 2024-04-02 01:38:45 -04:00 committed by GitHub
parent b1115a4c8f
commit 936870c1f0
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 13 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/pocketpy.cpp
View File

@ -627,6 +627,7 @@ void init_builtins(VM* _vm) {
const Str& self = _CAST(Str&, args[0]);
const Str& value = CAST(Str&, args[1]);
int start = CAST(int, args[2]);
if (start < 0) vm->ValueError("argument 'start' can't be negative");
int index = self.index(value, start);
if(index < 0) vm->ValueError("substring not found");
return VAR(index);
@ -636,6 +637,7 @@ void init_builtins(VM* _vm) {
const Str& self = _CAST(Str&, args[0]);
const Str& value = CAST(Str&, args[1]);
int start = CAST(int, args[2]);
if (start < 0) vm->ValueError("argument 'start' can't be negative");
return VAR(self.index(value, start));
});

11
tests/04_str.py
View File

@ -250,6 +250,17 @@ try:
except ValueError:
pass
try:
a.index('1', -1)
exit(1)
except ValueError:
pass
assert a.find('1') == 0
assert a.find('1', 1) == -1
try:
a.find('1', -1)
exit(1)
except ValueError:
pass