Skip to content

Panic: assignment to entry in nil map in NewRegoPolicyInterpreter (copyObject) #2596

New issue
New issue
Open
Open
Panic: assignment to entry in nil map in NewRegoPolicyInterpreter (copyObject)#2596
@ntrappe-cmu

Description

@ntrappe-cmu
ntrappe-cmu
opened on Feb 5, 2026

hcsshim/internal/regopolicyinterpreter/regopolicyinterpreter.go

Line 85 in 18193a4

func copyObject(data map[string]interface{}) (map[string]interface{}, error) {

Bug Description

Invoking NewRegoPolicyInterpreter with an empty map as initial data can panic with assignment to entry in nil map due to how the internal copyObject function handles empty input.

Steps to Reproduce

  • Call NewRegoPolicyInterpreter and pass make(map[string]interface{}) (an empty map) for the data parameter.
  • The function panics when attempting data["metadata"] = ... inside the constructor.

Root Cause

  • In copyObject, unmarshaling JSON into a nil map returns a nil map, not an initialized map.
  • Later code assumes the map is always initialized and safe to assign fields to.

Impact

  • Triggers a runtime panic with valid (but empty) input.

Recommendation

  • Modify copyObject to add check for nil or empty input:
func copyObject(data map[string]interface{}) (map[string]interface{}, error) {
	// Handle nil or empty input
	if data == nil {
		return make(map[string]interface{}), nil
	}
	
	objJSON, err := json.Marshal(data)
	if err != nil {
		return nil, err
	}

	objCopy := make(map[string]interface{})  // Initialize before unmarshaling!
	err = json.Unmarshal(objJSON, &objCopy)
	if err != nil {
		return nil, err
	}

	return objCopy, nil
}

Fuzzer Identification

  • I discovered this issue while fuzzing the regopolicyinterpreter. Here's the test case:
package regopolicyinterpreter

import (
	"testing"
)

func FuzzInterpreterLogic(f *testing.F) {
	// Seed with a basic Rego package and a query
	f.Add("package test\nallow = true", "data.test.allow")

	f.Fuzz(func(t *testing.T, moduleCode string, queryStr string) {
		// 1. Initialize the interpreter with fuzzed code
		rpi, err := NewRegoPolicyInterpreter(moduleCode, nil)
		if err != nil {
			t.Skip() // Ignore invalid Rego syntax
		}

		// 2. Try to add a fuzzed module (AddModule returns nothing)
		rpi.AddModule("fuzzed.rego", &RegoModule{
			Namespace: "fuzzed",
			Code:      moduleCode,
		})

		// 3. Attempt a raw query with an empty input map
		// want (string, map[string]interface{})
		input := make(map[string]interface{})
		_, _ = rpi.RawQuery(queryStr, input)
	})
}
  • Running with: go test -fuzz=FuzzInterpreterLogic -fuzztime=15m

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions