fix: add nil/len guards for RunCommand

in_toto/runlib.go

@@ -21,6 +21,8 @@ var ErrSymCycle = errors.New("symlink cycle detected")
 // ErrUnsupportedHashAlgorithm signals a missing hash mapping in getHashMapping
 var ErrUnsupportedHashAlgorithm = errors.New("unsupported hash algorithm detected")
 
+var ErrEmptyCommandArgs = errors.New("the command args are empty")
+
 // visitedSymlinks is a hashset that contains all paths that we have visited.
 var visitedSymlinks Set
 
@@ -239,6 +241,9 @@ NOTE: Since stdout and stderr are captured, they cannot be seen during the
 command execution.
 */
 func RunCommand(cmdArgs []string, runDir string) (map[string]interface{}, error) {
+	if cmdArgs == nil || len(cmdArgs) == 0 {
+		return nil, ErrEmptyCommandArgs
+	}
 
 	cmd := exec.Command(cmdArgs[0], cmdArgs[1:]...)
 
@@ -290,9 +295,13 @@ func InTotoRun(name string, runDir string, materialPaths []string, productPaths
 		return linkMb, err
 	}
 
-	byProducts, err := RunCommand(cmdArgs, runDir)
-	if err != nil {
-		return linkMb, err
+	// make sure that we only run RunCommand if cmdArgs is not nil or empty
+	var byProducts map[string]interface{}
+	if cmdArgs != nil && len(cmdArgs) != 0 {
+		byProducts, err = RunCommand(cmdArgs, runDir)
+		if err != nil {
+			return linkMb, err
+		}
 	}
 
 	products, err := RecordArtifacts(productPaths, hashAlgorithms, gitignorePatterns, lStripPaths)

in_toto/runlib_test.go

@@ -360,6 +360,23 @@ func TestRunCommand(t *testing.T) {
 	}
 }
 
+func TestRunCommandErrors(t *testing.T) {
+	tables := []struct {
+		CmdArgs       []string
+		RunDir        string
+		ExpectedError error
+	}{
+		{nil, "", ErrEmptyCommandArgs},
+		{[]string{}, "", ErrEmptyCommandArgs},
+	}
+	for _, table := range tables {
+		_, err := RunCommand(table.CmdArgs, table.RunDir)
+		if !errors.Is(err, ErrEmptyCommandArgs) {
+			t.Errorf("RunCommand did not provoke expected error. Got: %s, want: %s", err, ErrEmptyCommandArgs)
+		}
+	}
+}
+
 func TestInTotoRun(t *testing.T) {
 	// Successfully run InTotoRun
 	linkName := "Name"