Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Number literals with leading zeros cause issues in JSON marshaling #2947

Closed
XuejiaoZhang opened this issue Nov 25, 2020 · 12 comments · Fixed by #3036
Closed

Number literals with leading zeros cause issues in JSON marshaling #2947

XuejiaoZhang opened this issue Nov 25, 2020 · 12 comments · Fixed by #3036
Labels
bug

Comments

@XuejiaoZhang
Copy link

XuejiaoZhang commented Nov 25, 2020
edited
Loading

Expected Behavior

Run OPA server, specifying the policies

$ opa run -s policies/

Then list all policies

$ curl localhost:8181/v1/policies  -H 'Content-Type: application/json'

Actual Behavior

Steps to Reproduce the Problem

Got the following compliant

$ curl localhost:8181/v1/policies  -H 'Content-Type: application/json'
{
  "code": "internal_error",
  "message": "json: error calling MarshalJSON for type ast.Body: json: error calling MarshalJSON for type *ast.Term: json: error calling MarshalJSON for type ast.Number: json: invalid number literal \"00\""
}

Additional Info

I am wondering whether there are any requirements/dependencies on the policy file or anything else. Thanks.
@XuejiaoZhang XuejiaoZhang changed the title /v/policies API Error /v/policies API Error with policies loaded through files when starting OPA server Nov 25, 2020
@XuejiaoZhang XuejiaoZhang changed the title /v/policies API Error with policies loaded through files when starting OPA server /v/policies API Error if policies loaded through files while starting OPA server Nov 25, 2020
@srenatus srenatus added the bug label Nov 25, 2020
@srenatus
Copy link
Contributor

Thanks for reporting this.

Can you share your policy, or the part of it that's troubling here, in case it's clearly isolated and known?

@XuejiaoZhang
Copy link
Author

XuejiaoZhang commented Nov 25, 2020
edited
Loading

Thanks! @sedooe

I think I found the cause. The policy file was similar to the following.

package example.rule

allow = true {
    a = 0
    a == 00 # bug here, should be a == 0  
} else = false

It was a bug in the policy writing. but it's really hard to debug based on the error message.

Is it possible to have the compliant more readable? Thanks.

@srenatus
Copy link
Contributor

With your example code in foo.rego, I've not been able to replicate this:

If the policy is added with API (put), it could be listed.

opa/issue-2947 % curl localhost:8181/v1/policies/foo
{
  "code": "resource_not_found",
  "message": "storage_not_found_error: policy id \"foo\""
}
opa/issue-2947 % curl localhost:8181/v1/policies/foo  -H 'Content-Type: text/plain' -XPUT --data-binary @foo.rego
{}%                                                                                                                           
opa/issue-2947 % curl localhost:8181/v1/policies/foo
{
  "code": "internal_error",
  "message": "json: error calling MarshalJSON for type ast.Body: json: error calling MarshalJSON for type *ast.Term: json: error calling MarshalJSON for type ast.Number: json: invalid number literal \"00\""
}

That output is the same I'd get when running opa run -s foo.rego and querying for the policy. So at least that seems consistent to me -- or am I missing something?

@XuejiaoZhang
Copy link
Author

XuejiaoZhang commented Nov 25, 2020
edited
Loading

One more thing I forgot to mention is that the error only occurred when there were 2 layers' (may be more than 1 layer) folders, as following policies/abc/

$ ls policies/abc/example.rego 
policies/abc/example.rego
$  opa run -s policies
{"addrs":[":8181"],"diagnostic-addrs":[],"insecure_addr":"","level":"info","msg":"Initializing server.","time":"2020-11-25T21:00:05+08:00"}
{"client_addr":"127.0.0.1:57985","level":"info","msg":"Received request.","req_id":1,"req_method":"GET","req_path":"/v1/policies","time":"2020-11-25T21:00:09+08:00"}
{"client_addr":"127.0.0.1:57985","level":"info","msg":"Sent response.","req_id":1,"req_method":"GET","req_path":"/v1/policies","resp_bytes":239,"resp_duration":0.717608,"resp_status":500,"time":"2020-11-25T21:00:09+08:00"}

@srenatus
Copy link
Contributor

At its core, https://play.golang.org/p/NufrdsAa1lg replicates what we're seeing.

The problem here is that a policy containing 00 is accepted at all (either way, CLI arg or via API call).

@XuejiaoZhang
Copy link
Author

XuejiaoZhang commented Nov 25, 2020
edited
Loading

Do you mean, "is NOT accepted at all", right?
But the behaviors are different for different parent folder layers of rego file, that's strange.
Still, the error message is not that helpful.
Anyway, we could close the ticket.

Thanks @srenatus !

@srenatus
Copy link
Contributor

No I think this is a valid problem. I could not replicate what you saw with PUTing the policy vs. loading it from the command line, but the fact that you can store a policy that cannot be marshalled to JSON is a bug. 🐛

@srenatus
Copy link
Contributor

Underlying this is the fact that we're using math/big's Parse to verify that a number is a number; but that'll accept leading zeros. We store the number as-is in the AST then. On marshaling it to JSON, that fails because json.Number (the string) cannot have leading zeros.

I think this boils down to deciding what we want to support, and fixing the problem accordingly. I'm leaning towards not allowing leading zeros in number literals.

@XuejiaoZhang
Copy link
Author

XuejiaoZhang commented Nov 25, 2020
edited
Loading

@srenatus Hm, so the policy code itself is kinda right, it would do what it suppose to, just the writing 0 is in a strange way 00.

We are in an agreement there is a bug there. Thanks you for digging into it.

@srenatus srenatus changed the title /v/policies API Error if policies loaded through files while starting OPA server Number literals with leading zeros cause issues in JSON marshaling Nov 25, 2020
@srenatus
Copy link
Contributor

I took the liberty of renaming the issue to make it a little more focused, hope you don't mind. Thanks again for bringing this up!

@XuejiaoZhang
Copy link
Author

Sure, thanks @srenatus.

@tsandall
Copy link
Member

This looks like an issue in the scanner. It shouldn't be scanning number literals with leading zeros (that's not valid JSON). We don't support non-decimal numbers so this should be rejected immediately when the policy is tokenized.

@LCartwright LCartwright mentioned this issue Dec 24, 2020
Merged
LCartwright added a commit to LCartwright/opa that referenced this issue Jan 6, 2021
@LCartwright
ast: Additional check for leading 0's in number parser
d31bbc0 
Additional checks for leading 0's are now part of the
*Parser.parseNumber()'s validations, prior to parsing.

Fixes open-policy-agent#2947

Signed-off-by: Laurence Cartwright <me@lcartwright.com>
srenatus pushed a commit that referenced this issue Jan 12, 2021
@LCartwright
ast: Additional check for leading 0's in number parser (#3036)
4406bb6 
Additional checks for leading 0's are now part of the
*Parser.parseNumber()'s validations, prior to parsing.

Fixes #2947

Signed-off-by: Laurence Cartwright <me@lcartwright.com>
@juremedvesek juremedvesek mentioned this issue Nov 2, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
Open Policy Agent
Archived in project
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Additional check for leading 0's in number parser LCartwright/opa
3 participants
@tsandall @srenatus @XuejiaoZhang