From d02cd46b724c5d2be312d1c5aa9e45af120d1c6c Mon Sep 17 00:00:00 2001
From: Mitchell Hashimoto <mitchell.hashimoto@gmail.com>
Date: Mon, 21 Nov 2016 18:08:30 -0800
Subject: [PATCH] hcl: error if we scan a null char before end of input text

This was allowing very strange input to be allowed through to Terraform
since some encryped output will contain null characters (such as from
git crypt).
---
 decoder_test.go                        |   6 ++++++
 hcl/parser/parser_test.go              |   4 ++++
 hcl/parser/test-fixtures/git_crypt.hcl | Bin 0 -> 10 bytes
 hcl/scanner/scanner.go                 |   6 ++++++
 test-fixtures/git_crypt.hcl            | Bin 0 -> 10 bytes
 5 files changed, 16 insertions(+)
 create mode 100644 hcl/parser/test-fixtures/git_crypt.hcl
 create mode 100644 test-fixtures/git_crypt.hcl

diff --git a/decoder_test.go b/decoder_test.go
index 50f52f7..b3428bb 100644
--- a/decoder_test.go
+++ b/decoder_test.go
@@ -379,6 +379,12 @@ func TestDecode_interface(t *testing.T) {
 				},
 			},
 		},
+
+		{
+			"git_crypt.hcl",
+			true,
+			nil,
+		},
 	}
 
 	for _, tc := range cases {
diff --git a/hcl/parser/parser_test.go b/hcl/parser/parser_test.go
index 96b25b2..ea0d78f 100644
--- a/hcl/parser/parser_test.go
+++ b/hcl/parser/parser_test.go
@@ -504,6 +504,10 @@ func TestParse(t *testing.T) {
 			"object_key_assign_without_value3.hcl",
 			true,
 		},
+		{
+			"git_crypt.hcl",
+			true,
+		},
 	}
 
 	const fixtureDir = "./test-fixtures"
diff --git a/hcl/parser/test-fixtures/git_crypt.hcl b/hcl/parser/test-fixtures/git_crypt.hcl
new file mode 100644
index 0000000000000000000000000000000000000000..f691948e1b4238d680e670973bbae039c809e5ca
GIT binary patch
literal 10
RcmZQ@_Y83kiVO(h0ssw90)YSk

literal 0
HcmV?d00001

diff --git a/hcl/scanner/scanner.go b/hcl/scanner/scanner.go
index 0735d95..d387794 100644
--- a/hcl/scanner/scanner.go
+++ b/hcl/scanner/scanner.go
@@ -95,6 +95,12 @@ func (s *Scanner) next() rune {
 		s.srcPos.Column = 0
 	}
 
+	// If we see a null character with data left, then that is an error
+	if ch == '\x00' && s.buf.Len() > 0 {
+		s.err("unexpected null character (0x00)")
+		return eof
+	}
+
 	// debug
 	// fmt.Printf("ch: %q, offset:column: %d:%d\n", ch, s.srcPos.Offset, s.srcPos.Column)
 	return ch
diff --git a/test-fixtures/git_crypt.hcl b/test-fixtures/git_crypt.hcl
new file mode 100644
index 0000000000000000000000000000000000000000..f691948e1b4238d680e670973bbae039c809e5ca
GIT binary patch
literal 10
RcmZQ@_Y83kiVO(h0ssw90)YSk

literal 0
HcmV?d00001