From dfa6aff940a5d121f5273019303fc34b98645971 Mon Sep 17 00:00:00 2001
From: Pam Selle <pamela.selle@gmail.com>
Date: Tue, 15 Dec 2020 14:38:30 -0500
Subject: [PATCH] Return an error if a for expression attempts to use a marked
 value as a key

---
 hclsyntax/expression.go      | 13 +++++++++++++
 hclsyntax/expression_test.go | 32 +++++++++++++++++++++++++++++++-
 2 files changed, 44 insertions(+), 1 deletion(-)

diff --git a/hclsyntax/expression.go b/hclsyntax/expression.go
index e995110..df0a49a 100644
--- a/hclsyntax/expression.go
+++ b/hclsyntax/expression.go
@@ -1175,6 +1175,19 @@ func (e *ForExpr) Value(ctx *hcl.EvalContext) (cty.Value, hcl.Diagnostics) {
 				continue
 			}
 
+			if key.IsMarked() {
+				diags = append(diags, &hcl.Diagnostic{
+					Severity:    hcl.DiagError,
+					Summary:     "Invalid object key",
+					Detail:      "Marked values cannot be used as object keys.",
+					Subject:     e.KeyExpr.Range().Ptr(),
+					Context:     &e.SrcRange,
+					Expression:  e.KeyExpr,
+					EvalContext: childCtx,
+				})
+				continue
+			}
+
 			val, valDiags := e.ValExpr.Value(childCtx)
 			diags = append(diags, valDiags...)
 
diff --git a/hclsyntax/expression_test.go b/hclsyntax/expression_test.go
index 1fd4f51..5a43721 100644
--- a/hclsyntax/expression_test.go
+++ b/hclsyntax/expression_test.go
@@ -889,7 +889,37 @@ upper(
 			}).Mark("sensitive"),
 			0,
 		},
-
+		{ // Marked map member carries marks through
+			`{for k, v in things: k => !v}`,
+			&hcl.EvalContext{
+				Variables: map[string]cty.Value{
+					"things": cty.MapVal(map[string]cty.Value{
+						"a": cty.True.Mark("sensitive"),
+						"b": cty.False,
+					}),
+				},
+			},
+			cty.ObjectVal(map[string]cty.Value{
+				"a": cty.False.Mark("sensitive"),
+				"b": cty.True,
+			}),
+			0,
+		},
+		{ // Error when using marked value as object key
+			`{for v in things: v => "${v}-friend"}`,
+			&hcl.EvalContext{
+				Variables: map[string]cty.Value{
+					"things": cty.MapVal(map[string]cty.Value{
+						"a": cty.StringVal("rosie").Mark("sensitive"),
+						"b": cty.StringVal("robin"),
+					}),
+				},
+			},
+			cty.ObjectVal(map[string]cty.Value{
+				"robin": cty.StringVal("robin-friend"),
+			}),
+			1,
+		},
 		{
 			`[{name: "Steve"}, {name: "Ermintrude"}].*.name`,
 			nil,