fix(query-grammar): handle set_field(None) on Exists without panic#2921
Open
masumi-ryugo wants to merge 1 commit into
Open
fix(query-grammar): handle set_field(None) on Exists without panic#2921masumi-ryugo wants to merge 1 commit into
masumi-ryugo wants to merge 1 commit into
Conversation
`UserInputLeaf::set_field` panicked with
"Exist query without a field isn't allowed" when called with `None`
on a `UserInputLeaf::Exists`. This was reachable straight from the
strict `parse_query(&str)` API, which builds an `Exists` leaf via
`alt((range, set, exists, regex, term_or_phrase))` even when no
leading `field:` prefix was parsed (`opt(field_name)`), then routes
through `leaf.set_field(field_name)` with `field_name == None`.
A 4-byte cargo-fuzz repro (`(*'\n`) drove this in single-digit
minutes from an empty corpus on `tantivy-query-grammar/main`:
thread '<unnamed>' panicked at query-grammar/src/user_input_ast.rs:51:30:
Exist query without a field isn't allowed
…
7: query_grammar::literal at query-grammar/src/query_grammar.rs:374
Switch the call to preserve the existing field when `None` is passed,
matching the no-op intent in `set_default_field` for the same leaf
shape. The strict parser still produces the same AST it would have
produced with a non-`None` field; the only behavior change is that
malformed user-supplied query strings no longer crash the process.
Two regression tests in `tests`:
- `test_set_field_none_on_exists_does_not_panic` — direct
`set_field(None)` call on an `Exists` leaf.
- `test_parse_query_fuzz_repro_does_not_panic` — end-to-end via
`parse_query("(*'\\n")` on the fuzz repro byte string.
The lenient `parse_query_lenient` path was unaffected because it
goes through a different conversion that already tolerates the
missing field.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
UserInputLeaf::set_fieldpanicked with "Exist query without a field isn't allowed" when called withNoneon aUserInputLeaf::Exists. This was reachable straight from the strictparse_query(&str)API:query_grammar::literalbuilds anExistsleaf viaalt((range, set, exists, regex, term_or_phrase))even when no leadingfield:prefix was parsed (opt(field_name)), and then routes throughleaf.set_field(field_name)withfield_name == None.Repro
A 4-byte cargo-fuzz repro (
(*'\n) drove this in single-digit minutes from an empty corpus ontantivy-query-grammar/main:Reachable from
tantivy_query_grammar::parse_query(&str), which is the public API tantivy's higher-levelQueryParser::parse_queryis built on. Any tantivy user feeding attacker-controlled query strings (search box input from end users, log query DSL, etc.) crashes the process on this.Fix
Switch the call to preserve the existing field when
Noneis passed, matching the no-op intent inset_default_fieldfor the same leaf shape:The strict parser still produces the same AST it would have produced with a non-
Nonefield; the only behavior change is that malformed user-supplied query strings no longer crash the process. The lenientparse_query_lenientpath was unaffected because it routes through a different conversion that already tolerated the missing field.Tests
Two regression tests in
user_input_ast::tests:test_set_field_none_on_exists_does_not_panic— directset_field(None)call on anExistsleaf, asserting the existing field is preserved.test_parse_query_fuzz_repro_does_not_panic— end-to-end viaparse_query("(*'\\n")on the fuzz repro byte string.The existing 54 tests in
query-grammarcontinue to pass.Source of the repro
The repro is from a cargo-fuzz harness I'm prototyping for
tantivy-query-grammar'sparse_queryandparse_query_leniententry points. The harness lives on a separate branch on my fork (fuzz/initial-harnesses) — I'm holding off on proposing it as a standalone tracking issue until I see whether a similar finding cadence in this crate justifies the integration cost. Happy to send that as its own follow-up if the maintainers find this kind of fuzz-found bug worth keeping rolling.