From 71217a6e43514c7c1b227128f9650df2c9a8e0fd Mon Sep 17 00:00:00 2001
From: Simon Pasquier <spasquie@redhat.com>
Date: Thu, 19 Jun 2025 15:10:49 +0200
Subject: [PATCH] fix: prevent invalid array access in aggregate expression

This commit fixes the evaluation of invalid expressions like
`sum(rate(`. Before that, it would trigger a panic in the PromQL engine
because it tried to access an index which is out of range.

The bug was probably introduced by 06d0b063ea.

Signed-off-by: Simon Pasquier <spasquie@redhat.com>
---
 promql/parser/parse.go      | 5 +++++
 promql/parser/parse_test.go | 5 +++++
 2 files changed, 10 insertions(+)

diff --git a/promql/parser/parse.go b/promql/parser/parse.go
index 615055d905..e99f5f4570 100644
--- a/promql/parser/parse.go
+++ b/promql/parser/parse.go
@@ -451,6 +451,11 @@ func (p *parser) newAggregateExpr(op Item, modifier, args Node) (ret *AggregateE
 	ret = modifier.(*AggregateExpr)
 	arguments := args.(Expressions)
 
+	if len(p.closingParens) == 0 {
+		// Prevents invalid array accesses.
+		// The error is already captured by the parser.
+		return
+	}
 	ret.PosRange = posrange.PositionRange{
 		Start: op.Pos,
 		End:   p.closingParens[0],
diff --git a/promql/parser/parse_test.go b/promql/parser/parse_test.go
index a1b59af8de..73371306af 100644
--- a/promql/parser/parse_test.go
+++ b/promql/parser/parse_test.go
@@ -4540,6 +4540,11 @@ var testExpr = []struct {
 			PosRange: posrange.PositionRange{Start: 0, End: 20},
 		},
 	},
+	{
+		input:  "sum(rate(",
+		fail:   true,
+		errMsg: "unclosed left parenthesis",
+	},
 }
 
 func makeInt64Pointer(val int64) *int64 {