fix(misconf): unmark cty values before access (#9495)

nikpivkin · web-flow · commit 8e40d27a43ec · 2025-09-24T20:21:07.000Z
Signed-off-by: nikpivkin &lt;nikita.pivkin@smartforce.io&gt;
diff --git a/pkg/iac/scanners/terraform/parser/parser_test.go b/pkg/iac/scanners/terraform/parser/parser_test.go
@@ -2877,3 +2877,39 @@ module "test" {
 
 	require.Len(t, modules, 1)
 }
+
+func Test_MarkedValues(t *testing.T) {
+
+	tests := []struct {
+		name string
+		src  string
+	}{
+		{
+			name: "marked object",
+			src: `resource "foo" "bar" {
+  test = sensitive({})
+}`,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			files := map[string]string{
+				`main.tf`: tt.src,
+			}
+
+			fsys := testutil.CreateFS(t, files)
+			parser := New(fsys, "",
+				OptionWithSkipCachedModules(true),
+				OptionStopOnHCLError(true),
+			)
+			err := parser.ParseFS(t.Context(), ".")
+			require.NoError(t, err)
+
+			modules, err := parser.EvaluateAll(t.Context())
+			require.NoError(t, err)
+
+			require.Len(t, modules, 1)
+		})
+	}
+}
diff --git a/pkg/iac/terraform/attribute.go b/pkg/iac/terraform/attribute.go
@@ -391,12 +391,10 @@ func (a *Attribute) valueToStrings(value cty.Value) (results []iacTypes.StringVa
 			results = []iacTypes.StringValue{iacTypes.StringUnresolvable(a.metadata)}
 		}
 	}()
-	if value.IsNull() {
-		return []iacTypes.StringValue{iacTypes.StringUnresolvable(a.metadata)}
-	}
-	if !value.IsKnown() {
+	if value.IsNull() || !value.IsKnown() {
 		return []iacTypes.StringValue{iacTypes.StringUnresolvable(a.metadata)}
 	}
+
 	if value.Type().IsListType() || value.Type().IsTupleType() || value.Type().IsSetType() {
 		for _, val := range value.AsValueSlice() {
 			results = append(results, a.valueToString(val))
@@ -828,7 +826,9 @@ func safeOp[T any](a *Attribute, fn func(cty.Value) T) T {
 		return res
 	}
 
-	return fn(val)
+	unmarked, _ := val.UnmarkDeep()
+
+	return fn(unmarked)
 }
 
 // RewriteExpr applies the given function `transform` to the expression of the attribute,
diff --git a/pkg/iac/terraform/context/context.go b/pkg/iac/terraform/context/context.go
@@ -142,5 +142,10 @@ func mergeObjects(a, b cty.Value) cty.Value {
 }
 
 func isNotEmptyObject(val cty.Value) bool {
-	return !val.IsNull() && val.IsKnown() && val.Type().IsObjectType() && val.LengthInt() > 0
+	if val.IsNull() || !val.IsKnown() || !val.Type().IsObjectType() {
+		return false
+	}
+
+	unmarked, _ := val.Unmark()
+	return unmarked.LengthInt() > 0
 }

Original file line number	Diff line number	Diff line change
`@@ -391,12 +391,10 @@ func (a *Attribute) valueToStrings(value cty.Value) (results []iacTypes.StringVa`
`391`	`391`	`results = []iacTypes.StringValue{iacTypes.StringUnresolvable(a.metadata)}`
`392`	`392`	`}`
`393`	`393`	`}()`
`394`		`- if value.IsNull() {`
`395`		`- return []iacTypes.StringValue{iacTypes.StringUnresolvable(a.metadata)}`
`396`		`- }`
`397`		`- if !value.IsKnown() {`
	`394`	`+ if value.IsNull() \|\| !value.IsKnown() {`
`398`	`395`	`return []iacTypes.StringValue{iacTypes.StringUnresolvable(a.metadata)}`
`399`	`396`	`}`
	`397`	`+`
`400`	`398`	`if value.Type().IsListType() \|\| value.Type().IsTupleType() \|\| value.Type().IsSetType() {`
`401`	`399`	`for _, val := range value.AsValueSlice() {`
`402`	`400`	`results = append(results, a.valueToString(val))`
`@@ -828,7 +826,9 @@ func safeOp[T any](a *Attribute, fn func(cty.Value) T) T {`
`828`	`826`	`return res`
`829`	`827`	`}`
`830`	`828`
`831`		`- return fn(val)`
	`829`	`+ unmarked, _ := val.UnmarkDeep()`
	`830`	`+`
	`831`	`+ return fn(unmarked)`
`832`	`832`	`}`
`833`	`833`
`834`	`834`	// RewriteExpr applies the given function `transform` to the expression of the attribute,
Original file line number	Diff line number	Diff line change
`@@ -142,5 +142,10 @@ func mergeObjects(a, b cty.Value) cty.Value {`
`142`	`142`	`}`
`143`	`143`
`144`	`144`	`func isNotEmptyObject(val cty.Value) bool {`
`145`		`- return !val.IsNull() && val.IsKnown() && val.Type().IsObjectType() && val.LengthInt() > 0`
	`145`	`+ if val.IsNull() \|\| !val.IsKnown() \|\| !val.Type().IsObjectType() {`
	`146`	`+ return false`
	`147`	`+ }`
	`148`	`+`
	`149`	`+ unmarked, _ := val.Unmark()`
	`150`	`+ return unmarked.LengthInt() > 0`
`146`	`151`	`}`