Skip to content

terraform: _find_block() corrupted by unbalanced braces in string literals #7

Description

@scheidydude

_find_block() in terraform_analyzer.py counts { and } characters to locate block boundaries but does not skip characters inside HCL string literals or comments. Balanced {...} pairs in strings (e.g. "my-{env}-vpc") cancel out and are harmless, but a string containing an unbalanced brace (e.g. default = "prefix-{") would corrupt the depth counter, causing the extracted block body to be truncated or over-extended.

File: codeindex/analyzers/terraform_analyzer.py:85

def _find_block(source: str, start: int) -> str:
    i = source.find('{', start)
    depth = 1
    j = i + 1
    while j < len(source) and depth > 0:
        c = source[j]
        if c == '{': depth += 1   # ← fires inside string literals
        elif c == '}': depth -= 1
        j += 1
    return source[i + 1 : j - 1]

Trigger: Any .tf file with a string default containing an unmatched { or }, e.g.:

variable "template" {
  default = "open-brace-here-{"
}

Impact: _module_sources() and the locals extraction loop both call _find_block(). A corrupted block causes module source links or local variable definitions in the same file to be silently dropped, producing an incomplete graph with no error or warning.

Fix: Track whether the scanner is inside a quoted string (toggle on unescaped ") and skip brace counting while inside one. Also skip #/// line comments and /* */ block comments.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions