From 8cbf5a6c03a2443e309f3fcf10c27edadd05d578 Mon Sep 17 00:00:00 2001
From: Alec Thomas <alec@swapoff.org>
Date: Wed, 9 Jun 2021 13:10:29 +1000
Subject: [PATCH] Validate short flags are a single rune.

Fixes #175.
---
 tag.go      | 22 +++++++++++++++-------
 tag_test.go |  8 ++++++++
 2 files changed, 23 insertions(+), 7 deletions(-)

diff --git a/tag.go b/tag.go
index 4d640c9..8c24a9f 100644
--- a/tag.go
+++ b/tag.go
@@ -1,6 +1,7 @@
 package kong
 
 import (
+	"errors"
 	"fmt"
 	"reflect"
 	"strconv"
@@ -130,9 +131,12 @@ func parseTag(fv reflect.Value, ft reflect.StructField) *Tag {
 		t.Ignored = true
 		return t
 	}
-	t := &Tag{
-		items: parseTagItems(getTagInfo(ft)),
-	}
+	var (
+		err error
+		t   = &Tag{
+			items: parseTagItems(getTagInfo(ft)),
+		}
+	)
 	t.Cmd = t.Has("cmd")
 	t.Arg = t.Has("arg")
 	required := t.Has("required")
@@ -151,7 +155,10 @@ func parseTag(fv reflect.Value, ft reflect.StructField) *Tag {
 	t.Help = t.Get("help")
 	t.Type = t.Get("type")
 	t.Env = t.Get("env")
-	t.Short, _ = t.GetRune("short")
+	t.Short, err = t.GetRune("short")
+	if err != nil && t.Get("short") != "" {
+		fail("invalid short flag name %q: %s", t.Get("short"), err)
+	}
 	t.Hidden = t.Has("hidden")
 	t.Format = t.Get("format")
 	t.Sep, _ = t.GetSep("sep", ',')
@@ -232,9 +239,10 @@ func (t *Tag) GetInt(k string) (int64, error) {
 
 // GetRune parses the given tag as a rune.
 func (t *Tag) GetRune(k string) (rune, error) {
-	r, _ := utf8.DecodeRuneInString(t.Get(k))
-	if r == utf8.RuneError {
-		return 0, fmt.Errorf("%v has a rune error", t.Get(k))
+	value := t.Get(k)
+	r, size := utf8.DecodeRuneInString(value)
+	if r == utf8.RuneError || size < len(value) {
+		return 0, errors.New("invalid rune")
 	}
 	return r, nil
 }
diff --git a/tag_test.go b/tag_test.go
index 4da0bd0..ae8c38d 100644
--- a/tag_test.go
+++ b/tag_test.go
@@ -192,3 +192,11 @@ func TestTagAliasesSub(t *testing.T) {
 	require.NoError(t, err)
 	require.Equal(t, "arg", cli.Cmd.SubCmd.Arg)
 }
+
+func TestInvalidRuneErrors(t *testing.T) {
+	cli := struct {
+		Flag bool `short:"invalid"`
+	}{}
+	_, err := kong.New(&cli)
+	require.EqualError(t, err, "invalid short flag name \"invalid\": invalid rune")
+}