fix: add bounds checks to prevent slice bounds out of range panic

Author: arash-mosavi

internal/ls/autoimports.go

@@ -117,16 +117,27 @@ func (e *exportInfoMap) add(
 			topLevelNodeModulesIndex := nodeModulesPathParts.TopLevelNodeModulesIndex
 			topLevelPackageNameIndex := nodeModulesPathParts.TopLevelPackageNameIndex
 			packageRootIndex := nodeModulesPathParts.PackageRootIndex
-			packageName = module.UnmangleScopedPackageName(modulespecifiers.GetPackageNameFromTypesPackageName(moduleFile.FileName()[topLevelPackageNameIndex+1 : packageRootIndex]))
-			if strings.HasPrefix(string(importingFile), string(moduleFile.Path())[0:topLevelNodeModulesIndex]) {
-				nodeModulesPath := moduleFile.FileName()[0 : topLevelPackageNameIndex+1]
-				if prevDeepestNodeModulesPath, ok := e.packages[packageName]; ok {
-					prevDeepestNodeModulesIndex := strings.Index(prevDeepestNodeModulesPath, "/node_modules/")
-					if topLevelNodeModulesIndex > prevDeepestNodeModulesIndex {
+
+			// Bounds check to prevent slice bounds out of range panic
+			fileName := moduleFile.FileName()
+			if topLevelPackageNameIndex+1 >= 0 && packageRootIndex >= 0 && topLevelPackageNameIndex+1 <= packageRootIndex && packageRootIndex <= len(fileName) {
+				packageName = module.UnmangleScopedPackageName(modulespecifiers.GetPackageNameFromTypesPackageName(fileName[topLevelPackageNameIndex+1 : packageRootIndex]))
+			}
+
+			// Bounds check for module path slice
+			modulePath := string(moduleFile.Path())
+			if topLevelNodeModulesIndex >= 0 && topLevelNodeModulesIndex <= len(modulePath) && strings.HasPrefix(string(importingFile), modulePath[0:topLevelNodeModulesIndex]) {
+				// Bounds check for node modules path slice
+				if topLevelPackageNameIndex+1 >= 0 && topLevelPackageNameIndex+1 <= len(fileName) {
+					nodeModulesPath := fileName[0 : topLevelPackageNameIndex+1]
+					if prevDeepestNodeModulesPath, ok := e.packages[packageName]; ok {
+						prevDeepestNodeModulesIndex := strings.Index(prevDeepestNodeModulesPath, "/node_modules/")
+						if topLevelNodeModulesIndex > prevDeepestNodeModulesIndex {
+							e.packages[packageName] = nodeModulesPath
+						}
+					} else {
 						e.packages[packageName] = nodeModulesPath
 					}
-				} else {
-					e.packages[packageName] = nodeModulesPath
 				}
 			}
 		}

internal/ls/autoimportsexportinfo.go

@@ -100,6 +100,10 @@ func (l *LanguageService) searchExportInfosForCompletions(
 			return false
 		}
 		// Do not try to auto-import something with a lowercase first letter for a JSX tag
+		if len(symbolName) == 0 {
+			symbolNameMatches[symbolName] = false
+			return false
+		}
 		firstChar := rune(symbolName[0])
 		if isRightOfOpenTag && (firstChar < 'A' || firstChar > 'Z') {
 			symbolNameMatches[symbolName] = false

internal/ls/completions.go

@@ -2376,7 +2376,14 @@ var wordSeparators = collections.NewSetFromItems(
 // e.g. for "abc def.ghi|jkl", the word length is 3 and the word start is 'g'.
 func getWordLengthAndStart(sourceFile *ast.SourceFile, position int) (wordLength int, wordStart rune) {
 	// !!! Port other case of vscode's `DEFAULT_WORD_REGEXP` that covers words that start like numbers, e.g. -123.456abcd.
-	text := sourceFile.Text()[:position]
+
+	// Bounds check to prevent slice bounds out of range panic
+	sourceText := sourceFile.Text()
+	if position < 0 || position > len(sourceText) {
+		return 0, 0
+	}
+
+	text := sourceText[:position]
 	totalSize := 0
 	var firstRune rune
 	for r, size := utf8.DecodeLastRuneInString(text); size != 0; r, size = utf8.DecodeLastRuneInString(text[:len(text)-totalSize]) {
@@ -2485,7 +2492,13 @@ func getFilterText(
 
 // Ported from vscode's `provideCompletionItems`.
 func getDotAccessor(file *ast.SourceFile, position int) string {
-	text := file.Text()[:position]
+	// Bounds check to prevent slice bounds out of range panic
+	fileText := file.Text()
+	if position < 0 || position > len(fileText) {
+		return ""
+	}
+
+	text := fileText[:position]
 	totalSize := 0
 	if strings.HasSuffix(text, "?.") {
 		totalSize += 2