From 8f9a70c2e784acf29d1d6ace5dd01eedf2c097ac Mon Sep 17 00:00:00 2001 From: Neil Twigg Date: Fri, 7 Mar 2025 09:38:55 +0000 Subject: [PATCH] Fix panic when subject transform has missing tokens It is likely that this is to do with a faulty service import, and we'll almost certainly be able to do better validation there too, but in the meantime we can and should avoid a panic with more rigorous bounds checking. Signed-off-by: Neil Twigg
---
 server/subject_transform.go | 11 ++++++++++- server/subject_transform_test.go | 11 +++++++++++ 2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/server/subject_transform.go b/server/subject_transform.go
index 41e42722d1d..42cc17e0672 100644
--- a/server/subject_transform.go
+++ b/server/subject_transform.go
@@ -459,7 +459,16 @@ func (tr *subjectTransform) TransformTokenizedSubject(tokens []string) string {
 }
 b.WriteString(tr.getHashPartition(keyForHashing, int(tr.dtokmfintargs[i])))
 case Wildcard: // simple substitution
- b.WriteString(tokens[tr.dtokmftokindexesargs[i][0]])
+ switch {
+ case len(tr.dtokmftokindexesargs) < i:
+ break
+ case len(tr.dtokmftokindexesargs[i]) < 1:
+ break
+ case len(tokens) <= tr.dtokmftokindexesargs[i][0]:
+ break
+ default:
+ b.WriteString(tokens[tr.dtokmftokindexesargs[i][0]])
+ }
 case SplitFromLeft:
 sourceToken := tokens[tr.dtokmftokindexesargs[i][0]]
 sourceTokenLen := len(sourceToken)
diff --git a/server/subject_transform_test.go b/server/subject_transform_test.go
index 9f973a70172..19a5bce7895 100644
--- a/server/subject_transform_test.go
+++ b/server/subject_transform_test.go
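Review bot: The first guard in the new `Wildcard` switch, `case len(tr.dtokmftokindexesargs) < i:`, is off by one. When the length equals `i` it falls through to the next case, which evaluates `tr.dtokmftokindexesargs[i]` and would panic, so it should read `case len(tr.dtokmftokindexesargs) <= i:`. The `SplitFromLeft` case just below still indexes `tokens[tr.dtokmftokindexesargs[i][0]]` with no check, so a subject with too few tokens presumably still panics for the other transform functions. Since a panic here takes the server process down, it is worth closing for every case, ideally with one shared bounds-checked lookup. The function body starts and ends outside the hunk, so whether `i` can actually reach `len(tr.dtokmftokindexesargs)` cannot be confirmed from here.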
@@ -221,3 +221,14 @@ func TestSubjectTransforms(t *testing.T) {
 shouldMatch("*", "{{left(1,3)}}", "1234", "123")
 shouldMatch("*", "{{left(1,6)}}", "1234", "1234")
 }
+
+func TestSubjectTransformDoesntPanicTransformingMissingToken(t *testing.T) {
+ defer func() {
+ p := recover()
+ require_True(t, p == nil)
+ }()
+
+ tr, err := NewSubjectTransform("foo.*", "one.two.{{wildcard(1)}}")
+ require_NoError(t, err)
+ require_Equal(t, tr.TransformTokenizedSubject([]string{"foo"}), "one.two.")
+}
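Review bot: The new test covers only `{{wildcard(1)}}`, so the other functions that read a source token, such as the `{{left(1,3)}}` form in the context lines above, are not checked against a subject with too few tokens. A table-driven variant that also builds `NewSubjectTransform("foo.*", "one.two.{{left(1,3)}}")` and transforms `[]string{"foo"}` would pin those paths once they are guarded. The expected value `"one.two."` ends in an empty token, which does not look like a well-formed subject. A comment such as `// missing source token is dropped; output is a stopgap until import validation rejects this` would stop the assertion being read as the intended contract.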