Fix panic in v1beta1 matrix validation for invalid result refs

mathur07 · mathur07 · commit 355e530cd2da · 2025-11-11T01:58:28.000-05:00
This fix applies the same safety check that was added to v1 pipelines in PR #8089. The validateMatrixedPipelineTaskConsumed function was panicking when encountering invalid variable substitutions like $(tasks)-$(tasks.echo-result.results.output) because it tried to access subExpressions[1] without first checking if the expression was a valid result reference. The fix adds a check to skip expressions that don't look like result references before attempting to parse them, preventing the panic and allowing the webhook to return a proper validation error instead. Fixes: SRVKP-9204 Related: #8089
diff --git a/pkg/apis/pipeline/v1beta1/pipeline_validation.go b/pkg/apis/pipeline/v1beta1/pipeline_validation.go
@@ -811,6 +811,10 @@ func findAndValidateResultRefsForMatrix(tasks []PipelineTask, taskMapping map[st
 func validateMatrixedPipelineTaskConsumed(expressions []string, taskMapping map[string]PipelineTask) (resultRefs []*ResultRef, errs *apis.FieldError) {
 	var filteredExpressions []string
 	for _, expression := range expressions {
+		// if it is not matrix result ref expression, skip
+		if !resultref.LooksLikeResultRef(expression) {
+			continue
+		}
 		// ie. "tasks.<pipelineTaskName>.results.<resultName>[*]"
 		subExpressions := strings.Split(expression, ".")
 		pipelineTask := subExpressions[1] // pipelineTaskName
diff --git a/pkg/apis/pipeline/v1beta1/pipeline_validation_test.go b/pkg/apis/pipeline/v1beta1/pipeline_validation_test.go
@@ -167,6 +167,56 @@ func TestPipeline_Validate_Success(t *testing.T) {
 				}},
 			},
 		},
+	}, {
+		name: "param with different type of values with matrix and invalid result ref",
+		p: &Pipeline{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: "pipelinelinename",
+			},
+			Spec: PipelineSpec{
+				Tasks: []PipelineTask{{
+					Name: "echo-result",
+					TaskSpec: &EmbeddedTask{TaskSpec: TaskSpec{
+						Results: []TaskResult{{
+							Name: "output",
+							Type: ResultsTypeString,
+						}},
+						Steps: []Step{{
+							Name:    "emit-a-result",
+							Image:   "mirror.gcr.io/bash",
+							Script:  "#!/usr/bin/env bash\necho -n \"some data\" | tee $(results.output.path)",
+						}},
+					}},
+				}, {
+					Name: "consume-result",
+					Matrix: &Matrix{
+						Params: Params{{
+							Name: "version", Value: ParamValue{ArrayVal: []string{"1", "2"}},
+						}},
+					},
+					Params: Params{
+						{
+							Name: "bad-input",
+							Value: ParamValue{
+								Type:      ParamTypeString,
+								StringVal: "$(tasks)-$(tasks.echo-result.results.output)",
+							},
+						},
+					},
+					TaskSpec: &EmbeddedTask{TaskSpec: TaskSpec{
+						Params: []ParamSpec{{
+							Name: "bad-input",
+							Type: ParamTypeString,
+						}},
+						Steps: []Step{{
+							Name:    "consume-the-result",
+							Image:   "mirror.gcr.io/bash",
+							Script:  "#!/usr/bin/env bash\necho -n \"input: $(params.bad-input)\"",
+						}},
+					}},
+				}},
+			},
+		},
 	}, {
 		name: "valid pipeline with pipeline task and final task referencing artifacts in task params with enable-artifacts flag true",
 		p: &Pipeline{
