From e422158e1373a4741f948645571d83f5b309b0be Mon Sep 17 00:00:00 2001
From: Felix Fontein
Date: Sat, 16 Sep 2023 15:16:07 +0200
Subject: [PATCH] Reject completely empty documents. This only affects empty YAML files, since only these can contain zero documents.
Signed-off-by: Felix Fontein
---
 cmd/sops/codes/codes.go | 1 +
 cmd/sops/encrypt.go | 3 +++
 2 files changed, 4 insertions(+)
diff --git a/cmd/sops/codes/codes.go b/cmd/sops/codes/codes.go
index e431bd778..7aea67e80 100644
--- a/cmd/sops/codes/codes.go
+++ b/cmd/sops/codes/codes.go
@@ -21,6 +21,7 @@ const (
 ConfigFileNotFound int = 61
 KeyboardInterrupt int = 85
 InvalidTreePathFormat int = 91
+ NeedAtLeastOneDocument int = 92
 NoFileSpecified int = 100
 CouldNotRetrieveKey int = 128
 NoEncryptionKeyFound int = 111
diff --git a/cmd/sops/encrypt.go b/cmd/sops/encrypt.go
index cfb16ab18..f5b770e7a 100644
--- a/cmd/sops/encrypt.go
+++ b/cmd/sops/encrypt.go
@@ -64,6 +64,9 @@ func encrypt(opts encryptOpts) (encryptedFile []byte, err error) {
 if err != nil {
 return nil, common.NewExitError(fmt.Sprintf("Error unmarshalling file: %s", err), codes.CouldNotReadInputFile)
 }
+ if len(branches) < 1 {
+ return nil, common.NewExitError("File cannot be completely empty, it must contain at least one document", codes.NeedAtLeastOneDocument)
+ }
 if err := ensureNoMetadata(opts, branches[0]); err != nil {
 return nil, common.NewExitError(err, codes.FileAlreadyEncrypted)
 }
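Review bot: The new `len(branches) < 1` guard in encrypt() protects only this one `branches[0]` access, and the patch touches no file other than codes.go and encrypt.go, so any other command path that indexes the first branch of a freshly parsed file would presumably still hit an index-out-of-range panic on an empty YAML stream; that is worth checking and guarding the same way. The commit also carries no regression test: a case that feeds an empty YAML input to encrypt and asserts the `codes.NeedAtLeastOneDocument` exit code would pin the behaviour. A short why-comment above the check would help the next reader, e.g. `// An empty YAML stream yields zero documents; reject it before indexing branches[0].` encrypt's body starts and ends outside the hunk.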