Check PR number value before casting from int64 to int (#4516)

* Check PR number value before casting from int64 to int This should not matter as int == int64 on 64bit architectures IIRC but let's silence the code scanning alerts. * Silence linter
mindersec · Sep 17, 2024 · f6ba405 · f6ba405
1 parent 292c4ce
commit f6ba405
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 3 deletions.
diff --git a/internal/engine/ingester/diff/diff.go b/internal/engine/ingester/diff/diff.go
@@ -19,6 +19,7 @@ import (
 	"bufio"
 	"context"
 	"fmt"
+	"math"
 	"path/filepath"
 	"regexp"
 	"strconv"
@@ -78,6 +79,8 @@ func (di *Diff) GetConfig() protoreflect.ProtoMessage {
 }
 
 // Ingest ingests a diff from a pull request in accordance with its type
+//
+//nolint:gocyclo
 func (di *Diff) Ingest(
 	ctx context.Context,
 	ent protoreflect.ProtoMessage,
@@ -99,6 +102,9 @@ func (di *Diff) Ingest(
 	case "", pb.DiffTypeDep:
 		allDiffs := make([]*pbinternal.PrDependencies_ContextualDependency, 0)
 		for {
+			if pr.Number > math.MaxInt {
+				return nil, fmt.Errorf("pr number is too large")
+			}
 			prFiles, resp, err := di.cli.ListFiles(ctx, pr.RepoOwner, pr.RepoName, int(pr.Number), prFilesPerPage, page)
 			if err != nil {
 				return nil, fmt.Errorf("error getting pull request files: %w", err)
@@ -131,6 +137,9 @@ func (di *Diff) Ingest(
 	case pb.DiffTypeFull:
 		allDiffs := make([]*pbinternal.PrContents_File, 0)
 		for {
+			if pr.Number > math.MaxInt {
+				return nil, fmt.Errorf("pr number is too large")
+			}
 			prFiles, resp, err := di.cli.ListFiles(ctx, pr.RepoOwner, pr.RepoName, int(pr.Number), prFilesPerPage, page)
 			if err != nil {
 				return nil, fmt.Errorf("error getting pull request files: %w", err)

diff --git a/internal/providers/github/properties/pull_request.go b/internal/providers/github/properties/pull_request.go
@@ -19,6 +19,7 @@ package properties
 import (
 	"context"
 	"fmt"
+	"math"
 	"net/http"
 	"strconv"
 	"strings"
@@ -126,12 +127,17 @@ func getPrWrapper(
 ) (map[string]any, error) {
 	_ = isOrg
 
-	owner, name, id, err := getPrWrapperAttrsFromProps(getByProps)
+	owner, name, id64, err := getPrWrapperAttrsFromProps(getByProps)
 	if err != nil {
 		return nil, fmt.Errorf("error getting pr wrapper attributes: %w", err)
 	}
 
-	prReply, result, err := ghCli.PullRequests.Get(ctx, owner, name, int(id))
+	if id64 > math.MaxInt {
+		return nil, fmt.Errorf("pr number is too large")
+	}
+	intId := int(id64)
+
+	prReply, result, err := ghCli.PullRequests.Get(ctx, owner, name, intId)
 	if err != nil {
 		if result != nil && result.StatusCode == http.StatusNotFound {
 			return nil, v1.ErrEntityNotFound
@@ -142,7 +148,7 @@ func getPrWrapper(
 	prProps := map[string]any{
 		// general entity
 		properties.PropertyUpstreamID: prReply.GetID(),
-		properties.PropertyName:       fmt.Sprintf("%s/%s/%d", owner, name, id),
+		properties.PropertyName:       fmt.Sprintf("%s/%s/%d", owner, name, intId),
 		// github-specific
 		PullPropertyURL: prReply.GetHTMLURL(),
 		// our proto representation uses int64 for the number but GH uses int