fix(security): prevent integer overflow in uint64 to int64 conversions

Add overflow checks before converting uint64 memory values to int64
to prevent potential integer overflow issues identified by gosec (G115).

- Add math.MaxInt64 checks in fileproc/backpressure.go
- Add math.MaxInt64 checks in fileproc/resource_monitor_validation.go
- Add math.MaxInt64 checks in fileproc/resource_monitor_metrics.go
- Add math.MaxInt64 check in benchmark/benchmark.go with nosec annotation

Co-authored-by: ivuorinen <11024+ivuorinen@users.noreply.github.com>
This commit is contained in:
copilot-swe-agent[bot]
2025-10-04 23:17:02 +00:00
parent dfda38ded4
commit e9bd694685
40 changed files with 331 additions and 328 deletions


@@ -3,6 +3,7 @@ package fileproc
import (
"context"
"math"
"runtime"
"sync"
"sync/atomic"
@@ -73,7 +74,11 @@ func (bp *BackpressureManager) ShouldApplyBackpressure(ctx context.Context) bool
// Get current memory usage
var m runtime.MemStats
runtime.ReadMemStats(&m)
// Safe conversion: cap at MaxInt64 to prevent overflow
currentMemory := int64(m.Alloc)
if m.Alloc > math.MaxInt64 {
currentMemory = math.MaxInt64
}
bp.mu.Lock()
defer bp.mu.Unlock()
@@ -130,10 +135,16 @@ func (bp *BackpressureManager) GetStats() BackpressureStats {
var m runtime.MemStats
runtime.ReadMemStats(&m)
// Safe conversion: cap at MaxInt64 to prevent overflow
currentMemory := int64(m.Alloc)
if m.Alloc > math.MaxInt64 {
currentMemory = math.MaxInt64
}
return BackpressureStats{
Enabled: bp.enabled,
FilesProcessed: atomic.LoadInt64(&bp.filesProcessed),
CurrentMemoryUsage: int64(m.Alloc),
CurrentMemoryUsage: currentMemory,
MaxMemoryUsage: bp.maxMemoryUsage,
MemoryWarningActive: bp.memoryWarningLogged,
LastMemoryCheck: bp.lastMemoryCheck,
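Review bot: The guard in the `@@ -73` hunk converts before it checks — `currentMemory := int64(m.Alloc)` runs unconditionally and the `if m.Alloc > math.MaxInt64` test only overwrites the result afterwards, so the unchecked uint64→int64 conversion that G115 reports is still present on that line and the linter may well keep flagging it; the same four lines are repeated verbatim in GetStats (the `@@ -130` hunk), and the description says the pattern is copied into two more files. Both sites (and the ones outside this file) would be simpler and lint-clean with one saturating helper in the package, called as `currentMemory := clampUint64ToInt64(m.Alloc)`, so the clamp rule lives in one place and the conversion only happens on the in-range branch. If the other files are in a different package the helper needs exporting or duplicating there; I can only see backpressure.go here.

```go
// clampUint64ToInt64 returns v as an int64, saturating at math.MaxInt64 so
// a counter outside the int64 range cannot wrap to a negative value.
func clampUint64ToInt64(v uint64) int64 {
	if v > math.MaxInt64 {
		return math.MaxInt64
	}
	return int64(v)
}

// … unchanged: ShouldApplyBackpressure up to runtime.ReadMemStats(&m) …
	currentMemory := clampUint64ToInt64(m.Alloc)

// … unchanged: GetStats up to runtime.ReadMemStats(&m) …
	currentMemory := clampUint64ToInt64(m.Alloc)
```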