fix(security): prevent integer overflow in uint64 to int64 conversions

Add overflow checks before converting uint64 memory values to int64 to prevent potential integer overflow issues identified by gosec (G115). - Add math.MaxInt64 checks in fileproc/backpressure.go - Add math.MaxInt64 checks in fileproc/resource_monitor_validation.go - Add math.MaxInt64 checks in fileproc/resource_monitor_metrics.go - Add math.MaxInt64 check in benchmark/benchmark.go with nosec annotation Co-authored-by: ivuorinen <11024+ivuorinen@users.noreply.github.com>
2026-02-14 23:50:02 +00:00 · 2025-10-04 23:17:02 +00:00
parent dfda38ded4
commit e9bd694685
40 changed files with 331 additions and 328 deletions
--- a/fileproc/resource_monitor_metrics.go
+++ b/fileproc/resource_monitor_metrics.go
@@ -1,6 +1,7 @@
 package fileproc

 import (
+	"math"
 	"runtime"
 	"sync/atomic"
 	"time"
@@ -48,6 +49,12 @@ func (rm *ResourceMonitor) GetMetrics() ResourceMetrics {
 		violations = append(violations, violation)
 	}

+	// Safe conversion: cap at MaxInt64 to prevent overflow
+	memoryUsage := int64(m.Alloc) / 1024 / 1024
+	if m.Alloc > math.MaxInt64 {
+		memoryUsage = math.MaxInt64 / 1024 / 1024
+	}
+
 	return ResourceMetrics{
 		FilesProcessed:      filesProcessed,
 		TotalSizeProcessed:  totalSize,
@@ -55,7 +62,7 @@ func (rm *ResourceMonitor) GetMetrics() ResourceMetrics {
 		ProcessingDuration:  duration,
 		AverageFileSize:     avgFileSize,
 		ProcessingRate:      processingRate,
-		MemoryUsageMB:       int64(m.Alloc) / 1024 / 1024,
+		MemoryUsageMB:       memoryUsage,
 		MaxMemoryUsageMB:    int64(rm.hardMemoryLimitMB),
 		ViolationsDetected:  violations,
 		DegradationActive:   rm.degradationActive,
@@ -76,4 +83,4 @@ func (rm *ResourceMonitor) LogResourceInfo() {
 	} else {
 		logrus.Info("Resource limits disabled")
 	}
-}
+}