[scanner] fix: safe uintptr-to-int conversion in flock_unix.go#19787
Conversation
Fixes #19782 Adds bounds checking for the uintptr to int conversion to prevent integer overflow (gosec G115). File descriptors are validated to fit within the int range before conversion. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
kubestellar-prow
Bot
added
the
dco-signoff: no
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
✅ Deploy Preview for kubestellarconsole canceled.
|
|
🐝 Hi @clubanderson! I'm Trusted users — org members and contributors with write access — can mention Automation may take a moment to start, and follow-up happens through workflow activity rather than chat replies. |
|
👋 Hey @clubanderson — thanks for opening this PR!
This is an automated message. |
kubestellar-prow
Bot
added
the
size/S
There was a problem hiding this comment.
Pull request overview
Addresses the gosec G115 finding in the token tracker’s Unix file-lock implementation by ensuring the uintptr file descriptor returned by (*os.File).Fd() is validated before converting to int.
Changes:
- Added a bounds check to ensure
f.Fd()fits inintprior to conversion (prevents potential overflow on platforms whereuintptris wider thanint). - Introduced
math.MaxIntusage to express the upper bound clearly.
Comments suppressed due to low confidence (1)
pkg/agent/tokentracker/flock_unix.go:38
- Consider explicitly discarding the Close() error (
_ = f.Close()) for consistency with the release() closure and to avoid linters flagging an ignored return value.
if err := syscall.Flock(fd, syscall.LOCK_EX); err != nil {
f.Close()
return nil, fmt.Errorf("flock: %w", err)
| if uintptrVal > uintptr(math.MaxInt) { | ||
| f.Close() | ||
| return nil, fmt.Errorf("file descriptor out of range: %v", uintptrVal) | ||
| } |
![github-code-quality[bot]](https://avatars.githubusercontent.com/u/9919?s=60&v=4){kind=small}
| // Safe conversion: validate uintptr fits in int (gosec G115) | ||
| uintptrVal := f.Fd() | ||
| if uintptrVal > uintptr(math.MaxInt) { | ||
| f.Close() |
Signed-off-by: clubanderson <clubanderson@users.noreply.github.com>
After merging main, line numbers shifted in cluster_groups_test.go and solver.go. Update baseline entries to match current positions. Signed-off-by: clubanderson <clubanderson@users.noreply.github.com>
kubestellar-prow
Bot
added
size/M
Signed-off-by: clubanderson <clubanderson@users.noreply.github.com>
kubestellar-prow
Bot
added
size/S
Signed-off-by: clubanderson <clubanderson@users.noreply.github.com>
|
Thanks for your pull request. Before we can look at it, you'll need to add a 'DCO signoff' to your commits. 📝 Please follow instructions in the contributing guide to update your commits with the DCO Full details of the Developer Certificate of Origin can be found at developercertificate.org. The list of commits missing DCO signoff:
DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
Thank you for your contribution! Your PR has been merged. Check out what's new:
Stay connected: Slack #kubestellar-dev | Multi-Cluster Survey |
✅ Post-Merge Verification: passedCommit: |
|
Post-merge build verification passed ✅ Both Go and frontend builds compiled successfully against merge commit |
Fixes #19782
Fixes gosec G115 integer overflow finding in
pkg/agent/tokentracker/flock_unix.goby adding bounds checking for the uintptr-to-int conversion. The fix validates that the file descriptor value fits within the int range before conversion, preventing potential integer overflow on systems where uintptr is larger than int.