Handle integer overflow cases in shellquote (#1822)

esimkowitz · web-flow · commit 209647f343a4 · 2025-01-23T18:18:44.000-08:00
Resolves CodeQL warnings
diff --git a/pkg/util/shellutil/shellquote.go b/pkg/util/shellutil/shellquote.go
@@ -3,7 +3,14 @@
 
 package shellutil
 
-import "regexp"
+import (
+	"log"
+	"regexp"
+)
+
+const (
+	MaxQuoteSize = 10000000 // 10MB
+)
 
 var (
 	safePattern       = regexp.MustCompile(`^[a-zA-Z0-9_/.-]+$`)
@@ -23,6 +30,10 @@ func HardQuote(s string) string {
 		return s
 	}
 
+	if !checkQuoteSize(s) {
+		return ""
+	}
+
 	buf := make([]byte, 0, len(s)+5)
 	buf = append(buf, '"')
 
@@ -51,6 +62,10 @@ func HardQuoteFish(s string) string {
 		return s
 	}
 
+	if !checkQuoteSize(s) {
+		return ""
+	}
+
 	buf := make([]byte, 0, len(s)+5)
 	buf = append(buf, '"')
 
@@ -72,6 +87,10 @@ func HardQuotePowerShell(s string) string {
 		return "\"\""
 	}
 
+	if !checkQuoteSize(s) {
+		return ""
+	}
+
 	buf := make([]byte, 0, len(s)+5)
 	buf = append(buf, '"')
 
@@ -113,6 +132,10 @@ func SoftQuote(s string) string {
 		return s
 	}
 
+	if !checkQuoteSize(s) {
+		return ""
+	}
+
 	buf := make([]byte, 0, len(s)+5)
 	buf = append(buf, '"')
 
@@ -128,3 +151,11 @@ func SoftQuote(s string) string {
 	buf = append(buf, '"')
 	return string(buf)
 }
+
+func checkQuoteSize(s string) bool {
+	if len(s) > MaxQuoteSize {
+		log.Printf("string too long to quote: %s", s)
+		return false
+	}
+	return true
+}
