integer overflow protection

Author: joejstuart

internal/applicationsnapshot/attestation.go

@@ -19,6 +19,7 @@ package applicationsnapshot
 import (
 	"bytes"
 	"encoding/json"
+	"math"
 
 	"github.com/in-toto/in-toto-golang/in_toto"
 
@@ -53,7 +54,14 @@ func NewAttestationResult(att attestation.Attestation) AttestationResult {
 }
 
 func (r *Report) renderAttestations() ([]byte, error) {
-	byts := make([][]byte, 0, len(r.Components)*2)
+	// Safe capacity calculation with overflow protection
+	componentCount := len(r.Components)
+	capacity := componentCount * 2
+	if componentCount > math.MaxInt/2 {
+		// If doubling would overflow, use a reasonable maximum
+		capacity = math.MaxInt / 4
+	}
+	byts := make([][]byte, 0, capacity)
 
 	for _, c := range r.Components {
 		for _, a := range c.Attestations {

internal/utils/safe_arithmetic.go

@@ -0,0 +1,111 @@
+// Copyright The Conforma Contributors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package utils
+
+import (
+	"fmt"
+	"math"
+)
+
+// SafeAdd safely adds two integers, returning an error if overflow would occur
+func SafeAdd(a, b int) (int, error) {
+	if a > 0 && b > math.MaxInt-a {
+		return 0, fmt.Errorf("integer overflow: %d + %d would exceed MaxInt", a, b)
+	}
+	if a < 0 && b < math.MinInt-a {
+		return 0, fmt.Errorf("integer overflow: %d + %d would exceed MinInt", a, b)
+	}
+	return a + b, nil
+}
+
+// SafeMultiply safely multiplies two integers, returning an error if overflow would occur
+func SafeMultiply(a, b int) (int, error) {
+	if a == 0 || b == 0 {
+		return 0, nil
+	}
+
+	// Check for overflow
+	if a > 0 && b > 0 {
+		if a > math.MaxInt/b {
+			return 0, fmt.Errorf("integer overflow: %d * %d would exceed MaxInt", a, b)
+		}
+	} else if a < 0 && b < 0 {
+		if a < math.MaxInt/b {
+			return 0, fmt.Errorf("integer overflow: %d * %d would exceed MaxInt", a, b)
+		}
+	} else if a > 0 && b < 0 {
+		if b < math.MinInt/a {
+			return 0, fmt.Errorf("integer overflow: %d * %d would exceed MinInt", a, b)
+		}
+	} else if a < 0 && b > 0 {
+		if a < math.MinInt/b {
+			return 0, fmt.Errorf("integer overflow: %d * %d would exceed MinInt", a, b)
+		}
+	}
+
+	return a * b, nil
+}
+
+// SafeCapacity calculates a safe capacity for slice allocation
+// It prevents integer overflow and provides reasonable fallbacks
+func SafeCapacity(base int, multiplier int) int {
+	capacity, err := SafeMultiply(base, multiplier)
+	if err != nil {
+		// Fallback to a reasonable maximum
+		return math.MaxInt / 4
+	}
+
+	// Additional safety check for extremely large values
+	const maxReasonableCapacity = 10000000 // 10 million
+	if capacity > maxReasonableCapacity {
+		return maxReasonableCapacity
+	}
+
+	return capacity
+}
+
+// SafeSliceCapacity calculates safe capacity for slice allocation with multiple length additions
+func SafeSliceCapacity(lengths ...int) int {
+	total := 0
+	for _, length := range lengths {
+		sum, err := SafeAdd(total, length)
+		if err != nil {
+			// Fallback to reasonable maximum
+			return math.MaxInt / 4
+		}
+		total = sum
+	}
+
+	// Additional safety check
+	const maxReasonableCapacity = 10000000 // 10 million
+	if total > maxReasonableCapacity {
+		return maxReasonableCapacity
+	}
+
+	return total
+}
+
+// ValidateSliceLength validates that a slice length is within reasonable bounds
+func ValidateSliceLength(length int, maxAllowed int) error {
+	if length < 0 {
+		return fmt.Errorf("negative slice length: %d", length)
+	}
+	if length > maxAllowed {
+		return fmt.Errorf("slice length %d exceeds maximum allowed %d", length, maxAllowed)
+	}
+	return nil
+}

internal/validate/vsa/validation.go

@@ -22,6 +22,7 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"fmt"
+	"math"
 	"strings"
 	"sync"
 
@@ -401,8 +402,28 @@ func validateAllComponentsFromPredicate(ctx context.Context, predicate *Predicat
 
 	// Pre-allocate slices with estimated capacity for better performance
 	componentCount := len(predicate.Results.Components)
-	allMissingRules := make([]MissingRule, 0, componentCount*2) // Estimate 2 missing rules per component
-	allFailingRules := make([]FailingRule, 0, componentCount*2) // Estimate 2 failing rules per component
+
+	// Validate input bounds to prevent DoS attacks
+	if componentCount < 0 {
+		return nil, fmt.Errorf("negative component count: %d", componentCount)
+	}
+
+	// Reasonable limit to prevent DoS attacks while allowing legitimate large predicates
+	const maxComponents = 1000000 // 1 million components max
+	if componentCount > maxComponents {
+		return nil, fmt.Errorf("VSA predicate has too many components: %d (max: %d). This may indicate a malformed or malicious predicate.",
+			componentCount, maxComponents)
+	}
+
+	// Safe capacity calculation with overflow protection
+	capacity := componentCount * 2
+	if componentCount > math.MaxInt/2 {
+		// If doubling would overflow, use a reasonable maximum
+		capacity = math.MaxInt / 4
+	}
+
+	allMissingRules := make([]MissingRule, 0, capacity)
+	allFailingRules := make([]FailingRule, 0, capacity)
 
 	var totalPassingCount, totalRequired int
 
@@ -525,7 +546,26 @@ func createValidationResult(missingRules []MissingRule, failingRules []FailingRu
 // It processes successes, violations, and warnings into a unified rule results map.
 func extractRuleResultsFromComponent(component applicationsnapshot.Component) map[string][]RuleResult {
 	// Pre-allocate with estimated capacity for better performance
-	totalRules := len(component.Successes) + len(component.Violations) + len(component.Warnings)
+	// Safe addition to prevent integer overflow
+	successes := len(component.Successes)
+	violations := len(component.Violations)
+	warnings := len(component.Warnings)
+
+	// Safe addition to prevent integer overflow
+	var totalRules int
+	// Check if any individual length is too large first
+	if successes > math.MaxInt/3 || violations > math.MaxInt/3 || warnings > math.MaxInt/3 {
+		// Individual slice too large, use conservative estimate
+		totalRules = math.MaxInt / 4
+	} else {
+		// Safe to add - check for overflow
+		totalRules = successes + violations + warnings
+		if totalRules < 0 {
+			// Overflow detected (result wrapped to negative)
+			totalRules = math.MaxInt / 4
+		}
+	}
+
 	ruleResults := make(map[string][]RuleResult, totalRules/2) // Estimate 2 rules per ruleID
 
 	// Process all rule types using a helper function to reduce code duplication