
Commit e32a94f

committed
fix(flow): avoid gosec panic on byte decoding
1 parent 262421e commit e32a94f

1 file changed

Lines changed: 19 additions & 3 deletions


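--- a/internal/conversation/flow/resolver.go
+++ b/internal/conversation/flow/resolver.go
@@ -10,6 +10,7 @@ import (
 "fmt"
 "io"
 "log/slog"
+"math"
 "net/http"
 "sort"
 "strconv"
@@ -2103,12 +2104,12 @@ func anyIndexedByteObject(value any) ([]byte, bool) {
 if err != nil || idx < 0 {
 return nil, false
 }
-floatValue, ok := raw.(float64)
-if !ok || floatValue < 0 || floatValue > 255 || floatValue != float64(int(floatValue)) {
+byteValue, ok := anyNumberToByte(raw)
+if !ok {
 return nil, false
 }
 indexes = append(indexes, idx)
-values[idx] = byte(int(floatValue))
+values[idx] = byteValue
 }
 sort.Ints(indexes)
 if indexes[len(indexes)-1]+1 != len(indexes) {
@@ -2121,6 +2122,21 @@ func anyIndexedByteObject(value any) ([]byte, bool) {
 return bytes, true
 }
 
+func anyNumberToByte(value any) (byte, bool) {
+floatValue, ok := value.(float64)
+if !ok || math.IsNaN(floatValue) || math.IsInf(floatValue, 0) {
+return 0, false
+}
+if floatValue < 0 || floatValue > 255 || math.Trunc(floatValue) != floatValue {
+return 0, false
+}
+parsed, err := strconv.ParseUint(strconv.FormatFloat(floatValue, 'f', 0, 64), 10, 8)
+if err != nil {
+return 0, false
+}
+return byte(parsed), true
+}
+
 func normalizeGatewaySkill(entry SkillEntry) (gatewaySkill, bool) {
 name := strings.TrimSpace(entry.Name)
 if name == "" {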
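Review bot: The new `anyNumberToByte` rejects negative zero, which the removed inline check accepted: `-0.0` passes both `floatValue < 0` and the `math.Trunc` comparison, but `strconv.FormatFloat` renders it as `-0` and `strconv.ParseUint` refuses the sign, so the helper returns `false` and `anyIndexedByteObject` (whose loop starts outside this hunk) discards the whole object. If these values come from decoded JSON, which is not visible here, a literal `-0` would now take that path. Because the NaN/Inf, range and integrality checks already prove the value fits in a byte, `return byte(floatValue), true` is well defined and avoids a string allocation per element. If the strconv round trip is kept to satisfy gosec, as the title suggests, a doc comment such as `// anyNumberToByte converts an integral float64 in [0, 255] to a byte; the strconv round trip exists only for the linter, the range is validated above.` would make the intent explicit. The commit touches one file and adds no test, so a table test covering -0, 0, 255, 256, 0.5, NaN and a non-float input would pin the boundary of this input validation.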
