fix: add bounds check for partition index int32 conversion #1517

Open

merlimat wants to merge 1 commit into master from fix/partition-index-int32-conversion

@merlimat

Contributor

Motivation

CodeQL code-scanning alert #1 (go/incorrect-integer-conversion, high — CWE-190 / CWE-681) flags pulsar/consumer_partition.go:422, where the partition index — ultimately parsed from the topic name via strconv.Atoi in getPartitionIndex — is converted from int to int32 without a bounds check.

Modifications

Add an explicit range check in newPartitionConsumer before the int32(options.partitionIdx) conversion, returning an error if the value falls outside the int32 range. Negative values (e.g. -1 for non-partitioned topics) remain valid.

Verifying this change

  • Make sure that the change passes the CI checks.

This change is a trivial rework without new test coverage; the conversion is exercised by the existing partitioned-consumer tests.

Does this pull request potentially affect one of the following parts:

  • Dependencies (does it add or upgrade a dependency): no
  • The public API: no
  • The schema: no
  • The default values of configurations: no
  • The wire protocol: no

Documentation

  • Does this pull request introduce a new feature? no

CodeQL go/incorrect-integer-conversion (CWE-190/CWE-681) flagged the
int->int32 conversion of the topic-derived partition index in
newPartitionConsumer. Guard it with an explicit int32 range check;
negative values (-1 for non-partitioned topics) remain valid.
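
Added example, not part of the pull request or the project's code: a sketch of why an unchecked int to int32 conversion of a topic-derived index is a problem on 64-bit platforms, next to a range-checked conversion of the kind the description outlines. The helper names `partitionIndexFromTopic` and `checkedInt32`, the `-partition-` suffix handling, and the topic names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"math"
	"strconv"
	"strings"
)

// partitionIndexFromTopic is a hypothetical stand-in for the parsing step:
// it returns -1 when the topic carries no usable "-partition-N" suffix.
func partitionIndexFromTopic(topic string) int {
	const marker = "-partition-"
	i := strings.LastIndex(topic, marker)
	if i < 0 {
		return -1
	}
	n, err := strconv.Atoi(topic[i+len(marker):])
	if err != nil {
		return -1
	}
	return n
}

// checkedInt32 (hypothetical) converts idx only when it fits in int32.
// Negative values such as -1 are inside the range and pass through.
func checkedInt32(idx int) (int32, error) {
	if idx < math.MinInt32 || idx > math.MaxInt32 {
		return 0, fmt.Errorf("partition index %d out of int32 range", idx)
	}
	return int32(idx), nil
}

func main() {
	// Constructed topic names. The last suffix is 2^32 + 3, which an
	// unchecked conversion silently wraps to 3 when int is 64 bits wide.
	topics := []string{
		"persistent://public/default/t",
		"persistent://public/default/t-partition-3",
		"persistent://public/default/t-partition-4294967299",
	}
	for _, topic := range topics {
		idx := partitionIndexFromTopic(topic)
		safe, err := checkedInt32(idx)
		fmt.Printf("parsed=%d unchecked=%d checked=%d err=%v\n",
			idx, int32(idx), safe, err)
	}
}
```

Without the check, the third topic would be treated as partition 3, so an oversized suffix aliases a valid partition instead of being rejected.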