Merge pull request #1838 from l3montree-dev/add-saveguards-to-sarif-upload

timbastin · web-flow · commit 50c7b9eb36f8 · 2026-04-02T16:44:32.000+02:00
Added size limit check for sarif upload and implemented nil pointer checks for regions
diff --git a/controllers/scan_controller.go b/controllers/scan_controller.go
@@ -19,6 +19,7 @@ import (
 	"context"
 	"fmt"
 	"log/slog"
+	"net/http"
 	"time"
 
 	cdx "github.com/CycloneDX/cyclonedx-go"
@@ -404,6 +405,9 @@ func (s *ScanController) FirstPartyVulnScan(ctx shared.Context) error {
 
 	var sarifScan sarif.SarifSchema210Json
 
+	var maxSize int64 = 16 * 1024 * 1024 //Max Upload Size 16mb
+
+	ctx.Request().Body = http.MaxBytesReader(ctx.Response(), ctx.Request().Body, maxSize)
 	defer ctx.Request().Body.Close()
 
 	if err := ctx.Bind(&sarifScan); err != nil {
diff --git a/services/scan_service.go b/services/scan_service.go
@@ -239,12 +239,29 @@ func (s *scanService) HandleFirstPartyVulnResult(ctx context.Context, org models
 				loc := result.Locations[0]
 				firstPartyVulnerability.URI = utils.OrDefault(loc.PhysicalLocation.ArtifactLocation.URI, "")
 
-				snippetContent := dtos.SnippetContent{
-					StartLine:   utils.OrDefault(loc.PhysicalLocation.Region.StartLine, 0),
-					EndLine:     utils.OrDefault(loc.PhysicalLocation.Region.EndLine, 0),
-					StartColumn: utils.OrDefault(loc.PhysicalLocation.Region.StartColumn, 0),
-					EndColumn:   utils.OrDefault(loc.PhysicalLocation.Region.EndColumn, 0),
-					Snippet:     utils.OrDefault(loc.PhysicalLocation.Region.Snippet.Text, ""),
+				var snippetContent dtos.SnippetContent
+
+				if loc.PhysicalLocation.Region == nil {
+					snippetContent = dtos.SnippetContent{
+						StartLine:   0,
+						EndLine:     0,
+						StartColumn: 0,
+						EndColumn:   0,
+						Snippet:     "",
+					}
+				} else {
+					var checkedSnippet = ""
+					if loc.PhysicalLocation.Region.Snippet != nil {
+						checkedSnippet = utils.OrDefault(loc.PhysicalLocation.Region.Snippet.Text, "")
+					}
+
+					snippetContent = dtos.SnippetContent{
+						StartLine:   utils.OrDefault(loc.PhysicalLocation.Region.StartLine, 0),
+						EndLine:     utils.OrDefault(loc.PhysicalLocation.Region.EndLine, 0),
+						StartColumn: utils.OrDefault(loc.PhysicalLocation.Region.StartColumn, 0),
+						EndColumn:   utils.OrDefault(loc.PhysicalLocation.Region.EndColumn, 0),
+						Snippet:     checkedSnippet,
+					}
 				}
 
 				hash = firstPartyVulnerability.CalculateHash()
