fix: cap stream size to node.js max buffer size (#715)

Now that we can handle scanning larger files, there's a very small chance of a failure if the file size is greater than the max file size allowed by node.js AND it has an ELF header

The issue here is it can fail for large ELF files (> 4GB). The chance if this is near zero, I'm not aware of any go modules this large, but if someone has another executable that is this large (still pretty unlikely), it could crash the scan. So I've just added one more check

Author: parker-snyk

lib/go-parser/index.ts

@@ -132,7 +132,15 @@ async function findGoBinaries(
 
       if (first4Bytes === elfHeaderMagic) {
         // Now that we know it's an ELF file, allocate the buffer
-        buffer = Buffer.alloc(streamSize ?? elfBuildInfoSize);
+        // If the streamSize is larger than node.js's max buffer length
+        // we should cap the size at that value. The liklihood
+        // of a node module being this size is near zero, so we should
+        // be okay doing this
+        const bufferSize = Math.min(
+          streamSize ?? elfBuildInfoSize,
+          require("buffer").constants.MAX_LENGTH,
+        );
+        buffer = Buffer.alloc(bufferSize);
 
         bytesWritten += Buffer.from(chunk).copy(buffer, bytesWritten, 0);
 

test/unit/go-parser-memory-stream.spec.ts

@@ -32,6 +32,43 @@ describe("Go parser memory allocation fix", () => {
       // If we reach here without memory errors, the fix works
     });
 
+    it("should cap buffer size at Node.js max buffer length for large ELF files", async () => {
+      // Create ELF content that would trigger large buffer allocation
+      const elfContent = Buffer.concat([
+        Buffer.from("\x7FELF"), // ELF magic
+        Buffer.alloc(1000, 0), // Some content
+      ]);
+      const stream = createStreamFromBuffer(elfContent);
+      const bigOlFileSize = 5 * 1024 * 1024 * 1024; // 5GB - exceeds max buffer length
+
+      // Mock elf.parse to avoid complexity and track buffer allocation
+      const originalParse = elf.parse;
+      let allocatedBufferSize: number | undefined;
+
+      // Mock Buffer.alloc to capture the size being allocated
+      const originalAlloc = Buffer.alloc;
+      Buffer.alloc = jest.fn().mockImplementation((size: number) => {
+        allocatedBufferSize = size;
+        return originalAlloc.call(Buffer, Math.min(size, 1024)); // Allocate small buffer for test
+      });
+
+      elf.parse = jest.fn().mockReturnValue({ body: { sections: [] } });
+
+      // Act
+      await findGoBinaries(stream, bigOlFileSize);
+
+      // Assert - buffer size should be capped at Node.js max, not the huge reported size
+      expect(allocatedBufferSize).toBeDefined();
+      expect(allocatedBufferSize).toEqual(
+        require("buffer").constants.MAX_LENGTH,
+      );
+      expect(allocatedBufferSize).toBeLessThan(bigOlFileSize);
+
+      // Restore mocks
+      Buffer.alloc = originalAlloc;
+      elf.parse = originalParse;
+    });
+
     it("should still process legitimate ELF files", async () => {
       // Ensure we didn't break existing functionality
       const goBinaryPath = path.join(