fix: file stream memory allocation bug (#707)

parker-snyk · web-flow · commit fe858e66f2ae · 2025-09-24T10:50:20.000-04:00
* fix: terminate early if file is not elf
* chore: unit tests
* fix: prevent overflow / pr comments
* chore: update stream check
diff --git a/lib/go-parser/index.ts b/lib/go-parser/index.ts
@@ -61,13 +61,13 @@ async function findGoBinaries(
     // ELF section headers and so ".go.buildinfo" & ".note.go.buildid" blobs are available in the first 64kb
     const elfBuildInfoSize = 64 * 1024;
 
-    const buffer: Buffer = Buffer.alloc(streamSize ?? elfBuildInfoSize);
+    let buffer: Buffer | null = null;
     let bytesWritten = 0;
 
     stream.on("end", () => {
       try {
         // Discard
-        if (bytesWritten === 0) {
+        if (!buffer || bytesWritten === 0) {
           return resolve(undefined);
         }
 
@@ -131,13 +131,31 @@ async function findGoBinaries(
       const first4Bytes = chunk.toString(encoding, 0, 4);
 
       if (first4Bytes === elfHeaderMagic) {
-        Buffer.from(chunk).copy(buffer, bytesWritten, 0);
-        bytesWritten += chunk.length;
+        // Now that we know it's an ELF file, allocate the buffer
+        buffer = Buffer.alloc(streamSize ?? elfBuildInfoSize);
+
+        bytesWritten += Buffer.from(chunk).copy(buffer, bytesWritten, 0);
+
         // Listen to next chunks only if it's an ELF executable
         stream.addListener("data", (chunk) => {
-          Buffer.from(chunk).copy(buffer, bytesWritten, 0);
-          bytesWritten += chunk.length;
+          if (buffer && bytesWritten < buffer.length) {
+            // Make sure we don't exceed the buffer capacity. Don't copy more
+            // than the buffer can handle, and don't exceed the chunk length
+            const bytesToWrite = Math.min(
+              buffer.length - bytesWritten,
+              chunk.length,
+            );
+            bytesWritten += Buffer.from(chunk).copy(
+              buffer,
+              bytesWritten,
+              0,
+              bytesToWrite,
+            );
+          }
         });
+      } else {
+        // Not an ELF file, exit early without allocating memory
+        return resolve(undefined);
       }
     });
   });
diff --git a/test/unit/go-parser-memory-stream.spec.ts b/test/unit/go-parser-memory-stream.spec.ts
@@ -0,0 +1,132 @@
+import * as elf from "elfy";
+import { readFileSync } from "fs";
+import * as path from "path";
+import { Readable } from "stream";
+
+import { getGoModulesContentAction } from "../../lib/go-parser";
+
+// Helper to create a readable stream from buffer
+function createStreamFromBuffer(buffer: Buffer): Readable {
+  const stream = new Readable();
+  stream.push(buffer);
+  stream.push(null);
+  return stream;
+}
+
+describe("Go parser memory allocation fix", () => {
+  const findGoBinaries = getGoModulesContentAction.callback!;
+  const { filePathMatches } = getGoModulesContentAction;
+
+  describe("Core memory fix - large non-ELF files", () => {
+    it("should not allocate large buffers for non-ELF files", async () => {
+      // This is the main bug we fixed - simulate 5GB non-ELF file
+      const nonElfContent = Buffer.from("This is not an ELF file");
+      const stream = createStreamFromBuffer(nonElfContent);
+      const hugeReportedSize = 5 * 1024 * 1024 * 1024; // 5GB
+
+      // Act - should not cause memory allocation issues
+      const result = await findGoBinaries(stream, hugeReportedSize);
+
+      // Assert
+      expect(result).toBeUndefined();
+      // If we reach here without memory errors, the fix works
+    });
+
+    it("should still process legitimate ELF files", async () => {
+      // Ensure we didn't break existing functionality
+      const goBinaryPath = path.join(
+        __dirname,
+        "../fixtures/go-binaries/go1.18.5_normal",
+      );
+
+      const goBinaryBuffer = readFileSync(goBinaryPath);
+      const stream = createStreamFromBuffer(goBinaryBuffer);
+
+      const result = await findGoBinaries(stream, goBinaryBuffer.length);
+
+      // Should process ELF files
+      expect(typeof result).toBeDefined();
+    });
+  });
+
+  describe("ELF magic detection", () => {
+    it("should detect ELF magic correctly", async () => {
+      const elfContent = Buffer.concat([
+        Buffer.from("\x7FELF"), // ELF magic
+        Buffer.alloc(100, 0),
+      ]);
+      const stream = createStreamFromBuffer(elfContent);
+
+      // Mock elf.parse to avoid complexity
+      const originalParse = elf.parse;
+      elf.parse = jest.fn().mockReturnValue({ body: { sections: [] } });
+
+      const result = await findGoBinaries(stream, elfContent.length);
+
+      expect(elf.parse).toHaveBeenCalled();
+      expect(result).toBeUndefined(); // No Go sections
+
+      elf.parse = originalParse;
+    });
+
+    it("should reject non-ELF files early", async () => {
+      const nonElfContent = Buffer.from("Not ELF content");
+      const stream = createStreamFromBuffer(nonElfContent);
+
+      const result = await findGoBinaries(stream, 1024 * 1024); // 1MB
+
+      expect(result).toBeUndefined();
+    });
+  });
+
+  describe("filePathMatches function", () => {
+    it("should match normal files without extensions", () => {
+      expect(filePathMatches("/app/myservice")).toBe(true);
+      expect(filePathMatches("/usr/bin/kubectl")).toBe(true);
+      expect(filePathMatches("/opt/binary")).toBe(true);
+    });
+
+    it("should not match files with extensions", () => {
+      expect(filePathMatches("/app/script.sh")).toBe(false);
+      expect(filePathMatches("/app/config.json")).toBe(false);
+      expect(filePathMatches("/app/main.go")).toBe(false);
+    });
+
+    it("should not match files in ignored paths", () => {
+      expect(filePathMatches("/etc/passwd")).toBe(false);
+      expect(filePathMatches("/var/log/app")).toBe(false);
+      expect(filePathMatches("/tmp/file")).toBe(false);
+      expect(filePathMatches("/proc/cpuinfo")).toBe(false);
+    });
+  });
+
+  describe("Error handling", () => {
+    it("should catch stream errors", async () => {
+      const errorStream = new Readable({
+        read() {
+          this.emit("error", new Error("Stream error"));
+        },
+      });
+
+      await expect(findGoBinaries(errorStream)).rejects.toThrow("Stream error");
+    });
+
+    it("should return undefined for corrupted ELF files", async () => {
+      const corruptedElf = Buffer.from("\x7FELF" + "corrupted");
+      const stream = createStreamFromBuffer(corruptedElf);
+
+      const result = await findGoBinaries(stream);
+
+      expect(result).toBeUndefined(); // Should not throw
+    });
+
+    it("should return undefined for empty streams", async () => {
+      const emptyStream = new Readable();
+      emptyStream.push(null);
+
+      const result = await findGoBinaries(emptyStream);
+
+      expect(result).toBeUndefined();
+    });
+  });
+});
