
Fix SBOM size validation to check before reading file#353

Closed
Copilot wants to merge 3 commits into bdehamer/esm from copilot/sub-pr-347-again

Conversation

Contributor

Copilot AI commented Feb 17, 2026

Addresses feedback from #347 where parseSBOMFromPath reads the entire file before checking size, defeating the 16MB guard for memory protection.

Changes:

  • Check file size with fs.stat() before fs.readFile() to prevent loading oversized files into memory
  • Handle ENOENT explicitly with "SBOM file not found" error instead of exposing system error codes
  • Update test expectations for new error message

Before:

```typescript
export const parseSBOMFromPath = async (filePath: string): Promise<SBOM> => {
  const fileContent = await fs.readFile(filePath, 'utf8')  // Reads entire file first

  const stats = await fs.stat(filePath)
  if (stats.size > MAX_SBOM_SIZE_BYTES) {  // Too late
    throw new Error(...)
  }
  // ...
}
```

After:

```typescript
export const parseSBOMFromPath = async (filePath: string): Promise<SBOM> => {
  let stats
  try {
    stats = await fs.stat(filePath)  // Check size first
  } catch (error) {
    const err = error as NodeJS.ErrnoException
    if (err.code === 'ENOENT') {
      throw new Error('SBOM file not found')
    }
    throw error
  }

  if (stats.size > MAX_SBOM_SIZE_BYTES) {  // Guard works correctly now
    throw new Error(...)
  }

  const fileContent = await fs.readFile(filePath, 'utf8')  // Only read valid files
  // ...
}
```
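The stat-before-read ordering above closes the memory hole the PR describes, but a path-based stat still leaves a window in which the file can be replaced or grow before readFile runs. The following is an added example, not code from this PR or from bdehamer/esm, that goes one step further: it stats the open handle and then reads through that same handle in bounded chunks, so the limit holds even if the file changes underneath it. MAX_SBOM_SIZE_BYTES is assumed to be the 16 MB value the PR refers to, and writeTempSBOM is a constructed helper for trying it out.

```typescript
import { open, mkdtemp, writeFile } from 'node:fs/promises'
import { tmpdir } from 'node:os'
import { join } from 'node:path'

// Assumed limit, matching the 16 MB guard the pull request discusses.
export const MAX_SBOM_SIZE_BYTES = 16 * 1024 * 1024

// Open once, stat the open handle (not the path), then read through that same
// handle in fixed chunks, aborting as soon as the byte count passes the limit.
// A file swapped or grown between the size check and the read is therefore
// still never buffered beyond maxBytes.
export async function readSBOMBounded(filePath: string, maxBytes: number = MAX_SBOM_SIZE_BYTES): Promise<string> {
  const handle = await open(filePath, 'r').catch((error: { code?: string }) => {
    if (error.code === 'ENOENT') throw new Error('SBOM file not found')
    throw error // other failures (EACCES, EISDIR, ...) propagate unchanged
  })
  try {
    const stats = await handle.stat()
    if (stats.size > maxBytes) {
      throw new Error(`SBOM file exceeds ${maxBytes} bytes`)
    }
    const chunk = Buffer.alloc(64 * 1024) // reused read buffer
    const chunks: Buffer[] = []
    let total = 0
    for (;;) {
      const { bytesRead } = await handle.read(chunk, 0, chunk.length, total)
      if (bytesRead === 0) break
      total += bytesRead
      if (total > maxBytes) throw new Error(`SBOM file exceeds ${maxBytes} bytes`)
      chunks.push(Buffer.from(chunk.subarray(0, bytesRead))) // copy before reuse
    }
    return Buffer.concat(chunks, total).toString('utf8')
  } finally {
    await handle.close()
  }
}

// Constructed test helper: write content to a fresh temporary file and return its path.
export async function writeTempSBOM(content: string): Promise<string> {
  const file = join(await mkdtemp(join(tmpdir(), 'sbom-')), 'sbom.json')
  await writeFile(file, content)
  return file
}
```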


Copilot AI and others added 2 commits February 17, 2026 16:01
Co-authored-by: bdehamer <398027+bdehamer@users.noreply.github.com>
Co-authored-by: bdehamer <398027+bdehamer@users.noreply.github.com>
Copilot AI changed the title [WIP] Address feedback on ESM conversion pull request Fix SBOM size validation to check before reading file Feb 17, 2026
Copilot AI requested a review from bdehamer February 17, 2026 16:04
@bdehamer
Collaborator

cherry-picked into #347

@bdehamer bdehamer closed this Feb 17, 2026