OsvClient: cap fetch_all_pages at MAX_PAGES to avoid unbounded loop #52
Open
SAY-5 wants to merge 1 commit into Homebrew:main from
Conversation
fetch_all_pages keeps calling /v1/query as long as the OSV response has a next_page_token. If OSV ever returns a buggy response that echoes the same token (or returns a token unconditionally), the loop allocates into 'vulns' until the process is OOM-killed. Add a 100-page upper bound and raise ApiError with a clear message when the limit is hit, so an infinite-pagination response surfaces as an actionable error instead of an OOM. Add a regression test that stubs the server to return the same next_page_token every call and asserts the ApiError.
Closes #47.

`OsvClient#fetch_all_pages` (lib/brew/vulns/osv_client.rb:120) loops as long as the OSV response carries a `next_page_token`, with no upper bound:

If the upstream returns a buggy response that echoes the same `next_page_token` (or unconditionally returns one), the loop concatenates into `vulns` until the process OOM-kills.

Add a `MAX_PAGES = 100` ceiling and raise `ApiError` with a clear message when the limit is hit, turning the infinite-pagination case into an actionable error. Added a regression test (`test_pagination_aborts_after_max_pages`) that stubs the server to return the same token forever and asserts the `ApiError`.

Local verification: Ruby `-c` syntax check passes for both files. I couldn't run `bundle exec rake test` locally because system Ruby is 2.6 and `Gemfile.lock` pins `bundler 4.0.6`, which requires Ruby >= 3.2 — happy to iterate on the test if CI catches anything.
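As an added example (not the project's code and not the diff in this PR), here is a stand-alone Ruby sketch of the bounded pagination loop the description proposes, exercised offline against three constructed stub transports: a healthy server that paginates normally, one that echoes the same `next_page_token` forever, and one that hands out a fresh token on every call. The names `OsvClient`, `ApiError` and `MAX_PAGES = 100` follow the PR text; the `Brew::Vulns` module nesting, the `transport:` keyword, the `StubTransport` class, the query contents and the vulnerability IDs are assumptions made up for this example. It goes one step beyond the PR by also rejecting a token that has already been sent, which makes the echoing server fail after two calls instead of after 100.

```ruby
module Brew
  module Vulns
    # Raised for non-recoverable API conditions, including runaway pagination.
    class ApiError < StandardError; end

    class OsvClient
      MAX_PAGES = 100

      # transport: anything responding to #post(path, body) and returning a parsed
      # JSON Hash. Injected so the loop can run offline (assumption for this example).
      def initialize(transport:, max_pages: MAX_PAGES)
        @transport = transport
        @max_pages = max_pages
      end

      # Collects vulns across pages until OSV stops returning next_page_token.
      # Aborts with ApiError instead of growing without bound when pagination never ends.
      def fetch_all_pages(query)
        vulns = []
        token = nil
        seen_tokens = {}
        pages = 0

        loop do
          pages += 1
          if pages > @max_pages
            raise ApiError,
                  "OSV pagination exceeded #{@max_pages} pages for #{query.inspect}; " \
                  "aborting (possible runaway next_page_token)"
          end

          body = token ? query.merge("page_token" => token) : query
          response = @transport.post("/v1/query", body)
          vulns.concat(Array(response["vulns"]))

          token = response["next_page_token"]
          break if token.nil? || token.empty?

          # Extra guard beyond the page cap: a token we have already sent cannot
          # advance the cursor, so fail fast instead of burning the remaining budget.
          if seen_tokens[token]
            raise ApiError, "OSV returned next_page_token #{token.inspect} twice; aborting pagination"
          end
          seen_tokens[token] = true
        end

        vulns
      end
    end
  end
end

# Constructed stub standing in for the OSV HTTP layer; no network involved.
class StubTransport
  attr_reader :calls

  def initialize(&responder)
    @responder = responder
    @calls = 0
  end

  def post(_path, body)
    @calls += 1
    @responder.call(@calls, body)
  end
end

# Constructed query; any OSV-shaped query hash would do.
SAMPLE_QUERY = { "package" => { "name" => "example", "ecosystem" => "Homebrew" } }.freeze

# Well-behaved server: three pages, then no token.
def healthy_transport
  StubTransport.new do |n, _body|
    case n
    when 1 then { "vulns" => [{ "id" => "CONSTRUCTED-0001" }], "next_page_token" => "page-2" }
    when 2 then { "vulns" => [{ "id" => "CONSTRUCTED-0002" }], "next_page_token" => "page-3" }
    else        { "vulns" => [{ "id" => "CONSTRUCTED-0003" }] }
    end
  end
end

# Buggy server that echoes the same token on every call (the case from the PR).
def echoing_transport
  StubTransport.new { |_n, _body| { "vulns" => [{ "id" => "CONSTRUCTED-0001" }], "next_page_token" => "stuck" } }
end

# Buggy server that always hands out a fresh token; only the page cap stops this one.
def runaway_transport
  StubTransport.new { |n, _body| { "vulns" => [{ "id" => "CONSTRUCTED-#{n}" }], "next_page_token" => "page-#{n + 1}" } }
end

if $PROGRAM_NAME == __FILE__
  puts Brew::Vulns::OsvClient.new(transport: healthy_transport).fetch_all_pages(SAMPLE_QUERY).size
  [echoing_transport, runaway_transport].each do |stub|
    begin
      Brew::Vulns::OsvClient.new(transport: stub).fetch_all_pages(SAMPLE_QUERY)
    rescue Brew::Vulns::ApiError => e
      puts "#{e.message} (after #{stub.calls} calls)"
    end
  end
end
```

One caveat worth keeping in mind when reviewing this kind of cap: it turns an OOM into an error, but a hundred full pages is still a lot of memory, and the caller must treat the `ApiError` as a failed lookup rather than as "no vulnerabilities found", otherwise the bounded loop silently degrades into a false negative.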