
Commit bd81542

committed
chore: run hack and fix gosec issues
1 parent cd0ed1d commit bd81542


5 files changed

+48
-24
lines changed


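--- a/config/core/300-resources/configuration.yaml
+++ b/config/core/300-resources/configuration.yaml
@@ -438,7 +438,7 @@ spec:
 type: object
 properties:
 host:
-description: "Optional: Host name to connect to, defaults to the pod IP."
+description: 'Optional: Host name to connect to, defaults to the pod IP.'
 type: string
 port:
 description: |-
@@ -606,7 +606,7 @@ spec:
 type: object
 properties:
 host:
-description: "Optional: Host name to connect to, defaults to the pod IP."
+description: 'Optional: Host name to connect to, defaults to the pod IP.'
 type: string
 port:
 description: |-
@@ -871,7 +871,7 @@ spec:
 type: object
 properties:
 host:
-description: "Optional: Host name to connect to, defaults to the pod IP."
+description: 'Optional: Host name to connect to, defaults to the pod IP.'
 type: string
 port:
 description: |-
@@ -1297,7 +1297,7 @@ spec:
 - path
 properties:
 fieldRef:
-description: "Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported."
+description: 'Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.'
 type: object
 required:
 - fieldPath
@@ -1320,7 +1320,7 @@ spec:
 type: integer
 format: int32
 path:
-description: "Required: Path is the relative path name of the file to be created. Must not be absolute or contain the '..' path. Must be utf-8 encoded. The first item of the relative path must not start with '..'"
+description: 'Required: Path is the relative path name of the file to be created. Must not be absolute or contain the ''..'' path. Must be utf-8 encoded. The first item of the relative path must not start with ''..'''
 type: string
 resourceFieldRef:
 description: |-
@@ -1331,7 +1331,7 @@ spec:
 - resource
 properties:
 containerName:
-description: "Container name: required for volumes, optional for env vars"
+description: 'Container name: required for volumes, optional for env vars'
 type: string
 divisor:
 description: Specifies the output format of the exposed resources, defaults to "1"
@@ -1341,7 +1341,7 @@ spec:
 - type: string
 x-kubernetes-int-or-string: true
 resource:
-description: "Required: resource to select"
+description: 'Required: resource to select'
 type: string
 x-kubernetes-map-type: atomic
 x-kubernetes-list-type: atomic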

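--- a/config/core/300-resources/revision.yaml
+++ b/config/core/300-resources/revision.yaml
@@ -414,7 +414,7 @@ spec:
 type: object
 properties:
 host:
-description: "Optional: Host name to connect to, defaults to the pod IP."
+description: 'Optional: Host name to connect to, defaults to the pod IP.'
 type: string
 port:
 description: |-
@@ -582,7 +582,7 @@ spec:
 type: object
 properties:
 host:
-description: "Optional: Host name to connect to, defaults to the pod IP."
+description: 'Optional: Host name to connect to, defaults to the pod IP.'
 type: string
 port:
 description: |-
@@ -847,7 +847,7 @@ spec:
 type: object
 properties:
 host:
-description: "Optional: Host name to connect to, defaults to the pod IP."
+description: 'Optional: Host name to connect to, defaults to the pod IP.'
 type: string
 port:
 description: |-
@@ -1273,7 +1273,7 @@ spec:
 - path
 properties:
 fieldRef:
-description: "Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported."
+description: 'Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.'
 type: object
 required:
 - fieldPath
@@ -1296,7 +1296,7 @@ spec:
 type: integer
 format: int32
 path:
-description: "Required: Path is the relative path name of the file to be created. Must not be absolute or contain the '..' path. Must be utf-8 encoded. The first item of the relative path must not start with '..'"
+description: 'Required: Path is the relative path name of the file to be created. Must not be absolute or contain the ''..'' path. Must be utf-8 encoded. The first item of the relative path must not start with ''..'''
 type: string
 resourceFieldRef:
 description: |-
@@ -1307,7 +1307,7 @@ spec:
 - resource
 properties:
 containerName:
-description: "Container name: required for volumes, optional for env vars"
+description: 'Container name: required for volumes, optional for env vars'
 type: string
 divisor:
 description: Specifies the output format of the exposed resources, defaults to "1"
@@ -1317,7 +1317,7 @@ spec:
 - type: string
 x-kubernetes-int-or-string: true
 resource:
-description: "Required: resource to select"
+description: 'Required: resource to select'
 type: string
 x-kubernetes-map-type: atomic
 x-kubernetes-list-type: atomic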

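--- a/config/core/300-resources/service.yaml
+++ b/config/core/300-resources/service.yaml
@@ -456,7 +456,7 @@ spec:
 type: object
 properties:
 host:
-description: "Optional: Host name to connect to, defaults to the pod IP."
+description: 'Optional: Host name to connect to, defaults to the pod IP.'
 type: string
 port:
 description: |-
@@ -624,7 +624,7 @@ spec:
 type: object
 properties:
 host:
-description: "Optional: Host name to connect to, defaults to the pod IP."
+description: 'Optional: Host name to connect to, defaults to the pod IP.'
 type: string
 port:
 description: |-
@@ -889,7 +889,7 @@ spec:
 type: object
 properties:
 host:
-description: "Optional: Host name to connect to, defaults to the pod IP."
+description: 'Optional: Host name to connect to, defaults to the pod IP.'
 type: string
 port:
 description: |-
@@ -1315,7 +1315,7 @@ spec:
 - path
 properties:
 fieldRef:
-description: "Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported."
+description: 'Required: Selects a field of the pod: only annotations, labels, name, namespace and uid are supported.'
 type: object
 required:
 - fieldPath
@@ -1338,7 +1338,7 @@ spec:
 type: integer
 format: int32
 path:
-description: "Required: Path is the relative path name of the file to be created. Must not be absolute or contain the '..' path. Must be utf-8 encoded. The first item of the relative path must not start with '..'"
+description: 'Required: Path is the relative path name of the file to be created. Must not be absolute or contain the ''..'' path. Must be utf-8 encoded. The first item of the relative path must not start with ''..'''
 type: string
 resourceFieldRef:
 description: |-
@@ -1349,7 +1349,7 @@ spec:
 - resource
 properties:
 containerName:
-description: "Container name: required for volumes, optional for env vars"
+description: 'Container name: required for volumes, optional for env vars'
 type: string
 divisor:
 description: Specifies the output format of the exposed resources, defaults to "1"
@@ -1359,7 +1359,7 @@ spec:
 - type: string
 x-kubernetes-int-or-string: true
 resource:
-description: "Required: resource to select"
+description: 'Required: resource to select'
 type: string
 x-kubernetes-map-type: atomic
 x-kubernetes-list-type: atomic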

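--- a/pkg/activator/net/lb_policy.go
+++ b/pkg/activator/net/lb_policy.go
@@ -180,7 +180,14 @@ func leastConnectionsPolicy(ctx context.Context, targets []*podTracker) (func(),
 if weight < 0 {
 weight = 0
 }
-trackerLoads[i] = TrackerLoad{tracker: t, inFlight: uint64(weight)}
+// Safe conversion: weight is guaranteed to be non-negative after the check above
+// Since weight is int32 and non-negative, it will always fit in uint64
+// Use explicit check for gosec G115
+var inFlight uint64
+if weight >= 0 {
+inFlight = uint64(weight)
+}
+trackerLoads[i] = TrackerLoad{tracker: t, inFlight: inFlight}
 }
 }
 sort.Slice(trackerLoads, func(i, j int) bool {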
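Review bot: The added `if weight >= 0` guard is always true, because the three context lines directly above it already clamp `weight` to zero, so the zero-valued `inFlight` fallback is dead code that exists only to quiet gosec G115. A reader auditing integer conversions has to work out that the branch can never be skipped, and the comment's claim that weight is int32 cannot be checked from this hunk since the declaration is outside it. It would be clearer to keep the single conversion and record the invariant where the linter reads it, e.g. `trackerLoads[i] = TrackerLoad{tracker: t, inFlight: uint64(weight)} // #nosec G115 -- weight clamped to >= 0 above`. leastConnectionsPolicy starts and ends outside the hunk.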

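--- a/pkg/activator/net/throttler.go
+++ b/pkg/activator/net/throttler.go
@@ -18,6 +18,7 @@ package net
 
 import (
 "context"
+"math"
 "net/http"
 "slices"
 "sort"
@@ -240,7 +241,15 @@ func newRevisionThrottler(revID types.NamespacedName,
 if containerConcurrency < 0 {
 containerConcurrency = 0
 }
-t.containerConcurrency.Store(uint32(containerConcurrency))
+// Safe conversion: containerConcurrency is guaranteed to be non-negative after the check above
+var cc uint32
+if containerConcurrency >= 0 && containerConcurrency <= math.MaxUint32 {
+cc = uint32(containerConcurrency)
+} else if containerConcurrency > math.MaxUint32 {
+// Cap at max value if containerConcurrency exceeds uint32 range
+cc = math.MaxUint32
+}
+t.containerConcurrency.Store(cc)
 t.lbPolicy.Store(lbp)
 
 // Start with unknown
@@ -625,7 +634,15 @@ func (t *Throttler) revisionUpdated(obj any) {
 newPolicy, name := pickLBPolicy(rev.Spec.LoadBalancingPolicy, nil, int(containerConcurrency), t.logger)
 // Use atomic store for lock-free access in the hot request path
 rt.lbPolicy.Store(newPolicy)
-rt.containerConcurrency.Store(uint32(containerConcurrency))
+// Safe conversion: containerConcurrency is guaranteed to be non-negative after the check above
+var cc uint32
+if containerConcurrency >= 0 && containerConcurrency <= math.MaxUint32 {
+cc = uint32(containerConcurrency)
+} else if containerConcurrency > math.MaxUint32 {
+// Cap at max value if containerConcurrency exceeds uint32 range
+cc = math.MaxUint32
+}
+rt.containerConcurrency.Store(cc)
 t.logger.Infof("Updated revision throttler LB policy to: %s", name)
 }
 }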
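Review bot: The same saturating conversion is pasted into newRevisionThrottler and revisionUpdated, and in revisionUpdated the comment "guaranteed to be non-negative after the check above" points at a check that does not appear in that hunk, so the stated invariant cannot be confirmed there. In both copies a negative value falls through both branches and silently stores 0, which is the concurrency limit the throttler then reads. revisionUpdated also passes the unclamped `int(containerConcurrency)` to pickLBPolicy, so the chosen policy and the stored limit could disagree for out-of-range input. If containerConcurrency is a plain `int` in newRevisionThrottler (its signature is outside the hunk), the comparison with `math.MaxUint32` would also fail to compile on 32-bit targets. A single helper taking int64 puts the rule in one testable place; both functions continue outside their hunks.

```go
// clampToUint32 saturates v into the uint32 range: negative values become 0
// and values above math.MaxUint32 become math.MaxUint32.
func clampToUint32(v int64) uint32 {
	if v <= 0 {
		return 0
	}
	if v > math.MaxUint32 {
		return math.MaxUint32
	}
	return uint32(v)
}

// … unchanged: negative clamp in newRevisionThrottler …
t.containerConcurrency.Store(clampToUint32(int64(containerConcurrency)))

// … unchanged: pickLBPolicy call and lbPolicy store in revisionUpdated …
rt.containerConcurrency.Store(clampToUint32(int64(containerConcurrency)))
```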
