diff --git a/pkg/workflow/frontmatter_extraction_metadata.go b/pkg/workflow/frontmatter_extraction_metadata.go index cf142110c2..a17733c15c 100644 --- a/pkg/workflow/frontmatter_extraction_metadata.go +++ b/pkg/workflow/frontmatter_extraction_metadata.go @@ -2,6 +2,7 @@ package workflow import ( "fmt" + "math" "strings" ) @@ -143,6 +144,22 @@ func (c *Compiler) extractSafetyPromptSetting(tools map[string]any) bool { return true } +// safeUintToInt safely converts uint to int, returning 0 if overflow would occur +func safeUintToInt(u uint) int { + if u > math.MaxInt { + return 0 // Return 0 (engine default) if value would overflow + } + return int(u) +} + +// safeUint64ToInt safely converts uint64 to int, returning 0 if overflow would occur +func safeUint64ToInt(u uint64) int { + if u > math.MaxInt { + return 0 // Return 0 (engine default) if value would overflow + } + return int(u) +} + // extractToolsTimeout extracts the timeout setting from tools // Returns 0 if not set (engines will use their own defaults) func (c *Compiler) extractToolsTimeout(tools map[string]any) int { @@ -152,16 +169,16 @@ func (c *Compiler) extractToolsTimeout(tools map[string]any) int { // Check if timeout is explicitly set in tools if timeoutValue, exists := tools["timeout"]; exists { - // Handle different numeric types + // Handle different numeric types with safe conversions to prevent overflow switch v := timeoutValue.(type) { case int: return v case int64: return int(v) case uint: - return int(v) + return safeUintToInt(v) // Safe conversion to prevent overflow (alert #418) case uint64: - return int(v) + return safeUint64ToInt(v) // Safe conversion to prevent overflow (alert #416) case float64: return int(v) } @@ -180,16 +197,16 @@ func (c *Compiler) extractToolsStartupTimeout(tools map[string]any) int { // Check if startup-timeout is explicitly set in tools if timeoutValue, exists := tools["startup-timeout"]; exists { - // Handle different numeric types + // Handle different numeric types with safe conversions to prevent overflow switch v := timeoutValue.(type) { case int: return v case int64: return int(v) case uint: - return int(v) + return safeUintToInt(v) // Safe conversion to prevent overflow (alert #417) case uint64: - return int(v) + return safeUint64ToInt(v) // Safe conversion to prevent overflow (alert #415) case float64: return int(v) } diff --git a/pkg/workflow/safe_inputs_parser.go b/pkg/workflow/safe_inputs_parser.go index ceddb33ee3..db3d822bf0 100644 --- a/pkg/workflow/safe_inputs_parser.go +++ b/pkg/workflow/safe_inputs_parser.go @@ -3,6 +3,7 @@ package workflow import ( "encoding/json" "fmt" + "math" "strings" "github.com/githubnext/gh-aw/pkg/logger" @@ -10,6 +11,15 @@ import ( var safeInputsLog = logger.New("workflow:safe_inputs") +// safeUint64ToIntForTimeout safely converts uint64 to int for timeout values +// Returns 0 (which signals to use engine defaults) if overflow would occur +func safeUint64ToIntForTimeout(u uint64) int { + if u > math.MaxInt { + return 0 // Return 0 (engine default) if value would overflow + } + return int(u) +} + // SafeInputsConfig holds the configuration for safe-inputs custom tools type SafeInputsConfig struct { Mode string // Transport mode: "http" (default) or "stdio" @@ -211,7 +221,7 @@ func parseSafeInputsMap(safeInputsMap map[string]any) (*SafeInputsConfig, bool) case int: toolConfig.Timeout = t case uint64: - toolConfig.Timeout = int(t) + toolConfig.Timeout = safeUint64ToIntForTimeout(t) // Safe conversion to prevent overflow (alert #414) case float64: toolConfig.Timeout = int(t) case string: @@ -395,7 +405,7 @@ func (c *Compiler) mergeSafeInputs(main *SafeInputsConfig, importedConfigs []str case int: toolConfig.Timeout = t case uint64: - toolConfig.Timeout = int(t) + toolConfig.Timeout = safeUint64ToIntForTimeout(t) // Safe conversion to prevent overflow (alert #413) case float64: toolConfig.Timeout = int(t) case string: