From 71658218b6b32cc95be6e5e1f4d1d184a37e1f97 Mon Sep 17 00:00:00 2001
From: Sungkyu Yoo
Date: Sun, 19 Apr 2026 22:30:32 +0900
Subject: [PATCH 1/2] Potential fix for code scanning alert no. 22: Slice memory allocation with excessive size value
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 internal/services/secretsmanager/provider.go | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/internal/services/secretsmanager/provider.go b/internal/services/secretsmanager/provider.go
index cfb88d4..c272e67 100644
--- a/internal/services/secretsmanager/provider.go
+++ b/internal/services/secretsmanager/provider.go
@@ -426,9 +426,16 @@ func (p *Provider) cancelRotateSecret(params map[string]any) (*plugin.Response,
 // allowedChars is the default character pool for random passwords.
 const allowedChars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_=+[]{}|;:,.<>?"
 
+// maxRandomPasswordLength caps user-controlled password length to prevent
+// excessive memory allocation from untrusted input.
+const maxRandomPasswordLength = 4096
+
 func (p *Provider) getRandomPassword(params map[string]any) (*plugin.Response, error) {
 length := 32
- if l, ok := params["PasswordLength"].(float64); ok && l > 0 {
+ if l, ok := params["PasswordLength"].(float64); ok {
+ if l <= 0 || l > maxRandomPasswordLength {
+ return smError("InvalidParameterException", "PasswordLength must be between 1 and 4096", http.StatusBadRequest), nil
+ }
 length = int(l)
 }
 excludeChars, _ := params["ExcludeCharacters"].(string)
From 55a1776dd567f605a62950748827c192e041a14d Mon Sep 17 00:00:00 2001
From: Sung-Kyu Yoo
Date: Tue, 21 Apr 2026 01:33:35 +0900
Subject: [PATCH 2/2] fix: use maxRandomPasswordLength constant in error message instead of hardcoded 4096
---
 internal/services/secretsmanager/provider.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
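Review bot: The new bound `if l <= 0 || l > maxRandomPasswordLength {` still admits fractional values in (0, 1), which the following `length = int(l)` truncates to 0, so a request carrying PasswordLength 0.5 passes validation yet proceeds with length 0 even though the error message promises a floor of 1; the second patch's hunk at `@@ -434,7 +434,7 @@` carries the same condition unchanged. A check that rejects non-integer input without a new import would be `if l < 1 || l > maxRandomPasswordLength || float64(int(l)) != l {`, which also rejects NaN should the params map ever be populated from something other than a JSON decoder. A PasswordLength of the wrong type (a string, for instance) still fails the type assertion and silently falls back to 32, which predates this change but now sits beside strict numeric validation and may deserve the same InvalidParameterException. getRandomPassword's body continues past the end of the hunk, so how length is consumed is not visible here.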
diff --git a/internal/services/secretsmanager/provider.go b/internal/services/secretsmanager/provider.go
index c272e67..0f6a656 100644
--- a/internal/services/secretsmanager/provider.go
+++ b/internal/services/secretsmanager/provider.go
@@ -434,7 +434,7 @@ func (p *Provider) getRandomPassword(params map[string]any) (*plugin.Response, e
 length := 32
 if l, ok := params["PasswordLength"].(float64); ok {
 if l <= 0 || l > maxRandomPasswordLength {
- return smError("InvalidParameterException", "PasswordLength must be between 1 and 4096", http.StatusBadRequest), nil
+ return smError("InvalidParameterException", fmt.Sprintf("PasswordLength must be between 1 and %d", maxRandomPasswordLength), http.StatusBadRequest), nil
 }
 length = int(l)
 }