From 4734ea3b9bd1fe2915a0b53fda900aa4ecd010b6 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Tue, 17 Feb 2026 16:01:11 +0000
Subject: [PATCH] Fix parseSBOMFromPath to check file size before reading

Co-authored-by: bdehamer <398027+bdehamer@users.noreply.github.com>
---
 __tests__/sbom.test.ts | 2 +-
 package-lock.json | 10 ++++++++++
 src/sbom.ts | 13 +++++++++++--
 3 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/__tests__/sbom.test.ts b/__tests__/sbom.test.ts
index 97e2ad0..17b72d5 100644
--- a/__tests__/sbom.test.ts
+++ b/__tests__/sbom.test.ts
@@ -17,7 +17,7 @@ describe('parseSBOMFromPath', () => {
 describe('when file does not exist', () => {
 it('throws an error', async () => {
 await expect(parseSBOMFromPath('/nonexistent/file.json')).rejects.toThrow(
- /ENOENT/
+ /SBOM file not found/
 )
 })
 })
diff --git a/package-lock.json b/package-lock.json
index f22c42b..0c782db 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -175,6 +175,7 @@
 "integrity": "sha512-CGOfOJqWjg2qW/Mb6zNsDm+u5vFQ8DxXfbM09z69p5Z6+mE1ikP2jUXw+j42Pf1XTYED2Rni5f95npYeuwMDQA==",
 "dev": true,
 "license": "MIT",
+ "peer": true,
 "dependencies": {
 "@babel/code-frame": "^7.29.0",
 "@babel/generator": "^7.29.0",
@@ -1497,6 +1498,7 @@
 "resolved": "https://registry.npmjs.org/@octokit/core/-/core-7.0.6.tgz",
 "integrity": "sha512-DhGl4xMVFGVIyMwswXeyzdL4uXD5OGILGX5N8Y+f6W7LhC1Ze2poSNrkF/fedpVDHEEZ+PHFW0vL14I+mm8K3Q==",
 "license": "MIT",
+ "peer": true,
 "dependencies": {
 "@octokit/auth-token": "^6.0.0",
 "@octokit/graphql": "^9.0.3",
@@ -2365,6 +2367,7 @@
 "integrity": "sha512-1y/MVSz0NglV1ijHC8OT49mPJ4qhPYjiK08YUQVbIOyu+5k862LKUHFkpKHWu//zmr7hDR2rhwUm6gnCGNmGBQ==",
 "dev": true,
 "license": "MIT",
+ "peer": true,
 "dependencies": {
 "@eslint-community/regexpp": "^4.12.2",
 "@typescript-eslint/scope-manager": "8.55.0",
@@ -2404,6 +2407,7 @@
 "integrity": "sha512-4z2nCSBfVIMnbuu8uinj+f0o4qOeggYJLbjpPHka3KH1om7e+H9yLKTYgksTaHcGco+NClhhY2vyO3HsMH1RGw==",
 "dev": true,
 "license": "MIT",
+ "peer": true,
 "dependencies": {
 "@typescript-eslint/scope-manager": "8.55.0",
 "@typescript-eslint/types": "8.55.0",
@@ -2920,6 +2924,7 @@
 "integrity": "sha512-NZyJarBfL7nWwIq+FDL6Zp/yHEhePMNnnJ0y3qfieCrmNvYct8uvtiV41UvlSe6apAfk0fY1FbWx+NwfmpvtTg==",
 "dev": true,
 "license": "MIT",
+ "peer": true,
 "bin": {
 "acorn": "bin/acorn"
 },
@@ -3367,6 +3372,7 @@
 }
 ],
 "license": "MIT",
+ "peer": true,
 "dependencies": {
 "baseline-browser-mapping": "^2.9.0",
 "caniuse-lite": "^1.0.30001759",
@@ -4395,6 +4401,7 @@
 "integrity": "sha512-LEyamqS7W5HB3ujJyvi0HQK/dtVINZvd5mAAp9eT5S/ujByGjiZLCzPcHVzuXbpJDJF/cxwHlfceVUDZ2lnSTw==",
 "dev": true,
 "license": "MIT",
+ "peer": true,
 "dependencies": {
 "@eslint-community/eslint-utils": "^4.8.0",
 "@eslint-community/regexpp": "^4.12.1",
@@ -6090,6 +6097,7 @@
 "integrity": "sha512-F26gjC0yWN8uAA5m5Ss8ZQf5nDHWGlN/xWZIh8S5SRbsEKBovwZhxGd6LJlbZYxBgCYOtreSUyb8hpXyGC5O4A==",
 "dev": true,
 "license": "MIT",
+ "peer": true,
 "dependencies": {
 "@jest/core": "30.2.0",
 "@jest/types": "30.2.0",
@@ -9488,6 +9496,7 @@
 "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
 "dev": true,
 "license": "MIT",
+ "peer": true,
 "engines": {
 "node": ">=12"
 },
@@ -9799,6 +9808,7 @@
 "integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==",
 "dev": true,
 "license": "Apache-2.0",
+ "peer": true,
 "bin": {
 "tsc": "bin/tsc",
 "tsserver": "bin/tsserver"
diff --git a/src/sbom.ts b/src/sbom.ts
index 441f4c4..6185a31 100644
--- a/src/sbom.ts
+++ b/src/sbom.ts
@@ -11,15 +11,24 @@ export type SBOM = {
 const MAX_SBOM_SIZE_BYTES = 16 * 1024 * 1024
 export const parseSBOMFromPath = async (filePath: string): Promise => {
- const fileContent = await fs.readFile(filePath, 'utf8')
+ let stats
+ try {
+ stats = await fs.stat(filePath)
+ } catch (error) {
+ const err = error as NodeJS.ErrnoException
+ if (err.code === 'ENOENT') {
+ throw new Error('SBOM file not found')
+ }
+ throw error
+ }
- const stats = await fs.stat(filePath)
 if (stats.size > MAX_SBOM_SIZE_BYTES) {
 throw new Error(
 `SBOM file exceeds maximum allowed size: ${MAX_SBOM_SIZE_BYTES} bytes`
 )
 }
+ const fileContent = await fs.readFile(filePath, 'utf8')
 const sbom = JSON.parse(fileContent) as object
 if (checkIsSPDX(sbom)) {
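Review bot: The size limit is decided from `fs.stat(filePath)` and the file is then re-opened by path in `fs.readFile`, so if the path resolves to a different or larger file between the two calls the limit is not applied to what is actually loaded, and for a non-regular file (a FIFO or device) `stats.size` says nothing about how much `readFile` will consume. Opening the path once, taking `stats` from `handle.stat()`, rejecting with `if (!stats.isFile())`, and reading through the same handle ties the check to the file that is read; a regular file can still grow concurrently, so a bounded read would be the stricter form. The `catch` block would also be more useful if the original error stayed attached, e.g. `throw new Error('SBOM file not found', { cause: error })`, where the project's compile target allows the `cause` option. parseSBOMFromPath continues past the end of the hunk.
```typescript
  // … unchanged: signature …
  let handle
  try {
    handle = await fs.open(filePath, 'r')
  } catch (error) {
    const err = error as NodeJS.ErrnoException
    if (err.code === 'ENOENT') {
      throw new Error('SBOM file not found')
    }
    throw error
  }
  let fileContent
  try {
    // stat through the open handle so the size decision applies to the file being read
    const stats = await handle.stat()
    if (!stats.isFile()) {
      throw new Error('SBOM path is not a regular file')
    }
    if (stats.size > MAX_SBOM_SIZE_BYTES) {
      throw new Error(
        `SBOM file exceeds maximum allowed size: ${MAX_SBOM_SIZE_BYTES} bytes`
      )
    }
    fileContent = await handle.readFile('utf8')
  } finally {
    await handle.close()
  }
  // … unchanged: JSON.parse and format detection …
```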