test: validate inline-review anchoring (do not merge) #19

Closed
steve wants to merge 1 commit from test/inline-review-validation into main
+15
@@ -0,0 +1,15 @@
package main
import "strconv"
// probeParsePort is a THROWAWAY used only to validate Gadfly's inline-review
// anchoring end-to-end (this branch is never merged). It deliberately ignores
// the error from Atoi and hardcodes a fallback, so the swarm has a concrete
// finding to anchor an inline comment to on a changed line.
func probeParsePort(s string) int {

🔴 Parsed port value is unbounded: negative numbers and values > 65535 are returned unchecked

correctness, error-handling, maintainability, security · flagged by 5 models

  • cmd/gadfly/zz_inline_probe.go:10 — The error returned by strconv.Atoi is explicitly discarded (n, _ := ...). On any invalid input (empty string, non-numeric text, overflow), n is zero and the function silently falls back to 8080, swallowing the failure and masking garbage input as a default port.
  • cmd/gadfly/zz_inline_probe.go:9-14 — Even when Atoi succeeds, the function performs no bounds checking. Negative values (e.g., "-1" parses successfully) and values outside the valid…

🪰 Gadfly · advisory

n, _ := strconv.Atoi(s)
if n == 0 {
return 8080
}
return n
}
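Review bot: `if n == 0 { return 8080 }` only catches parse failures that happen to yield zero, so the error dropped by `n, _ := strconv.Atoi(s)` lets `"-1"` and `"70000"` through unchanged, and a legitimate `"0"` is indistinguishable from garbage. The doc comment says this is deliberate probe code that never merges, which is fine as a one-off, but the file sits in the `cmd/gadfly/` main package and would compile into the binary, so it should not outlive the validation run. If any of it does survive, keep the error and bounds-check before returning: `n, err := strconv.Atoi(s)` followed by `if err != nil || n < 1 || n > 65535 { return 8080 }`, or better, return the error to the caller instead of a silent default.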
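The failure mode the review describes (discarded Atoi error plus no range check) and its hardened counterpart, as an added example that is not part of this PR or of Gadfly's own code. `probeParsePort` is copied from the diff above for side-by-side comparison; `parsePort`, `portOrDefault` and `ErrPortOutOfRange` are names assumed here for illustration, and the input list in `main` is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
)

// ErrPortOutOfRange is returned for syntactically valid integers that are not
// usable as a TCP/UDP port number. (Assumed name for this example.)
var ErrPortOutOfRange = errors.New("port out of range (want 1..65535)")

// probeParsePort reproduces the PR's throwaway for comparison: the Atoi error
// is dropped and only an exact zero triggers the fallback, so "-1", "70000"
// and overflowed values (Atoi clamps those to a non-zero maximum) are all
// returned as-is.
func probeParsePort(s string) int {
	n, _ := strconv.Atoi(s)
	if n == 0 {
		return 8080
	}
	return n
}

// parsePort is the hardened form: the parse error is surfaced rather than
// swallowed, and the value is bounds-checked before it is handed back.
// Atoi itself rejects surrounding whitespace, so " 80" is a syntax error.
func parsePort(s string) (int, error) {
	n, err := strconv.Atoi(s)
	if err != nil {
		// err is a *strconv.NumError wrapping ErrSyntax or ErrRange; wrap it
		// again so callers can still errors.Is() on the sentinel.
		return 0, fmt.Errorf("parse port %q: %w", s, err)
	}
	if n < 1 || n > 65535 {
		return 0, fmt.Errorf("parse port %q: %w", s, ErrPortOutOfRange)
	}
	return n, nil
}

// portOrDefault replaces the "fall back to 8080" behaviour: it defaults only
// when the input is empty (explicitly not set), never on garbage.
func portOrDefault(s string, def int) (int, error) {
	if s == "" {
		return def, nil
	}
	return parsePort(s)
}

func main() {
	// Constructed sample inputs covering the cases raised in the review.
	inputs := []string{"", "8080", "abc", " 80", "-1", "0", "65535", "70000", "99999999999999999999"}
	for _, in := range inputs {
		p, err := portOrDefault(in, 8080)
		fmt.Printf("%-22q probe=%-20d hardened=%-5d err=%v\n", in, probeParsePort(in), p, err)
	}
}
```

Returning a wrapped error rather than a default keeps the caller in control: a config loader can decide whether an unset port means "use 8080" while a malformed one is a hard failure, which the original fallback could not distinguish.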