Fix #179

Possible Index Outside bounds of array when more than 128 packages are scanned
digitalcoyote · Mar 16, 2024 · 0257ba2 · 0257ba2
1 parent 88a80c0
commit 0257ba2
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 13 deletions.
diff --git a/Src/NuGetDefense.Lib/NuGetDefense.Lib.csproj b/Src/NuGetDefense.Lib/NuGetDefense.Lib.csproj
@@ -23,7 +23,7 @@
         <Description>NuGetDefense ~ Check for Known Vulnerabilities at Build</Description>
         <PackageDescription>NuGetDefense was inspired by [OWASP SafeNuGet](https://nuget.org/packages/SafeNuGet/) but aims to check with multiple sources for known vulnerabilities.</PackageDescription>
         <Copyright>Curtis Carter 2023</Copyright>
-        <Version>4.0.2.0</Version>
+        <Version>4.0.4.0</Version>
         <RepositoryType>git</RepositoryType>
         <PackageReadmeFile>README.md</PackageReadmeFile>
     </PropertyGroup>

diff --git a/Src/NuGetDefense.Lib/Scanner.cs b/Src/NuGetDefense.Lib/Scanner.cs
@@ -22,7 +22,7 @@ namespace NuGetDefense;
 
 public class Scanner
 {
-    public const string Version = "4.0.2.0";
+    public const string Version = "4.0.4.0";
     public const string UserAgentString = @$"NuGetDefense/{Version}";
     public const string DefaultSettingsFileName = "NuGetDefense.json";
     public const string DefaultVulnerabilityDataFileName = "VulnerabilityData.bin";
@@ -196,12 +196,13 @@ private void ScanVulnerabilities(ScanOptions options)
                 var modUncached = uncachedPkgs.Count % 128;
                 if (modUncached > 0 && cachedPackages.Length > 0)
                 {
-                    for (var i = cachedPackages.Length - 1; i >= cachedPackages.Length - modUncached; i--)
+                    var rescanCount = Math.Min(128 - modUncached, cachedPackages.Length);
+                    for (var i = cachedPackages.Length - 1; i >= 0; i--)
                     {
                         uncachedPkgs.Add(cachedPackages[i]);
                     }
-                    
-                    cachedPackages = cachedPackages[..^modUncached];
+
+                    cachedPackages = cachedPackages[..^rescanCount];
                 }
                 // Round out the calls to have a full set of packages each to refresh oldest cached packages
                 if (uncachedPkgs.Count > 0) uncachedPkgs.AddRange(cachedPackages.Take(uncachedPkgs.Count % 128));
@@ -236,12 +237,13 @@ private void ScanVulnerabilities(ScanOptions options)
                     var modUncached = uncachedPkgs.Count % 128;
                     if (modUncached > 0 && cachedPackages.Length > 0)
                     {
-                        for (var i = cachedPackages.Length - 1; i >= cachedPackages.Length - modUncached; i--)
+                        var rescanCount = Math.Min(128 - modUncached, cachedPackages.Length);
+                        for (var i = cachedPackages.Length - 1; i >= 0; i--)
                         {
                             uncachedPkgs.Add(cachedPackages[i]);
                         }
-                    
-                        cachedPackages = cachedPackages[..^modUncached];
+
+                        cachedPackages = cachedPackages[..^rescanCount];
                     }
                     Log.Logger.Verbose("Checking the GitHub Security Advisory Database for Vulnerabilities");
                     var ghsaVulnDict =

diff --git a/Src/NuGetDefense/NuGetDefense.csproj b/Src/NuGetDefense/NuGetDefense.csproj
@@ -21,8 +21,8 @@
         <IncludeSymbols>true</IncludeSymbols>
         <SymbolPackageFormat>snupkg</SymbolPackageFormat>
         <Nullable>enable</Nullable>
-        <AssemblyVersion>4.0.2.0</AssemblyVersion>
-        <FileVersion>4.0.2.0</FileVersion>
+        <AssemblyVersion>4.0.4.0</AssemblyVersion>
+        <FileVersion>4.0.4.0</FileVersion>
         <PackageIcon>icon.png</PackageIcon>
     </PropertyGroup>
     <PropertyGroup Condition="'$(Configuration)'=='Release'">
@@ -37,7 +37,7 @@
         <PackageId>NuGetDefense.Tool</PackageId>
         <PackAsTool>true</PackAsTool>
         <ToolCommandName>nugetdefense</ToolCommandName>
-        <Version>4.0.2.0</Version>
+        <Version>4.0.4.0</Version>
         <PackageReadmeFile>README.md</PackageReadmeFile>
     </PropertyGroup>
     <ItemGroup>

diff --git a/Src/NuGetDefense/NuGetDefense.nuspec b/Src/NuGetDefense/NuGetDefense.nuspec
@@ -3,7 +3,7 @@
     <metadata>
         <id>NuGetDefense</id>
         <title>NuGetDefense</title>
-        <version>4.0.2.0</version>
+        <version>4.0.4.0</version>
         <authors>Curtis Carter</authors>
         <owners>Curtis Carter</owners>
         <projectUrl>https://digitalcoyote.github.io/NuGetDefense/</projectUrl>
@@ -12,7 +12,7 @@
         <description>
             vulnerabilities.
         </description>
-        <releaseNotes>https://github.com/digitalcoyote/NuGetDefense/releases/tag/v4.0.2.0</releaseNotes>
+        <releaseNotes>https://github.com/digitalcoyote/NuGetDefense/releases/tag/v4.0.4.0</releaseNotes>
         <repository type="git" url="https://github.com/digitalcoyote/NuGetDefense.git"/>
         <license type="expression">MIT</license>
         <icon>images\icon.png</icon>