From 7850a05e67d4427e00f3aa704834895cf5775149 Mon Sep 17 00:00:00 2001
From: Sungkyu Yoo
Date: Sun, 19 Apr 2026 22:31:53 +0900
Subject: [PATCH 1/2] Potential fix for code scanning alert no. 20: Slice memory allocation with excessive size value
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 internal/services/ec2/provider.go | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/internal/services/ec2/provider.go b/internal/services/ec2/provider.go
index ebd1b8d..4535444 100644
--- a/internal/services/ec2/provider.go
+++ b/internal/services/ec2/provider.go
@@ -17,7 +17,10 @@ import (
 "github.com/skyoo2003/devcloud/internal/plugin"
 )
-const defaultAccountID = plugin.DefaultAccountID
+const (
+ defaultAccountID = plugin.DefaultAccountID
+ maxRunInstancesBatchCount = 1000
+)
 // Provider implements the EC2 service (Query/XML protocol).
 type Provider struct {
@@ -191,9 +194,14 @@ func (p *Provider) handleRunInstances(form url.Values) (*plugin.Response, error)
 instanceType := form.Get("InstanceType")
 count := 1
 if s := form.Get("MinCount"); s != "" {
- if n, err := strconv.Atoi(s); err == nil && n > 0 {
- count = n
+ n, err := strconv.Atoi(s)
+ if err != nil || n <= 0 {
+ return ec2XMLError("InvalidParameterValue", "MinCount must be a positive integer", http.StatusBadRequest), nil
+ }
+ if n > maxRunInstancesBatchCount {
+ return ec2XMLError("InvalidParameterValue", fmt.Sprintf("MinCount exceeds maximum allowed value (%d)", maxRunInstancesBatchCount), http.StatusBadRequest), nil
 }
+ count = n
 }
 instances, err := p.store.RunInstances(defaultAccountID, imageID, instanceType, count)
From 7d951e151dfc16c2e3dcac6feddef82fee110860 Mon Sep 17 00:00:00 2001
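Review bot: None of the three new 400 responses in the MinCount branch (non-numeric, non-positive, above maxRunInstancesBatchCount) is covered by a test — the diffstat shows only provider.go changing — even though they turn what used to be a silent fallback to `count = 1` into a hard rejection for existing callers. A table-driven test for handleRunInstances with `MinCount=0`, `MinCount=abc`, `MinCount=1001` and the boundary `MinCount=1000` would pin the contract and catch a regression back to the lenient parsing; the exact error strings added here are a good ground truth to assert on. handleRunInstances starts before this hunk and its body continues past the `instances, err :=` line shown.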
From: Sung-Kyu Yoo
Date: Tue, 21 Apr 2026 01:28:33 +0900
Subject: [PATCH 2/2] fix: address code review comments on RunInstances validation
- Document maxRunInstancesBatchCount rationale (matches AWS EC2 default)
- Add MaxCount validation with same checks as MinCount
---
 internal/services/ec2/provider.go | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/internal/services/ec2/provider.go b/internal/services/ec2/provider.go
index 4535444..af662e3 100644
--- a/internal/services/ec2/provider.go
+++ b/internal/services/ec2/provider.go
@@ -18,7 +18,8 @@ import (
 )
 const (
- defaultAccountID = plugin.DefaultAccountID
+ defaultAccountID = plugin.DefaultAccountID
+ // maxRunInstancesBatchCount matches the AWS EC2 default on-demand instance limit per launch request.
 maxRunInstancesBatchCount = 1000
 )
@@ -203,6 +204,19 @@ func (p *Provider) handleRunInstances(form url.Values) (*plugin.Response, error)
 }
 count = n
 }
+ if s := form.Get("MaxCount"); s != "" {
+ n, err := strconv.Atoi(s)
+ if err != nil || n <= 0 {
+ return ec2XMLError("InvalidParameterValue", "MaxCount must be a positive integer", http.StatusBadRequest), nil
+ }
+ if n > maxRunInstancesBatchCount {
+ return ec2XMLError("InvalidParameterValue", fmt.Sprintf("MaxCount exceeds maximum allowed value (%d)", maxRunInstancesBatchCount), http.StatusBadRequest), nil
+ }
+ if n < count {
+ return ec2XMLError("InvalidParameterValue", "MaxCount must be greater than or equal to MinCount", http.StatusBadRequest), nil
+ }
+ count = n
+ }
 instances, err := p.store.RunInstances(defaultAccountID, imageID, instanceType, count)
 if err != nil {
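Review bot: The added comment on maxRunInstancesBatchCount attributes 1000 to an "AWS EC2 default on-demand instance limit per launch request", which as far as I can tell is not a documented EC2 constant — RunInstances bounds MaxCount by the account's per-instance-type quota, not by a fixed per-request number — so a reader may treat the value as an API-compatibility requirement rather than the local safety cap it actually is (the first patch in this series introduced it to close a "slice memory allocation with excessive size value" finding). I would document it by purpose instead: `// maxRunInstancesBatchCount caps MinCount/MaxCount on a single RunInstances call so one request cannot force an unbounded allocation in the store; it is a local policy value, not an EC2 API constant.` The const block is fully visible in this hunk.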
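Review bot: The new MaxCount branch repeats the MinCount branch line for line — Atoi, the `<= 0` check, the cap check and the error wording, differing only in the parameter name — so the two validations will drift the next time one is touched; a small helper keyed by parameter name keeps a single path and leaves only the ordering constraint `if n < count` in the handler. The sketch below assumes ec2XMLError returns the handler's `*plugin.Response` (it is returned directly in the hunk), which is worth confirming against its declaration. The error order is preserved: MinCount is rejected before MaxCount is examined. handleRunInstances starts before this hunk and continues after the `if err != nil {` line.
```go
// parseInstanceCount reads the optional positive-integer form parameter name,
// bounded by maxRunInstancesBatchCount. It returns (value, true, nil) when the
// parameter is present and valid, (0, false, nil) when it is absent, and a
// non-nil error response when it is malformed or out of range.
func parseInstanceCount(form url.Values, name string) (int, bool, *plugin.Response) {
	s := form.Get(name)
	if s == "" {
		return 0, false, nil
	}
	n, err := strconv.Atoi(s)
	if err != nil || n <= 0 {
		return 0, false, ec2XMLError("InvalidParameterValue", name+" must be a positive integer", http.StatusBadRequest)
	}
	if n > maxRunInstancesBatchCount {
		return 0, false, ec2XMLError("InvalidParameterValue", fmt.Sprintf("%s exceeds maximum allowed value (%d)", name, maxRunInstancesBatchCount), http.StatusBadRequest)
	}
	return n, true, nil
}

// … unchanged: start of handleRunInstances through the InstanceType lookup …
	minN, hasMin, resp := parseInstanceCount(form, "MinCount")
	if resp != nil {
		return resp, nil
	}
	maxN, hasMax, resp := parseInstanceCount(form, "MaxCount")
	if resp != nil {
		return resp, nil
	}
	count := 1
	if hasMin {
		count = minN
	}
	if hasMax {
		// AWS semantics: MaxCount may not be below MinCount; launch the maximum.
		if maxN < count {
			return ec2XMLError("InvalidParameterValue", "MaxCount must be greater than or equal to MinCount", http.StatusBadRequest), nil
		}
		count = maxN
	}
	// … unchanged: p.store.RunInstances call and response …
```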