tomaioo opened a new pull request, #1492:
URL: https://github.com/apache/pulsar-client-go/pull/1492
## Summary
fix(security): 2 improvements across 2 files
## Problem
**Severity**: `High` | **File**: `pulsar/negative_backoff_policy.go:L30`
In `pulsar/negative_backoff_policy.go`, the backoff calculation uses a bit shift
(`minNackTime << redeliveryCount`) which can overflow when `redeliveryCount` is
large. The overflow causes the backoff to become 0, resulting in immediate retry
without any delay, potentially causing a denial of service.
## Solution
Add an overflow check before the shift operation: `if redeliveryCount >= 63 {
return maxNackTime }`. Also consider using `math.Min` with a pre-computed maximum
to avoid the overflow entirely.
## Changes
- `pulsar/negative_backoff_policy.go` (modified)
- `oauth2/oidc_endpoint_provider.go` (modified)
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
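The overflow the PR describes, reproduced as an added example that is not code from the pull request or from pulsar-client-go itself. The `minNackTime`/`maxNackTime` values below are constructed for the demonstration and are not the project's real constants; `unsafeBackoff` stands in for the shift-then-cap pattern the PR points at, and `safeBackoff` applies the PR's `>= 63` guard plus an extra pre-shift comparison against the cap (my variant of the "pre-computed maximum" suggestion), which also catches the wrap that happens well before a shift of 63.

```go
package main

import (
	"fmt"
	"math"
	"time"
)

// Constructed values for this example; the project's real constants may differ.
const (
	minNackTime = 1 * time.Second
	maxNackTime = 1000 * time.Second
)

// unsafeBackoff mirrors the pattern the PR describes: shift the minimum delay
// left by the redelivery count, then cap. time.Duration is an int64, so once
// the shifted value no longer fits, it wraps negative, and once the lowest set
// bit of minNackTime is shifted past bit 63 the result is exactly 0. Both
// pass the `> maxNackTime` cap check, so the consumer retries with no delay.
func unsafeBackoff(redeliveryCount uint32) time.Duration {
	d := minNackTime << redeliveryCount
	if d > maxNackTime {
		return maxNackTime
	}
	return d
}

// safeBackoff decides before shifting whether the shift can be trusted.
func safeBackoff(redeliveryCount uint32) time.Duration {
	// The guard proposed in the PR: a shift of 63 or more can never yield a
	// meaningful positive int64.
	if redeliveryCount >= 63 {
		return maxNackTime
	}
	// Extra guard (assumption, not from the PR): smaller shifts can still wrap.
	// Right shifts cannot overflow, so compare against the cap first; if
	// minNackTime <= maxNackTime>>n then minNackTime<<n <= maxNackTime fits.
	if minNackTime > maxNackTime>>redeliveryCount {
		return maxNackTime
	}
	return minNackTime << redeliveryCount
}

// unsafeBreaksAt returns the smallest redelivery count at which unsafeBackoff
// stops producing a positive delay (for the constructed constants above).
func unsafeBreaksAt() uint32 {
	for n := uint32(0); n < 64; n++ {
		if unsafeBackoff(n) <= 0 {
			return n
		}
	}
	return 64
}

func main() {
	fmt.Printf("unsafe backoff first becomes non-positive at count %d\n", unsafeBreaksAt())
	for _, n := range []uint32{0, 9, 10, 34, 55, 63, math.MaxUint32} {
		fmt.Printf("count=%-10d unsafe=%-22v safe=%v\n", n, unsafeBackoff(n), safeBackoff(n))
	}
}
```

With a 1s minimum the unsafe version goes negative at count 34 and returns exactly 0 at count 55, long before the `>= 63` boundary, which is why the pre-shift comparison is worth keeping alongside the PR's guard. Any delivery loop that treats a non-positive delay as "retry now" turns that into a tight redelivery loop against the broker.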