feat: copilot ifxes

Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>

Author: gusfcarvalho

main.go

@@ -29,10 +29,11 @@ import (
 )
 
 const (
-	defaultCheckTimeoutSeconds = 300
-	schemaVersionV1            = "v1"
-	sourceCloudCustodian       = "cloud-custodian"
-	defaultRemotePolicyTimeout = 30 * time.Second
+	defaultCheckTimeoutSeconds  = 300
+	schemaVersionV1             = "v1"
+	sourceCloudCustodian        = "cloud-custodian"
+	defaultRemotePolicyTimeout  = 30 * time.Second
+	defaultMaxRemotePolicyBytes = 1 << 20 // 1 MiB
 )
 
 var lookPath = exec.LookPath
@@ -261,9 +262,13 @@ func (e *CommandCustodianExecutor) Execute(ctx context.Context, req CustodianExe
 		result.Err = fmt.Errorf("custodian execution failed: %w", err)
 		result.Errors = append(result.Errors, result.Err.Error())
 	}
-	if runCtx.Err() != nil {
-		result.Err = errors.Join(result.Err, runCtx.Err())
-		result.Errors = append(result.Errors, runCtx.Err().Error())
+	if runErr := runCtx.Err(); runErr != nil {
+		// Avoid duplicating context timeout/cancel errors when cmd.Run already
+		// returned an error that wraps the same context failure.
+		if err == nil || !errors.Is(err, runErr) {
+			result.Err = errors.Join(result.Err, runErr)
+			result.Errors = append(result.Errors, runErr.Error())
+		}
 	}
 	if resourcesErr != nil {
 		result.Err = errors.Join(result.Err, resourcesErr)
@@ -595,11 +600,17 @@ func resolvePoliciesYAML(ctx context.Context, inlineYAML string, policiesPath st
 		if resp.StatusCode < 200 || resp.StatusCode >= 300 {
 			return nil, fmt.Errorf("unexpected status code %d while fetching policies_path", resp.StatusCode)
 		}
+		if resp.ContentLength > defaultMaxRemotePolicyBytes {
+			return nil, fmt.Errorf("policies_path response too large: content-length=%d exceeds max=%d bytes", resp.ContentLength, defaultMaxRemotePolicyBytes)
+		}
 
-		content, err := io.ReadAll(resp.Body)
+		content, err := io.ReadAll(io.LimitReader(resp.Body, defaultMaxRemotePolicyBytes+1))
 		if err != nil {
 			return nil, fmt.Errorf("failed to read policies_path response body: %w", err)
 		}
+		if len(content) > defaultMaxRemotePolicyBytes {
+			return nil, fmt.Errorf("policies_path response too large: size=%d exceeds max=%d bytes", len(content), defaultMaxRemotePolicyBytes)
+		}
 		return content, nil
 	default:
 		return nil, fmt.Errorf("unsupported policies_path scheme: %s", parsedURL.Scheme)

main_test.go

@@ -170,6 +170,23 @@ func TestResolvePoliciesYAML(t *testing.T) {
 		}
 	})
 
+	t.Run("http response too large", func(t *testing.T) {
+		oversized := strings.Repeat("a", defaultMaxRemotePolicyBytes+1)
+		srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			w.WriteHeader(http.StatusOK)
+			_, _ = w.Write([]byte(oversized))
+		}))
+		defer srv.Close()
+
+		_, err := resolvePoliciesYAML(context.Background(), "", srv.URL)
+		if err == nil {
+			t.Fatalf("expected error for oversized response body")
+		}
+		if !strings.Contains(err.Error(), "too large") {
+			t.Fatalf("expected oversized body error, got: %v", err)
+		}
+	})
+
 	t.Run("unsupported scheme", func(t *testing.T) {
 		_, err := resolvePoliciesYAML(context.Background(), "", "s3://bucket/policies.yaml")
 		if err == nil {
@@ -344,8 +361,14 @@ sleep 2
 		if !strings.Contains(result.Error, "deadline exceeded") {
 			t.Fatalf("expected deadline exceeded in error, got: %s", result.Error)
 		}
-		if len(result.Errors) == 0 {
-			t.Fatalf("expected structured execution errors")
+		deadlineMentions := 0
+		for _, msg := range result.Errors {
+			if strings.Contains(msg, "deadline exceeded") {
+				deadlineMentions++
+			}
+		}
+		if deadlineMentions > 1 {
+			t.Fatalf("expected at most one deadline exceeded entry, got: %v", result.Errors)
 		}
 	})
 }