Guard GraphQL PR number conversion against int32 overflow (#56)

Copilot · skarim · web-flow · commit ad21053fe913 · 2026-04-23T12:21:43.000-04:00
* Initial plan * fix: validate int range before GraphQL Int conversion Agent-Logs-Url: https://github.com/github/gh-stack/sessions/dbb2b50f-34fb-4957-ac08-e19c1f96ba41 Co-authored-by: skarim <1701557+skarim@users.noreply.github.com> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: skarim <1701557+skarim@users.noreply.github.com>
diff --git a/internal/github/github.go b/internal/github/github.go
@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"encoding/json"
 	"fmt"
+	"math"
 
 	"github.com/cli/go-gh/v2/pkg/api"
 	graphql "github.com/cli/shurcooL-graphql"
@@ -319,6 +320,11 @@ func (c *Client) FindPRDetailsForBranch(branch string) (*PRDetails, error) {
 
 // FindPRByNumber fetches a pull request by its number.
 func (c *Client) FindPRByNumber(number int) (*PullRequest, error) {
+	gqlNumber, err := toGraphQLInt(number)
+	if err != nil {
+		return nil, err
+	}
+
 	var query struct {
 		Repository struct {
 			PullRequest struct {
@@ -339,7 +345,7 @@ func (c *Client) FindPRByNumber(number int) (*PullRequest, error) {
 	variables := map[string]interface{}{
 		"owner":  graphql.String(c.owner),
 		"name":   graphql.String(c.repo),
-		"number": graphql.Int(number),
+		"number": gqlNumber,
 	}
 
 	if err := c.gql.Query("FindPRByNumber", &query, variables); err != nil {
@@ -364,6 +370,13 @@ func (c *Client) FindPRByNumber(number int) (*PullRequest, error) {
 	}, nil
 }
 
+func toGraphQLInt(n int) (graphql.Int, error) {
+	if n < math.MinInt32 || n > math.MaxInt32 {
+		return 0, fmt.Errorf("number %d is out of GraphQL Int range", n)
+	}
+	return graphql.Int(n), nil
+}
+
 type RemoteStack struct {
 	ID           int   `json:"id"`
 	PullRequests []int `json:"pull_requests"`
diff --git a/internal/github/github_test.go b/internal/github/github_test.go
@@ -3,6 +3,7 @@ package github
 import (
 	"testing"
 
+	graphql "github.com/cli/shurcooL-graphql"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -46,3 +47,16 @@ func TestPullRequest_IsQueued(t *testing.T) {
 		assert.False(t, pr.IsQueued())
 	})
 }
+
+func TestToGraphQLInt(t *testing.T) {
+	t.Run("in range", func(t *testing.T) {
+		got, err := toGraphQLInt(123)
+		assert.NoError(t, err)
+		assert.Equal(t, graphql.Int(123), got)
+	})
+
+	t.Run("out of range", func(t *testing.T) {
+		_, err := toGraphQLInt(1 << 40)
+		assert.Error(t, err)
+	})
+}
