🐛 add a codeowner expansion limit to prevent api exhaustion (#4817)

* add a codeowner expansion limit to prevent api exhaustion

Some repositories have 5,000+ CODEOWNERS, which completely exhaust API
quota. 100 was arbitrarily chosen, as a large but not extreme amount of
API quota to try and stay under.

https://github.com/DefinitelyTyped/DefinitelyTyped/blob/95890e39aca378c38427afd218e76cc2bbd3fc31/.github/CODEOWNERS

Signed-off-by: Spencer Schrock <[email protected]>

* add unit test for limiting contributors

Signed-off-by: Spencer Schrock <[email protected]>

---------

Signed-off-by: Spencer Schrock <[email protected]>

Author: spencerschrock

clients/githubrepo/contributors.go

@@ -18,7 +18,6 @@ import (
 	"context"
 	"fmt"
 	"io"
-	"maps"
 	"net/http"
 	"os"
 	"strings"
@@ -30,6 +29,8 @@ import (
 	"github.com/ossf/scorecard/v5/clients"
 )
 
+const codeownersLimit = 100
+
 // these are the paths where CODEOWNERS files can be found see
 // https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners#codeowners-file-location
 //
@@ -75,7 +76,7 @@ func (handler *contributorsHandler) setup(codeOwnerFile io.ReadCloser) error {
 			return
 		}
 
-		for contributor := range maps.Values(contributors) {
+		for _, contributor := range contributors {
 			orgs, _, err := handler.ghClient.Organizations.List(handler.ctx, contributor.Login, nil)
 			// This call can fail due to token scopes. So ignore error.
 			if err == nil {
@@ -132,12 +133,16 @@ func mapCodeOwners(handler *contributorsHandler, codeOwnerFile io.ReadCloser, co
 
 	// expanding owners
 	owners := make([]*clients.User, 0)
+outer:
 	for _, rule := range ruleset {
 		for _, owner := range rule.Owners {
 			switch owner.Type {
 			case codeowners.UsernameOwner:
 				// if usernameOwner just add to owners list
 				owners = append(owners, &clients.User{Login: owner.Value, NumContributions: 0, IsCodeOwner: true})
+				if len(owners) >= codeownersLimit {
+					break outer
+				}
 			case codeowners.TeamOwner:
 				// if teamOwner expand and add to owners list (only accessible by org members with read:org token scope)
 				splitTeam := strings.Split(owner.Value, "/")
@@ -151,6 +156,9 @@ func mapCodeOwners(handler *contributorsHandler, codeOwnerFile io.ReadCloser, co
 					if err == nil && response.StatusCode == http.StatusOK {
 						for _, user := range users {
 							owners = append(owners, &clients.User{Login: user.GetLogin(), NumContributions: 0, IsCodeOwner: true})
+							if len(owners) >= codeownersLimit {
+								break outer
+							}
 						}
 					}
 				}

clients/githubrepo/contributors_test.go

@@ -0,0 +1,96 @@
+// Copyright 2025 OpenSSF Scorecard Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//	http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+package githubrepo
+
+import (
+	"bytes"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"strings"
+	"testing"
+
+	"github.com/google/go-github/v53/github"
+
+	"github.com/ossf/scorecard/v5/clients"
+)
+
+type codeownerRoundTripper struct{}
+
+const tooManyCodeowners = 105
+
+func (c codeownerRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
+	switch req.URL.Path {
+	case "/orgs/ossf-tests/teams/foo/members":
+		type member struct {
+			Login string `json:"login"`
+		}
+		members := make([]member, 0, tooManyCodeowners)
+		for i := range tooManyCodeowners {
+			members = append(members, member{Login: fmt.Sprintf("user%d", i)})
+		}
+		jsonResp, err := json.Marshal(members)
+		if err != nil {
+			return nil, err
+		}
+		return &http.Response{
+			Status:     "200 OK",
+			StatusCode: http.StatusOK,
+			Body:       io.NopCloser(bytes.NewReader(jsonResp)),
+		}, nil
+	default:
+		return nil, errors.New("unsupported URL")
+	}
+}
+
+func Test_mapCodeOwners(t *testing.T) {
+	t.Parallel()
+	httpClient := &http.Client{
+		Transport: codeownerRoundTripper{},
+	}
+	client := github.NewClient(httpClient)
+	handler := &contributorsHandler{
+		ghClient: client,
+		ctx:      t.Context(),
+	}
+	t.Run("one team with more too many codeowners", func(t *testing.T) {
+		t.Parallel()
+		codeowners := io.NopCloser(strings.NewReader("* @ossf-tests/foo\n"))
+		contributors := map[string]clients.User{}
+		mapCodeOwners(handler, codeowners, contributors)
+		got := len(contributors)
+		if got != codeownersLimit {
+			t.Errorf("wanted less than %d CODEOWNERs, got %d", codeownersLimit, got)
+		}
+	})
+
+	t.Run("too many individual codeowners", func(t *testing.T) {
+		t.Parallel()
+		var sb strings.Builder
+		sb.WriteRune('*')
+		for i := range tooManyCodeowners {
+			sb.WriteString(fmt.Sprintf(" @user%d", i))
+		}
+		sb.WriteString("\n")
+		codeowners := io.NopCloser(strings.NewReader(sb.String()))
+		contributors := map[string]clients.User{}
+		mapCodeOwners(handler, codeowners, contributors)
+		got := len(contributors)
+		if got != codeownersLimit {
+			t.Errorf("wanted less than %d CODEOWNERs, got %d", codeownersLimit, got)
+		}
+	})
+}