go/gosec
1
0
Fork 0
mirror of https://github.com/securego/gosec.git synced 2025-11-27 22:28:20 +02:00
Code Issues Releases Activity

Fix G115 false positive when going from parsed uint to larger int

Browse Source 
Signed-off-by: Dave Henderson <dhenderson@gmail.com>
This commit is contained in:
Dave Henderson
2024-11-25 21:04:20 -05:00
committed by Cosmin Cojocar
parent 08ea2a57db
commit 9b13cd5ab4
2 changed files with 40 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
analyzers/conversion_overflow.go
View File

@@ -226,7 +226,12 @@ func isStringToIntConversion(instr *ssa.Convert, dstType string) bool {
if err != nil { if err != nil {
return false return false
} }
isSafe := bitSizeValue <= dstInt.size && signed == dstInt.signed
// we're good if:
// - signs match and bit size is <= than destination
// - parsing unsigned and bit size is < than destination
isSafe := (bitSizeValue <= dstInt.size && signed == dstInt.signed) ||
(bitSizeValue < dstInt.size && !signed)
return isSafe return isSafe
} }
} }

34
testutils/g115_samples.go
View File

@@ -426,6 +426,40 @@ import (
"strconv" "strconv"
) )
func main() {
var a string = "13"
b, _ := strconv.ParseUint(a, 10, 16)
c := int(b)
fmt.Printf("%d\n", c)
}
`,
}, 0, gosec.NewConfig()},
{[]string{
`
package main
import (
"fmt"
"strconv"
)
func main() {
var a string = "13"
b, _ := strconv.ParseUint(a, 10, 31)
c := int32(b)
fmt.Printf("%d\n", c)
}
`,
}, 0, gosec.NewConfig()},
{[]string{
`
package main
import (
"fmt"
"strconv"
)
func main() { func main() {
var a string = "13" var a string = "13"
b, _ := strconv.ParseInt(a, 10, 8) b, _ := strconv.ParseInt(a, 10, 8)