Improvement the int conversion overflow logic to handle bound checks (#1194)
* add test cases Signed-off-by: czechbol <adamludes@gmail.com> * fix bounds check logic Signed-off-by: czechbol <adamludes@gmail.com> * tweak test cases Signed-off-by: czechbol <adamludes@gmail.com> * fix codestyle Signed-off-by: czechbol <adamludes@gmail.com> * improve bounds check logic Signed-off-by: czechbol <adamludes@gmail.com> * max recursion depth Signed-off-by: czechbol <adamludes@gmail.com> * add test case for len function Signed-off-by: czechbol <adamludes@gmail.com> * relax len function bounds checks Co-authored-by: Ben Krieger <ben.krieger@intel.com> * handle cases when convert instruction is after the if blocks Signed-off-by: czechbol <adamludes@gmail.com> * improve range check discovery, add tests Signed-off-by: czechbol <adamludes@gmail.com> * refactor for readability Signed-off-by: czechbol <adamludes@gmail.com> * add cap function test Signed-off-by: czechbol <adamludes@gmail.com> * calculate signed min without throwing overflow warnings Signed-off-by: czechbol <adamludes@gmail.com> * perform bounds checks int size calculations Signed-off-by: czechbol <adamludes@gmail.com> * basic equal operator logic Signed-off-by: czechbol <adamludes@gmail.com> * uintptr -> unsafe.Pointer test case Signed-off-by: czechbol <adamludes@gmail.com> * fix review comments Signed-off-by: czechbol <adamludes@gmail.com> * Rebase and fix go module Change-Id: I8da6495eaaf25b1739389aa98492bd7df338085b Signed-off-by: Cosmin Cojocar <ccojocar@google.com> * fix false positive for negated value Signed-off-by: czechbol <adamludes@gmail.com> * fix range conditions Signed-off-by: czechbol <adamludes@gmail.com> * Ignore the golangci/gosec G115 warning Change-Id: I0db56cb0a5f9ab6e815e2480ec0b66d7061b23d3 Signed-off-by: Cosmin Cojocar <ccojocar@google.com> --------- Signed-off-by: czechbol <adamludes@gmail.com> Signed-off-by: Cosmin Cojocar <ccojocar@google.com> Co-authored-by: Ben Krieger <ben.krieger@intel.com> Co-authored-by: Cosmin Cojocar <ccojocar@google.com>
@ -287,10 +287,54 @@ package main
|
||||
import (
|
||||
"fmt"
|
||||
"math"
|
||||
"math/rand"
|
||||
)
|
||||
|
||||
func main() {
|
||||
var a int64 = 13
|
||||
a := rand.Int63()
|
||||
if a < math.MinInt32 {
|
||||
panic("out of range")
|
||||
}
|
||||
if a > math.MaxInt32 {
|
||||
panic("out of range")
|
||||
}
|
||||
b := int32(a)
|
||||
fmt.Printf("%d\n", b)
|
||||
}
|
||||
`,
|
||||
}, 0, gosec.NewConfig()},
|
||||
{[]string{
|
||||
`
|
||||
package main
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"math"
|
||||
"math/rand"
|
||||
)
|
||||
|
||||
func main() {
|
||||
a := rand.Int63()
|
||||
if a < math.MinInt32 && a > math.MaxInt32 {
|
||||
panic("out of range")
|
||||
}
|
||||
b := int32(a)
|
||||
fmt.Printf("%d\n", b)
|
||||
}
|
||||
`,
|
||||
}, 1, gosec.NewConfig()},
|
||||
{[]string{
|
||||
`
|
||||
package main
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"math"
|
||||
"math/rand"
|
||||
)
|
||||
|
||||
func main() {
|
||||
a := rand.Int63()
|
||||
if a < math.MinInt32 || a > math.MaxInt32 {
|
||||
panic("out of range")
|
||||
}
|
||||
@ -330,7 +374,7 @@ import (
|
||||
|
||||
func main() {
|
||||
var a int32 = math.MaxInt32
|
||||
if a < math.MinInt32 || a > math.MaxInt32 {
|
||||
if a < math.MinInt32 && a > math.MaxInt32 {
|
||||
panic("out of range")
|
||||
}
|
||||
var b int64 = int64(a) * 2
|
||||
@ -390,4 +434,286 @@ func main() {
|
||||
}
|
||||
`,
|
||||
}, 1, gosec.NewConfig()},
|
||||
{[]string{
|
||||
`
|
||||
package main
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"math"
|
||||
"math/rand"
|
||||
)
|
||||
|
||||
func main() {
|
||||
a := rand.Int63()
|
||||
if a < 0 {
|
||||
panic("out of range")
|
||||
}
|
||||
if a > math.MaxUint32 {
|
||||
panic("out of range")
|
||||
}
|
||||
b := uint32(a)
|
||||
fmt.Printf("%d\n", b)
|
||||
}
|
||||
`,
|
||||
}, 0, gosec.NewConfig()},
|
||||
{[]string{
|
||||
`
|
||||
package main
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"math/rand"
|
||||
)
|
||||
|
||||
func main() {
|
||||
a := rand.Int63()
|
||||
if a < 0 {
|
||||
panic("out of range")
|
||||
}
|
||||
b := uint32(a)
|
||||
fmt.Printf("%d\n", b)
|
||||
}
|
||||
`,
|
||||
}, 1, gosec.NewConfig()},
|
||||
{[]string{
|
||||
`
|
||||
package main
|
||||
|
||||
import (
|
||||
"math"
|
||||
)
|
||||
|
||||
func foo(x int) uint32 {
|
||||
if x < 0 {
|
||||
return 0
|
||||
}
|
||||
if x > math.MaxUint32 {
|
||||
return math.MaxUint32
|
||||
}
|
||||
return uint32(x)
|
||||
}
|
||||
`,
|
||||
}, 0, gosec.NewConfig()},
|
||||
{[]string{
|
||||
`
|
||||
package main
|
||||
|
||||
import (
|
||||
"math"
|
||||
)
|
||||
|
||||
func foo(items []string) uint32 {
|
||||
x := len(items)
|
||||
if x > math.MaxUint32 {
|
||||
return math.MaxUint32
|
||||
}
|
||||
return uint32(x)
|
||||
}
|
||||
`,
|
||||
}, 0, gosec.NewConfig()},
|
||||
{[]string{
|
||||
`
|
||||
package main
|
||||
|
||||
import (
|
||||
"math"
|
||||
)
|
||||
|
||||
func foo(items []string) uint32 {
|
||||
x := cap(items)
|
||||
if x > math.MaxUint32 {
|
||||
return math.MaxUint32
|
||||
}
|
||||
return uint32(x)
|
||||
}
|
||||
`,
|
||||
}, 0, gosec.NewConfig()},
|
||||
{[]string{
|
||||
`
|
||||
package main
|
||||
|
||||
import (
|
||||
"math"
|
||||
)
|
||||
|
||||
func foo(items []string) uint32 {
|
||||
x := len(items)
|
||||
if x < math.MaxUint32 {
|
||||
return uint32(x)
|
||||
}
|
||||
return math.MaxUint32
|
||||
}
|
||||
`,
|
||||
}, 0, gosec.NewConfig()},
|
||||
{[]string{
|
||||
`
|
||||
package main
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"math"
|
||||
"math/rand"
|
||||
)
|
||||
|
||||
func main() {
|
||||
a := rand.Int63()
|
||||
if a >= math.MinInt32 && a <= math.MaxInt32 {
|
||||
b := int32(a)
|
||||
fmt.Printf("%d\n", b)
|
||||
}
|
||||
panic("out of range")
|
||||
}
|
||||
`,
|
||||
}, 0, gosec.NewConfig()},
|
||||
{[]string{
|
||||
`
|
||||
package main
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"math"
|
||||
"math/rand"
|
||||
)
|
||||
|
||||
func main() {
|
||||
a := rand.Int63()
|
||||
if a >= math.MinInt32 && a <= math.MaxInt32 {
|
||||
b := int32(a)
|
||||
fmt.Printf("%d\n", b)
|
||||
}
|
||||
panic("out of range")
|
||||
}
|
||||
`,
|
||||
}, 0, gosec.NewConfig()},
|
||||
{[]string{
|
||||
`
|
||||
package main
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"math"
|
||||
"math/rand"
|
||||
)
|
||||
|
||||
func main() {
|
||||
a := rand.Int63()
|
||||
if !(a >= math.MinInt32) && a > math.MaxInt32 {
|
||||
b := int32(a)
|
||||
fmt.Printf("%d\n", b)
|
||||
}
|
||||
panic("out of range")
|
||||
}
|
||||
`,
|
||||
}, 0, gosec.NewConfig()},
|
||||
{[]string{
|
||||
`
|
||||
package main
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"math"
|
||||
"math/rand"
|
||||
)
|
||||
|
||||
func main() {
|
||||
a := rand.Int63()
|
||||
if !(a >= math.MinInt32) || a > math.MaxInt32 {
|
||||
panic("out of range")
|
||||
}
|
||||
b := int32(a)
|
||||
fmt.Printf("%d\n", b)
|
||||
}
|
||||
`,
|
||||
}, 0, gosec.NewConfig()},
|
||||
{[]string{
|
||||
`
|
||||
package main
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"math"
|
||||
"math/rand"
|
||||
)
|
||||
|
||||
func main() {
|
||||
a := rand.Int63()
|
||||
if math.MinInt32 <= a && math.MaxInt32 >= a {
|
||||
b := int32(a)
|
||||
fmt.Printf("%d\n", b)
|
||||
}
|
||||
panic("out of range")
|
||||
}
|
||||
`,
|
||||
}, 0, gosec.NewConfig()},
|
||||
{[]string{
|
||||
`
|
||||
package main
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"math/rand"
|
||||
)
|
||||
|
||||
func main() {
|
||||
a := rand.Int63()
|
||||
if a == 3 || a == 4 {
|
||||
b := int32(a)
|
||||
fmt.Printf("%d\n", b)
|
||||
}
|
||||
panic("out of range")
|
||||
}
|
||||
`,
|
||||
}, 0, gosec.NewConfig()},
|
||||
{[]string{
|
||||
`
|
||||
package main
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"math/rand"
|
||||
)
|
||||
|
||||
func main() {
|
||||
a := rand.Int63()
|
||||
if a != 3 || a != 4 {
|
||||
panic("out of range")
|
||||
}
|
||||
b := int32(a)
|
||||
fmt.Printf("%d\n", b)
|
||||
}
|
||||
`,
|
||||
}, 0, gosec.NewConfig()},
|
||||
{[]string{
|
||||
`
|
||||
package main
|
||||
|
||||
import "unsafe"
|
||||
|
||||
func main() {
|
||||
i := uintptr(123)
|
||||
p := unsafe.Pointer(i)
|
||||
_ = p
|
||||
}
|
||||
`,
|
||||
}, 0, gosec.NewConfig()},
|
||||
{[]string{
|
||||
`
|
||||
package main
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"math/rand"
|
||||
)
|
||||
|
||||
func main() {
|
||||
a := rand.Int63()
|
||||
if a >= 0 {
|
||||
panic("no positivity allowed")
|
||||
}
|
||||
b := uint64(-a)
|
||||
fmt.Printf("%d\n", b)
|
||||
}
|
||||
`,
|
||||
}, 0, gosec.NewConfig()},
|
||||
}
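Review bot: The sample at `if !(a >= math.MinInt32) && a > math.MaxInt32 {` expects 0 findings, but its guard is unsatisfiable (`a < MinInt32 && a > MaxInt32`), so the `int32(a)` inside it is dead code and the expectation passes without demonstrating that negated bounds are actually understood. A satisfiable, truncating variant such as `if !(a >= math.MinInt32) && a < math.MaxInt32 { b := int32(a) }` with an expected count of 1 would pin that the negation is read as a failed lower bound rather than as a bound being established; whether the new logic handles that case is not visible from this file. The two samples starting `if a >= math.MinInt32 && a <= math.MaxInt32 {` are byte-identical, so the second adds no coverage and could be replaced by the variant above. Separately, the `foo(x int)`, `len` and `cap` samples compare an `int` against `math.MaxUint32`, which does not compile where `int` is 32 bits, so these samples tie the test build to 64-bit targets. The sample table these hunks extend is declared before the first hunk.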
|
||||
|