1
0
mirror of https://github.com/securego/gosec.git synced 2025-07-03 00:27:05 +02:00

Improvement the int conversion overflow logic to handle bound checks (#1194)

* add test cases

Signed-off-by: czechbol <adamludes@gmail.com>

* fix bounds check logic

Signed-off-by: czechbol <adamludes@gmail.com>

* tweak test cases

Signed-off-by: czechbol <adamludes@gmail.com>

* fix codestyle

Signed-off-by: czechbol <adamludes@gmail.com>

* improve bounds check logic

Signed-off-by: czechbol <adamludes@gmail.com>

* max recursion depth

Signed-off-by: czechbol <adamludes@gmail.com>

* add test case for len function

Signed-off-by: czechbol <adamludes@gmail.com>

* relax len function bounds checks

Co-authored-by: Ben Krieger <ben.krieger@intel.com>

* handle cases when convert instruction is after the if blocks

Signed-off-by: czechbol <adamludes@gmail.com>

* improve range check discovery, add tests

Signed-off-by: czechbol <adamludes@gmail.com>

* refactor for readability

Signed-off-by: czechbol <adamludes@gmail.com>

* add cap function test

Signed-off-by: czechbol <adamludes@gmail.com>

* calculate signed min without throwing overflow warnings

Signed-off-by: czechbol <adamludes@gmail.com>

* perform bounds checks int size calculations

Signed-off-by: czechbol <adamludes@gmail.com>

* basic equal operator logic

Signed-off-by: czechbol <adamludes@gmail.com>

* uintptr -> unsafe.Pointer test case

Signed-off-by: czechbol <adamludes@gmail.com>

* fix review comments

Signed-off-by: czechbol <adamludes@gmail.com>

* Rebase and fix go module

Change-Id: I8da6495eaaf25b1739389aa98492bd7df338085b
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>

* fix false positive for negated value

Signed-off-by: czechbol <adamludes@gmail.com>

* fix range conditions

Signed-off-by: czechbol <adamludes@gmail.com>

* Ignore the golangci/gosec G115 warning

Change-Id: I0db56cb0a5f9ab6e815e2480ec0b66d7061b23d3
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>

---------

Signed-off-by: czechbol <adamludes@gmail.com>
Signed-off-by: Cosmin Cojocar <ccojocar@google.com>
Co-authored-by: Ben Krieger <ben.krieger@intel.com>
Co-authored-by: Cosmin Cojocar <ccojocar@google.com>
This commit is contained in:
czechbol
2024-09-04 16:09:54 +02:00
committed by GitHub
parent ea5b2766bb
commit eaedce9a8b
5 changed files with 838 additions and 71 deletions

View File

@ -287,10 +287,54 @@ package main
import (
"fmt"
"math"
"math/rand"
)
func main() {
var a int64 = 13
a := rand.Int63()
if a < math.MinInt32 {
panic("out of range")
}
if a > math.MaxInt32 {
panic("out of range")
}
b := int32(a)
fmt.Printf("%d\n", b)
}
`,
}, 0, gosec.NewConfig()},
{[]string{
`
package main
import (
"fmt"
"math"
"math/rand"
)
func main() {
a := rand.Int63()
if a < math.MinInt32 && a > math.MaxInt32 {
panic("out of range")
}
b := int32(a)
fmt.Printf("%d\n", b)
}
`,
}, 1, gosec.NewConfig()},
{[]string{
`
package main
import (
"fmt"
"math"
"math/rand"
)
func main() {
a := rand.Int63()
if a < math.MinInt32 || a > math.MaxInt32 {
panic("out of range")
}
@ -330,7 +374,7 @@ import (
func main() {
var a int32 = math.MaxInt32
if a < math.MinInt32 || a > math.MaxInt32 {
if a < math.MinInt32 && a > math.MaxInt32 {
panic("out of range")
}
var b int64 = int64(a) * 2
@ -390,4 +434,286 @@ func main() {
}
`,
}, 1, gosec.NewConfig()},
{[]string{
`
package main
import (
"fmt"
"math"
"math/rand"
)
func main() {
a := rand.Int63()
if a < 0 {
panic("out of range")
}
if a > math.MaxUint32 {
panic("out of range")
}
b := uint32(a)
fmt.Printf("%d\n", b)
}
`,
}, 0, gosec.NewConfig()},
{[]string{
`
package main
import (
"fmt"
"math/rand"
)
func main() {
a := rand.Int63()
if a < 0 {
panic("out of range")
}
b := uint32(a)
fmt.Printf("%d\n", b)
}
`,
}, 1, gosec.NewConfig()},
{[]string{
`
package main
import (
"math"
)
func foo(x int) uint32 {
if x < 0 {
return 0
}
if x > math.MaxUint32 {
return math.MaxUint32
}
return uint32(x)
}
`,
}, 0, gosec.NewConfig()},
{[]string{
`
package main
import (
"math"
)
func foo(items []string) uint32 {
x := len(items)
if x > math.MaxUint32 {
return math.MaxUint32
}
return uint32(x)
}
`,
}, 0, gosec.NewConfig()},
{[]string{
`
package main
import (
"math"
)
func foo(items []string) uint32 {
x := cap(items)
if x > math.MaxUint32 {
return math.MaxUint32
}
return uint32(x)
}
`,
}, 0, gosec.NewConfig()},
{[]string{
`
package main
import (
"math"
)
func foo(items []string) uint32 {
x := len(items)
if x < math.MaxUint32 {
return uint32(x)
}
return math.MaxUint32
}
`,
}, 0, gosec.NewConfig()},
{[]string{
`
package main
import (
"fmt"
"math"
"math/rand"
)
func main() {
a := rand.Int63()
if a >= math.MinInt32 && a <= math.MaxInt32 {
b := int32(a)
fmt.Printf("%d\n", b)
}
panic("out of range")
}
`,
}, 0, gosec.NewConfig()},
{[]string{
`
package main
import (
"fmt"
"math"
"math/rand"
)
func main() {
a := rand.Int63()
if a >= math.MinInt32 && a <= math.MaxInt32 {
b := int32(a)
fmt.Printf("%d\n", b)
}
panic("out of range")
}
`,
}, 0, gosec.NewConfig()},
{[]string{
`
package main
import (
"fmt"
"math"
"math/rand"
)
func main() {
a := rand.Int63()
if !(a >= math.MinInt32) && a > math.MaxInt32 {
b := int32(a)
fmt.Printf("%d\n", b)
}
panic("out of range")
}
`,
}, 0, gosec.NewConfig()},
{[]string{
`
package main
import (
"fmt"
"math"
"math/rand"
)
func main() {
a := rand.Int63()
if !(a >= math.MinInt32) || a > math.MaxInt32 {
panic("out of range")
}
b := int32(a)
fmt.Printf("%d\n", b)
}
`,
}, 0, gosec.NewConfig()},
{[]string{
`
package main
import (
"fmt"
"math"
"math/rand"
)
func main() {
a := rand.Int63()
if math.MinInt32 <= a && math.MaxInt32 >= a {
b := int32(a)
fmt.Printf("%d\n", b)
}
panic("out of range")
}
`,
}, 0, gosec.NewConfig()},
{[]string{
`
package main
import (
"fmt"
"math/rand"
)
func main() {
a := rand.Int63()
if a == 3 || a == 4 {
b := int32(a)
fmt.Printf("%d\n", b)
}
panic("out of range")
}
`,
}, 0, gosec.NewConfig()},
{[]string{
`
package main
import (
"fmt"
"math/rand"
)
func main() {
a := rand.Int63()
if a != 3 || a != 4 {
panic("out of range")
}
b := int32(a)
fmt.Printf("%d\n", b)
}
`,
}, 0, gosec.NewConfig()},
{[]string{
`
package main
import "unsafe"
func main() {
i := uintptr(123)
p := unsafe.Pointer(i)
_ = p
}
`,
}, 0, gosec.NewConfig()},
{[]string{
`
package main
import (
"fmt"
"math/rand"
)
func main() {
a := rand.Int63()
if a >= 0 {
panic("no positivity allowed")
}
b := uint64(-a)
fmt.Printf("%d\n", b)
}
`,
}, 0, gosec.NewConfig()},
}