Fix G115 false positive when going from parsed uint to larger int

Signed-off-by: Dave Henderson <dhenderson@gmail.com>
2025-01-12 04:45:53 +00:00 · 2024-11-25 21:04:20 -05:00 · 2024-11-25 21:04:20 -05:00 · 9b13cd5ab4
commit 9b13cd5ab4
parent 08ea2a57db
2 changed files with 40 additions and 1 deletions
--- a/analyzers/conversion_overflow.go
+++ b/analyzers/conversion_overflow.go
@ -226,7 +226,12 @@ func isStringToIntConversion(instr *ssa.Convert, dstType string) bool {
 						if err != nil {
 							return false
 						}
-						isSafe := bitSizeValue <= dstInt.size && signed == dstInt.signed
+
+						// we're good if:
+						// - signs match and bit size is <= than destination
+						// - parsing unsigned and bit size is < than destination
+						isSafe := (bitSizeValue <= dstInt.size && signed == dstInt.signed) ||
+							(bitSizeValue < dstInt.size && !signed)
 						return isSafe
 					}
 				}
--- a/testutils/g115_samples.go
+++ b/testutils/g115_samples.go
@ -426,6 +426,40 @@ import (
        "strconv"
 )

+func main() {
+        var a string = "13"
+        b, _ := strconv.ParseUint(a, 10, 16)
+        c := int(b)
+        fmt.Printf("%d\n", c)
+}
+	`,
+	}, 0, gosec.NewConfig()},
+	{[]string{
+		`
+package main
+
+import (
+        "fmt"
+        "strconv"
+)
+
+func main() {
+        var a string = "13"
+        b, _ := strconv.ParseUint(a, 10, 31)
+        c := int32(b)
+        fmt.Printf("%d\n", c)
+}
+	`,
+	}, 0, gosec.NewConfig()},
+	{[]string{
+		`
+package main
+
+import (
+        "fmt"
+        "strconv"
+)
+
 func main() {
        var a string = "13"
        b, _ := strconv.ParseInt(a, 10, 8)