-
-
Notifications
You must be signed in to change notification settings - Fork 620
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
G115: integer overflow conversion uint8 -> int64 #1185
Comments
Agree, lots of alerts from yesterday in our CI/CD pipeline |
Yes same here, could you add documentation about how to make G115 pass? Otherwise we are going to ignore all alerts :( We've tried to add bound checks and nothing works |
Broken in this change I guess #1130 This seems like a seriously under-cooked change which is currently mandating a lot of //nolint flags for us. Example of another goof -> |
I was also surprised to see #1149 being merged so fast. While the idea is good, why not after all. But it should have been reviewed by testing the behavior of the rules on large codebase. Or make this rule optional at first |
The rule can be simply excluded from the scanning if is causing too many issues on your code base:
|
For my toolchain I've opted for adding //nolint:gosec to lines where casting is required and otherwise reviewed casting, so I suppose it's a useful exercise for code tidiness... |
@FairlySadPanda the |
@ldemailly the false positive from |
I actually had not considered this, and it's a good point, but this doesn't sit completely right still. Casting is ultimately the executive decision of the programmer; having to specifically disable the rule or add a flag to skip specific casts as known-good means the value of the test itself becomes questionable. Int and the other core builtins being variable in size would be good to communicate as part of the failure string when doing this sort of check, regardless - both for this and 109. Whilst 64-bit is the default these days, the specification itself is written to cope with 32 bit, and it's easy to get led astray by the documentation. |
@FairlySadPanda You are free to skip this rule if you don't find it useful for your use case. Nobody is dictating its usage, but it some cases, integer overflow can lead to security issues. Unfortunately go runtime doesn't protect against this. |
I don't see that test and I definitely see the error. unless it's been fixed since the version golanglint-ci picked in 1.60.2 - on phone but will link ci output as well as repro in a bit |
This rule seems to be broken. More info on: securego/gosec#1185
@ccojocar I updated the repro, it was simplified too much: this reproes
package main
import (
"fmt"
)
func main() {
str := "A\xFF"
i := int64(str[0])
fmt.Printf("%d\n", i)
} |
Thanks to the OP for reporting this and the gosec contributors for working on it. Without being too critical: Its much more difficult to detect but I think most of the existing detections are a lot more accurate. |
FIY bounds checks which are not implicit in the int type are not yet handled, this should be addressed by #1187. Please add any code sample which handles the bound checks explicitly in that issue. Thanks |
how im supposed to fix something like this? i mean i parse a string via |
@xsteadfastx your options are:
linters-settings:
gosec:
excludes:
# Flags for potentially-unsafe casting of ints, similar problem to globally-disabled G103
- G115
I've gone with a mix of 2 and 3 for the time being. I suspect there's other folks like me who got caught out here when pulling a latest from golang-ci. Given other bossy rules from gosec are globally-disabled there, I might raise an issue there to see if G115 should get added. |
@xsteadfastx the If you try to scan this code sample, you can see that gosec doesn't return any warning:
|
I've opened a discussion on golangci's repo as this is probably more of a concern for folks doing CI than people wanting to do one-off security sweeps, where detecting possible overflows is of higher value :) golangci/golangci-lint#4939 |
For info, G115 was disabled by default in golangci-lint |
Thanks for the quick fix for the original issue I reported (and thanks for the thoughts on figuring out code that does bound check to auto not flag)
Will be once this merge, which will create yet another set of nolintlint now errors in CI |
ParseInt(x,x,32) makes sure it will fit into int32. See also securego/gosec#1185 Signed-off-by: Víctor Cuadrado Juan <[email protected]>
ParseInt(x,x,32) makes sure it will fit into int32. See also securego/gosec#1185 Signed-off-by: Víctor Cuadrado Juan <[email protected]>
Changes were made to this check in v1.60.2, which introduced a lot of noise and false positives. This commit disables this for now. Ref: securego/gosec#1185 Signed-off-by: Prajwal S N <[email protected]>
A change to the rule gosec(G115) made a large amount of FP for gosec appear when updating to the latest golang-ci linter. securego/gosec#1185 securego/gosec#1149 We're going to ignore this rule for the time being while waiting for gosec to get updates so that bound checking and example snippets of `valid` code is added for this rule Signed-off-by: Christopher Phillips <[email protected]>
* chore(deps): update tools to latest versions Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * chore: disable gosec(G115) A change to the rule gosec(G115) made a large amount of FP for gosec appear when updating to the latest golang-ci linter. securego/gosec#1185 securego/gosec#1149 We're going to ignore this rule for the time being while waiting for gosec to get updates so that bound checking and example snippets of `valid` code is added for this rule Signed-off-by: Christopher Phillips <[email protected]> --------- Signed-off-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Signed-off-by: Christopher Phillips <[email protected]> Co-authored-by: spiffcs <[email protected]>
Ignoring this rule as this doesn't break anything but causes lint errors. Upstream ref: securego/gosec#1185
…8.0 (#1813) * Bump github.com/grafana/synthetic-monitoring-agent from 0.25.2 to 0.28.0 Bumps [github.com/grafana/synthetic-monitoring-agent](https://github.com/grafana/synthetic-monitoring-agent) from 0.25.2 to 0.28.0. - [Release notes](https://github.com/grafana/synthetic-monitoring-agent/releases) - [Changelog](https://github.com/grafana/synthetic-monitoring-agent/blob/main/CHANGELOG.md) - [Commits](grafana/synthetic-monitoring-agent@v0.25.2...v0.28.0) --- updated-dependencies: - dependency-name: github.com/grafana/synthetic-monitoring-agent dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> * rever go/toolchain versioning * fix(lint): ensure golangci-lint works with go1.23 and fix lint errors * chore: disable gosec(G115) Ignoring this rule as this doesn't break anything but causes lint errors. Upstream ref: securego/gosec#1185 * test: fix test throwing 'addDataSourceConflict {"message":"data source with the same name already exists"}' I can't get this test to work, I've tried: - Replacing ParallelTest() with just Test() - Replacing 'foo' with a random string I keep getting this: ``` === RUN TestAccResourceJob resource_job_test.go:23: Step 1/3 error: Error running apply: exit status 1 Error: [POST /datasources][409] addDataSourceConflict {"message":"data source with the same name already exists"} with grafana_data_source.foo, on terraform_plugin_test.tf line 1, in resource "grafana_data_source" "foo": 1: resource "grafana_data_source" "foo" { --- FAIL: TestAccResourceJob (1.26s) ``` --------- Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Duologic <[email protected]>
…8.0 (#1813) * Bump github.com/grafana/synthetic-monitoring-agent from 0.25.2 to 0.28.0 Bumps [github.com/grafana/synthetic-monitoring-agent](https://github.com/grafana/synthetic-monitoring-agent) from 0.25.2 to 0.28.0. - [Release notes](https://github.com/grafana/synthetic-monitoring-agent/releases) - [Changelog](https://github.com/grafana/synthetic-monitoring-agent/blob/main/CHANGELOG.md) - [Commits](grafana/synthetic-monitoring-agent@v0.25.2...v0.28.0) --- updated-dependencies: - dependency-name: github.com/grafana/synthetic-monitoring-agent dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> * rever go/toolchain versioning * fix(lint): ensure golangci-lint works with go1.23 and fix lint errors * chore: disable gosec(G115) Ignoring this rule as this doesn't break anything but causes lint errors. Upstream ref: securego/gosec#1185 * test: fix test throwing 'addDataSourceConflict {"message":"data source with the same name already exists"}' I can't get this test to work, I've tried: - Replacing ParallelTest() with just Test() - Replacing 'foo' with a random string I keep getting this: ``` === RUN TestAccResourceJob resource_job_test.go:23: Step 1/3 error: Error running apply: exit status 1 Error: [POST /datasources][409] addDataSourceConflict {"message":"data source with the same name already exists"} with grafana_data_source.foo, on terraform_plugin_test.tf line 1, in resource "grafana_data_source" "foo": 1: resource "grafana_data_source" "foo" { --- FAIL: TestAccResourceJob (1.26s) ``` --------- Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Duologic <[email protected]>
Summary
uint8 -> int64 has no overflow
Steps to reproduce the behavior
gosec version
81cda2f
Go version (output of 'go version')
go version go1.22.6 darwin/arm64
Operating system / Environment
n/a
Expected behavior
no complaint
Actual behavior
complains
G115: integer overflow conversion uint8 -> int64:
The text was updated successfully, but these errors were encountered: