Skip to content

IncorrectIntegerConversionQuery precision is overly ambitious and its help should warn about false positives #17570

New issue
New issue
Closed
Closed
IncorrectIntegerConversionQuery precision is overly ambitious and its help should warn about false positives#17570
Assignees
owen-mc
@jsoref

Description

@jsoref
jsoref
opened on Sep 25, 2024

codeql/go/ql/src/Security/CWE-681/IncorrectIntegerConversionQuery.ql

Line 13 in 590e93d

* @precision very-high

We've seen people trying to "fix" reports based on this tooling. I spent some time tracing the flow of one such incident:
argoproj/argo-cd#18436 (comment)

For my reference, I used https://github.com/check-spelling-sandbox/argo-cd/security/code-scanning/3

@jketema wrote:

The @precision very-high on the query suggests that there should near 0 false positives on this query, maybe the precision should be lowered?

@owen-mc wrote:

We do try to detect bounds checks, but we can only do it when the value you are checking against is a constant, and in this case you pass a constant into the function and then use the corresponding parameter as the bound, which our analysis isn't able to detect.
...
It is a fair comment that the precision of that query should be lowered to high. At the same time, I can try to explain in the qhelp file which ways of fixing this problem we try to detect, and when they don't work.

The current help doesn't warn about bounds checks that could be sufficient but which aren't understood by the checker:

codeql/go/ql/src/Security/CWE-681/IncorrectIntegerConversionQuery.qhelp

Lines 18 to 28 in 590e93d

If you need to parse integer values with specific bit sizes, avoid <code>strconv.Atoi</code>, and instead
use <code>strconv.ParseInt</code> or <code>strconv.ParseUint</code>, which also allow specifying the
bit size.
</p>
<p>
When using those functions, be careful to not convert the result to another type with a smaller bit size than
the bit size you specified when parsing the number.
</p>
<p>
If this is not possible, then add upper (and lower) bound checks specific to each type and
bit size (you can find the minimum and maximum value for each type in the <code>math</code> package).

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions