rules/sdk: handle two integer overflow edge cases (cosmos#20)

kirbyquerby · web-flow · commit cfeebb886112 · 2022-05-28T19:02:58.000-07:00
diff --git a/rules/sdk/integer.go b/rules/sdk/integer.go
@@ -38,8 +38,7 @@ func (i *integerOverflowCheck) ID() string {
 // TODO: restrict it to just the possible bit-sizes for X (unspecified, 8, 16, 32, 64)
 // TODO: check if y's bit-size is greater than X
 func (i *integerOverflowCheck) Match(node ast.Node, ctx *gosec.Context) (*gosec.Issue, error) {
-
-	// ignore if its protobuf
+	// ignore if it's protobuf
 	fileName := ctx.FileSet.File(node.Pos()).Name()
 	if strings.HasSuffix(fileName, ".pb.go") {
 		return nil, nil
@@ -70,6 +69,19 @@ func (i *integerOverflowCheck) Match(node ast.Node, ctx *gosec.Context) (*gosec.
 			return nil, nil
 		}
 
+		switch arg := arg.(type) {
+		case *ast.CallExpr:
+			// len() returns an int that is always >= 0, so it will fit in a uint, uint64, or int64.
+			if argFun, ok := arg.Fun.(*ast.Ident); ok && argFun.Name == "len" && (fun.Name == "uint" || fun.Name == "uint64" || fun.Name == "int64") {
+				return nil, nil
+			}
+		case *ast.SelectorExpr:
+			// If the argument is being cast to its underlying type, there's no risk.
+			if ctx.Info.TypeOf(arg).Underlying() == ctx.Info.TypeOf(fun) {
+				return nil, nil
+			}
+		}
+
 		// TODO: run the go type checker to determine the
 		// type of arg so we can check if the type
 		// conversion is reducing the bit-size and could overflow.
