crytic
diff --git a/‎lints/type_cosplay/Cargo.toml‎
Lines changed: 4 additions & 0 deletions b/‎lints/type_cosplay/Cargo.toml‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎lints/type_cosplay/notes.md‎ renamed to ‎lints/type_cosplay/NOTES.md‎
Lines changed: 7 additions & 9 deletions b/‎lints/type_cosplay/notes.md‎ renamed to ‎lints/type_cosplay/NOTES.md‎
Lines changed: 7 additions & 9 deletions
diff --git a/‎lints/type_cosplay/src/lib.rs‎
Lines changed: 10 additions & 5 deletions b/‎lints/type_cosplay/src/lib.rs‎
Lines changed: 10 additions & 5 deletions
@@ -29,6 +29,10 @@ path = "ui/recommended/src/lib.rs"
 name = "secure"
 path = "ui/secure/src/lib.rs"
 
+[[example]]
+name = "secure-2"
+path = "ui/secure-2/src/lib.rs"
+
 [dependencies]
 clippy_utils = { git = "https://github.com/rust-lang/rust-clippy", rev = "0cb0f7636851f9fcc57085cf80197a2ef6db098f" }
 dylint_linting = "2.0.1"
 
@@ -46,12 +46,10 @@ Two circumstances avoid the type cosplay attack.
 Whenever we refer to a type, we refer to whether it was deserialized in the program, not
 to the type definition.
 
-- single deserialized type; is enum => SECURE
-- single deserialized type; is not enum; has discriminant => SECURE
-- single deserialized type; is not enum; no discriminant => INSECURE (insecure)
-  NOTE: do we really need to check if one is an enum?
-- multiple deserialized types; one is enum; all structs have discriminant => SECURE
-- multiple deserialized types; one is enum; some struct doesn't have discriminant => INSECURE
-- multiple deserialized types; multiple enums => INSECURE (insecure-2)
-- multiple deserialized types; no enums; all structs have discriminant => SECURE
-- multiple deserialized types; no enums; some struct doesn't have discriminant => INSECURE
+- single deserialized type-kind; is not enum; no discriminant => INSECURE (insecure)
+- single deserialized type-kind; is enum; multiple enums => INSECURE (insecure-2)
+- multiple deserialized type-kinds => INSECURE (insecure-3)
+- single deserialized type-kind; is not enum; has discriminant => SECURE (secure)
+- single deserialized type-kind; is enum; single enum => SECURE* (secure-2)
+
+*caveat: if the program defines another identical enum, but never uses it, could be a vulnerability
@@ -93,7 +93,7 @@ impl<'tcx> LateLintPass<'tcx> for TypeCosplay {
                 cx,
                 TYPE_COSPLAY,
                 spans[0],
-                "Deserializing from multiple ADT types.",
+                "Deserializing from different ADT types.",
                 Some(spans[1]),
                 "help: deserialize from only structs with a discriminant, or an enum encapsulating all structs."
             )
@@ -191,11 +191,16 @@ fn insecure_3() {
 }
 
 #[test]
-fn recommended() {
-    dylint_testing::ui_test_example(env!("CARGO_PKG_NAME"), "recommended");
+fn secure() {
+    dylint_testing::ui_test_example(env!("CARGO_PKG_NAME"), "secure");
 }
 
 #[test]
-fn secure() {
-    dylint_testing::ui_test_example(env!("CARGO_PKG_NAME"), "secure");
+fn secure_two() {
+    dylint_testing::ui_test_example(env!("CARGO_PKG_NAME"), "secure-2");
+}
+
+#[test]
+fn recommended() {
+    dylint_testing::ui_test_example(env!("CARGO_PKG_NAME"), "recommended");
 }