Address review comments 3

Author: owen-mc

ql/src/Security/CWE-681/IncorrectIntegerConversion.qhelp

@@ -64,4 +64,11 @@ or check bounds before making the conversion as in <code>parseAllocateGood4</cod
 </p>
 <sample src="IncorrectIntegerConversionGood.go"/>
 </example>
+<references>
+<li>Wikipedia <a href="https://en.wikipedia.org/wiki/Integer_overflow">Integer overflow</a>.</li>
+<li>Go language specification <a href="https://golang.org/ref/spec#Integer_overflow">Integer overflow</a>.</li>
+<li>Documentation for <a href="https://golang.org/pkg/strconv/#Atoi"><code>strconv.Atoi</code></a>.</li>
+<li>Documentation for <a href="https://golang.org/pkg/strconv/#ParseInt"><code>strconv.ParseInt</code></a>.</li>
+<li>Documentation for <a href="https://golang.org/pkg/strconv/#ParseUint"><code>strconv.ParseUint</code></a>.</li>
+</references>
 </qhelp>

ql/src/Security/CWE-681/IncorrectIntegerConversion.ql

@@ -61,6 +61,7 @@ class ConversionWithoutBoundsCheckConfig extends TaintTracking::Configuration {
     this = "ConversionWithoutBoundsCheckConfig" + sourceBitSize + sourceIsSigned + sinkBitSize
   }
 
+  /** Gets the bit size of the source. */
   int getSourceBitSize() { result = sourceBitSize }
 
   override predicate isSource(DataFlow::Node source) {
@@ -73,8 +74,14 @@ class ConversionWithoutBoundsCheckConfig extends TaintTracking::Configuration {
         else sourceIsSigned = false
       ) and
       (
-        bitSize = ip.getTargetBitSize() or
-        bitSize = ip.getTargetBitSizeInput().getNode(c).getIntValue()
+        bitSize = ip.getTargetBitSize()
+        or
+        if
+          exists(StrConv::IntSize intSize |
+            ip.getTargetBitSizeInput().getNode(c).(DataFlow::ReadNode).reads(intSize)
+          )
+        then bitSize = 0
+        else bitSize = ip.getTargetBitSizeInput().getNode(c).getIntValue()
       ) and
       // `bitSize` could be any value between 0 and 64, but we can round
       // it up to the nearest size of an integer type without changing
@@ -129,7 +136,7 @@ class UpperBoundCheckGuard extends DataFlow::BarrierGuard, DataFlow::RelationalC
     exists(int strictnessOffset |
       if expr.isStrict() then strictnessOffset = 1 else strictnessOffset = 0
     |
-      result = expr.getAnOperand().getIntValue() - strictnessOffset
+      result = expr.getAnOperand().getExactValue().toFloat() - strictnessOffset
     )
   }
 

ql/src/semmle/go/frameworks/Stdlib.qll

@@ -524,8 +524,8 @@ module IntegerParser {
 
     /**
      * Gets the `FunctionInput` containing the maximum bit size of the
-     * return value, if this makes sense, where 0 represents the bit
-     * size of `int` and `uint`.
+     * return value, if this makes sense. Note that if the value of the
+     * input is 0 then it means the bit size of `int` and `uint`.
      */
     FunctionInput getTargetBitSizeInput() { none() }
   }

ql/test/query-tests/Security/CWE-681/IncorrectIntegerConversion.expected

@@ -53,6 +53,12 @@ edges
 | IncorrectIntegerConversion.go:268:3:268:49 | ... := ...[0] : uint64 | IncorrectIntegerConversion.go:287:7:287:19 | type conversion |
 | IncorrectIntegerConversion.go:303:3:303:48 | ... := ...[0] : int64 | IncorrectIntegerConversion.go:307:7:307:18 | type conversion |
 | IncorrectIntegerConversion.go:313:2:313:47 | ... := ...[0] : int64 | IncorrectIntegerConversion.go:317:7:317:19 | type conversion |
+| IncorrectIntegerConversion.go:322:2:322:60 | ... := ...[0] : int64 | IncorrectIntegerConversion.go:326:6:326:17 | type conversion |
+| IncorrectIntegerConversion.go:322:2:322:60 | ... := ...[0] : int64 | IncorrectIntegerConversion.go:327:6:327:18 | type conversion |
+| IncorrectIntegerConversion.go:322:2:322:60 | ... := ...[0] : int64 | IncorrectIntegerConversion.go:328:6:328:18 | type conversion |
+| IncorrectIntegerConversion.go:322:2:322:60 | ... := ...[0] : int64 | IncorrectIntegerConversion.go:329:6:329:19 | type conversion |
+| IncorrectIntegerConversion.go:322:2:322:60 | ... := ...[0] : int64 | IncorrectIntegerConversion.go:330:6:330:18 | type conversion |
+| IncorrectIntegerConversion.go:322:2:322:60 | ... := ...[0] : int64 | IncorrectIntegerConversion.go:331:6:331:19 | type conversion |
 nodes
 | IncorrectIntegerConversion.go:26:2:26:28 | ... := ...[0] : int | semmle.label | ... := ...[0] : int |
 | IncorrectIntegerConversion.go:35:41:35:50 | type conversion | semmle.label | type conversion |
@@ -139,6 +145,15 @@ nodes
 | IncorrectIntegerConversion.go:307:7:307:18 | type conversion | semmle.label | type conversion |
 | IncorrectIntegerConversion.go:313:2:313:47 | ... := ...[0] : int64 | semmle.label | ... := ...[0] : int64 |
 | IncorrectIntegerConversion.go:317:7:317:19 | type conversion | semmle.label | type conversion |
+| IncorrectIntegerConversion.go:322:2:322:60 | ... := ...[0] : int64 | semmle.label | ... := ...[0] : int64 |
+| IncorrectIntegerConversion.go:322:2:322:60 | ... := ...[0] : int64 | semmle.label | ... := ...[0] : int64 |
+| IncorrectIntegerConversion.go:322:2:322:60 | ... := ...[0] : int64 | semmle.label | ... := ...[0] : int64 |
+| IncorrectIntegerConversion.go:326:6:326:17 | type conversion | semmle.label | type conversion |
+| IncorrectIntegerConversion.go:327:6:327:18 | type conversion | semmle.label | type conversion |
+| IncorrectIntegerConversion.go:328:6:328:18 | type conversion | semmle.label | type conversion |
+| IncorrectIntegerConversion.go:329:6:329:19 | type conversion | semmle.label | type conversion |
+| IncorrectIntegerConversion.go:330:6:330:18 | type conversion | semmle.label | type conversion |
+| IncorrectIntegerConversion.go:331:6:331:19 | type conversion | semmle.label | type conversion |
 #select
 | IncorrectIntegerConversion.go:26:2:26:28 | ... := ...[0] | IncorrectIntegerConversion.go:26:2:26:28 | ... := ...[0] : int | IncorrectIntegerConversion.go:35:41:35:50 | type conversion | Incorrect conversion of an integer with architecture-dependent bit size from strconv.Atoi to a lower bit size type int32 without an upper bound check. |
 | IncorrectIntegerConversion.go:65:3:65:49 | ... := ...[0] | IncorrectIntegerConversion.go:65:3:65:49 | ... := ...[0] : int64 | IncorrectIntegerConversion.go:69:7:69:18 | type conversion | Incorrect conversion of a 16-bit integer from strconv.ParseInt to a lower bit size type int8 without an upper bound check. |
@@ -194,3 +209,9 @@ nodes
 | IncorrectIntegerConversion.go:268:3:268:49 | ... := ...[0] | IncorrectIntegerConversion.go:268:3:268:49 | ... := ...[0] : uint64 | IncorrectIntegerConversion.go:287:7:287:19 | type conversion | Incorrect conversion of a 32-bit integer from strconv.ParseUint to a lower bit size type uint8 without an upper bound check. |
 | IncorrectIntegerConversion.go:303:3:303:48 | ... := ...[0] | IncorrectIntegerConversion.go:303:3:303:48 | ... := ...[0] : int64 | IncorrectIntegerConversion.go:307:7:307:18 | type conversion | Incorrect conversion of a 16-bit integer from strconv.ParseInt to a lower bit size type uint8 without an upper bound check. |
 | IncorrectIntegerConversion.go:313:2:313:47 | ... := ...[0] | IncorrectIntegerConversion.go:313:2:313:47 | ... := ...[0] : int64 | IncorrectIntegerConversion.go:317:7:317:19 | type conversion | Incorrect conversion of a 32-bit integer from strconv.ParseInt to a lower bit size type int16 without an upper bound check. |
+| IncorrectIntegerConversion.go:322:2:322:60 | ... := ...[0] | IncorrectIntegerConversion.go:322:2:322:60 | ... := ...[0] : int64 | IncorrectIntegerConversion.go:326:6:326:17 | type conversion | Incorrect conversion of an integer with architecture-dependent bit size from strconv.ParseInt to a lower bit size type int8 without an upper bound check. |
+| IncorrectIntegerConversion.go:322:2:322:60 | ... := ...[0] | IncorrectIntegerConversion.go:322:2:322:60 | ... := ...[0] : int64 | IncorrectIntegerConversion.go:327:6:327:18 | type conversion | Incorrect conversion of an integer with architecture-dependent bit size from strconv.ParseInt to a lower bit size type uint8 without an upper bound check. |
+| IncorrectIntegerConversion.go:322:2:322:60 | ... := ...[0] | IncorrectIntegerConversion.go:322:2:322:60 | ... := ...[0] : int64 | IncorrectIntegerConversion.go:328:6:328:18 | type conversion | Incorrect conversion of an integer with architecture-dependent bit size from strconv.ParseInt to a lower bit size type int16 without an upper bound check. |
+| IncorrectIntegerConversion.go:322:2:322:60 | ... := ...[0] | IncorrectIntegerConversion.go:322:2:322:60 | ... := ...[0] : int64 | IncorrectIntegerConversion.go:329:6:329:19 | type conversion | Incorrect conversion of an integer with architecture-dependent bit size from strconv.ParseInt to a lower bit size type uint16 without an upper bound check. |
+| IncorrectIntegerConversion.go:322:2:322:60 | ... := ...[0] | IncorrectIntegerConversion.go:322:2:322:60 | ... := ...[0] : int64 | IncorrectIntegerConversion.go:330:6:330:18 | type conversion | Incorrect conversion of an integer with architecture-dependent bit size from strconv.ParseInt to a lower bit size type int32 without an upper bound check. |
+| IncorrectIntegerConversion.go:322:2:322:60 | ... := ...[0] | IncorrectIntegerConversion.go:322:2:322:60 | ... := ...[0] : int64 | IncorrectIntegerConversion.go:331:6:331:19 | type conversion | Incorrect conversion of an integer with architecture-dependent bit size from strconv.ParseInt to a lower bit size type uint32 without an upper bound check. |

ql/test/query-tests/Security/CWE-681/IncorrectIntegerConversion.go

@@ -317,3 +317,20 @@ func testPathWithMoreThanOneSink(input string) {
 	v := int16(parsed) // NOT OK
 	_ = int8(v)        // OK
 }
+
+func testUsingStrConvIntSize(input string) {
+	parsed, err := strconv.ParseInt(input, 10, strconv.IntSize)
+	if err != nil {
+		panic(err)
+	}
+	_ = int8(parsed)   // NOT OK
+	_ = uint8(parsed)  // NOT OK
+	_ = int16(parsed)  // NOT OK
+	_ = uint16(parsed) // NOT OK
+	_ = int32(parsed)  // NOT OK
+	_ = uint32(parsed) // NOT OK
+	_ = int64(parsed)  // OK
+	_ = uint64(parsed) // OK
+	_ = int(parsed)    // OK
+	_ = uint(parsed)   // OK
+}