Add query for incorrect integer conversion

owen-mc · owen-mc · commit 329888e62c58 · 2020-08-10T11:04:25.000+01:00
diff --git a/ql/src/Security/CWE-681/IncorrectIntegerConversion.go b/ql/src/Security/CWE-681/IncorrectIntegerConversion.go
@@ -0,0 +1,20 @@
+package main
+
+import (
+	"strconv"
+)
+
+func parseAllocateBad1(wanted string) int32 {
+	parsed, err := strconv.Atoi(wanted)
+	if err != nil {
+		panic(err)
+	}
+	return int32(parsed)
+}
+func parseAllocateBad2(wanted string) int32 {
+	parsed, err := strconv.ParseInt(wanted, 10, 64)
+	if err != nil {
+		panic(err)
+	}
+	return int32(parsed)
+}
diff --git a/ql/src/Security/CWE-681/IncorrectIntegerConversion.qhelp b/ql/src/Security/CWE-681/IncorrectIntegerConversion.qhelp
@@ -0,0 +1,67 @@
+<!DOCTYPE qhelp PUBLIC
+"-//Semmle//qhelp//EN"
+"qhelp.dtd">
+<qhelp>
+<overview>
+<p>
+If a string is parsed into an int using <code>strconv.Atoi</code>, and subsequently that int
+is converted into another integer type of a smaller size, the result can produce unexpected values.
+</p>
+<p>
+This also applies to the results of <code>strconv.ParseInt</code> and <code>strconv.ParseUint</code> when
+the specified size is larger than the size of the type that number is converted to.
+</p>
+</overview>
+
+<recommendation>
+<p>
+If you need to parse integer values with specific bit sizes, avoid <code>strconv.Atoi</code>, and instead
+use <code>strconv.ParseInt</code> or <code>strconv.ParseUint</code>, which also allow specifying the
+bit size.
+</p>
+<p>
+When using those functions, be careful to not convert the result to another type with a smaller bit size than
+the bit size you specified when parsing the number.
+</p>
+<p>
+If this is not possible, then add upper (and lower) bound checks specific to each type and
+bit size (you can find the minimum and maximum value for each type in the `math` package).
+</p>
+</recommendation>
+
+<example>
+<p>
+In the first example, assume that an input string is passed to <code>parseAllocateBad1</code> function,
+parsed by <code>strconv.Atoi</code>, and then converted into an <code>int32</code> type:
+</p>
+<sample src="IncorrectIntegerConversion.go"/>
+<p>
+The bounds are not checked, so this means that if the provided number is greater than the maximum value of type <code>int32</code>,
+the resulting value from the conversion will be different from the actual provided value.
+</p>
+<p>
+To avoid unexpected values, you should either use the other functions provided by the <code>strconv</code>
+package to parse the specific types and bit sizes as shown in the
+<code>parseAllocateGood2</code> function; or check bounds as in the <code>parseAllocateGood1</code>
+function.
+</p>
+<sample src="IncorrectIntegerConversionGood.go"/>
+</example>
+
+<example>
+<p>
+In the second example, assume that an input string is passed to <code>parseAllocateBad2</code> function,
+parsed by <code>strconv.ParseInt</code> with a bit size set to 64, and then converted into an <code>int32</code> type:
+</p>
+<sample src="IncorrectIntegerConversion.go"/>
+<p>
+If the provided number is greater than the maximum value of type <code>int32</code>, the resulting value from the conversion will be
+different from the actual provided value.
+</p>
+<p>
+To avoid unexpected values, you should specify the correct bit size as in <code>parseAllocateGood3</code>;
+or check bounds before making the conversion as in <code>parseAllocateGood4</code>.
+</p>
+<sample src="IncorrectIntegerConversionGood.go"/>
+</example>
+</qhelp>
diff --git a/ql/src/Security/CWE-681/IncorrectIntegerConversion.ql b/ql/src/Security/CWE-681/IncorrectIntegerConversion.ql
@@ -0,0 +1,142 @@
+/**
+ * @name Incorrect conversion between integer types
+ * @description Converting the result of strconv.Atoi, strconv.ParseInt and strconv.ParseUint
+ *              to integer types of smaller bit size can produce unexpected values.
+ * @kind path-problem
+ * @problem.severity warning
+ * @id go/incorrect-integer-conversion
+ * @tags security
+ *       external/cwe/cwe-190
+ *       external/cwe/cwe-681
+ * @precision very-high
+ */
+
+import go
+import DataFlow::PathGraph
+
+/**
+ * Gets the maximum value of an integer (signed if `isSigned`
+ * is true, unsigned otherwise) with `bitSize` bits.
+ */
+float getMaxIntValue(int bitSize, boolean isSigned) {
+  bitSize in [8, 16, 32, 64] and
+  (
+    isSigned = true and result = 2.pow(bitSize - 1) - 1
+    or
+    isSigned = false and result = 2.pow(bitSize) - 1
+  )
+}
+
+/**
+ * Holds if converting from an integer types with size `sourceBitSize` to
+ * one with size `sinkBitSize` can produce unexpected values, where 0 means
+ * architecture-dependent.
+ */
+private predicate isIncorrectIntegerConversion(int sourceBitSize, int sinkBitSize) {
+  sourceBitSize in [0, 16, 32, 64] and
+  sinkBitSize in [0, 8, 16, 32] and
+  not (sourceBitSize = 0 and sinkBitSize = 0) and
+  exists(int source, int sink |
+    (if sourceBitSize = 0 then source = 64 else source = sourceBitSize) and
+    if sinkBitSize = 0 then sink = 32 else sink = sinkBitSize
+  |
+    source > sink
+  )
+}
+
+/**
+ * A taint-tracking configuration for reasoning about when an integer
+ * obtained from parsing a string flows to a type conversion to a smaller
+ * integer types, which could cause unexpected values.
+ */
+class ConversionWithoutBoundsCheckConfig extends TaintTracking::Configuration {
+  boolean sourceIsSigned;
+  int sourceBitSize;
+  int sinkBitSize;
+
+  ConversionWithoutBoundsCheckConfig() {
+    sourceIsSigned in [true, false] and
+    isIncorrectIntegerConversion(sourceBitSize, sinkBitSize) and
+    this =
+      sourceBitSize.toString() + sourceIsSigned.toString() + sinkBitSize.toString() +
+        "ConversionWithoutBoundsCheckConfig"
+  }
+
+  override predicate isSource(DataFlow::Node source) {
+    exists(ParserCall pc, int bitSize | source = pc.getResult(0) |
+      sourceIsSigned = pc.getTargetIsSigned() and
+      (if pc.getTargetBitSize() = 0 then bitSize = 0 else bitSize = pc.getTargetBitSize()) and
+      // `bitSize` could be any value between 0 and 64, but we can round
+      // it up to the nearest size of an integer type without changing
+      // behaviour.
+      sourceBitSize = min(int b | b in [0, 8, 16, 32, 64] and b >= bitSize)
+    )
+  }
+
+  /**
+   * Holds if sink is a typecast to an integer type with size `bitSize` (where
+   * 0 represents architecture-dependent) and the expression being typecast is
+   * not also in a right-shift expression.
+   */
+  predicate isSink(DataFlow::TypeCastNode sink, int bitSize) {
+    exists(IntegerType integerType | sink.getType().getUnderlyingType() = integerType |
+      bitSize = integerType.getSize()
+      or
+      (
+        integerType instanceof IntType or
+        integerType instanceof UintType
+      ) and
+      bitSize = 0
+    ) and
+    not exists(ShrExpr shrExpr |
+      shrExpr.getLeftOperand().getGlobalValueNumber() =
+        sink.getOperand().asExpr().getGlobalValueNumber()
+    )
+  }
+
+  override predicate isSink(DataFlow::Node sink) { isSink(sink, sinkBitSize) }
+
+  override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+    exists(int bitSize | if sinkBitSize != 0 then bitSize = sinkBitSize else bitSize = 32 |
+      guard.(UpperBoundCheckGuard).getBound() <= getMaxIntValue(bitSize, sourceIsSigned)
+    )
+  }
+
+  override predicate isSanitizerOut(DataFlow::Node node) {
+    exists(int bitSize | isIncorrectIntegerConversion(sourceBitSize, bitSize) |
+      isSink(node, bitSize)
+    )
+  }
+}
+
+/** An upper bound check that compares a variable to a constant value. */
+class UpperBoundCheckGuard extends DataFlow::BarrierGuard, DataFlow::RelationalComparisonNode {
+  UpperBoundCheckGuard() { count(expr.getAnOperand().getIntValue()) = 1 }
+
+  /**
+   * Gets the constant value which this upper bound check ensures the
+   * other value is less than or equal to.
+   */
+  float getBound() {
+    exists(int strictnessOffset |
+      if expr.isStrict() then strictnessOffset = 1 else strictnessOffset = 0
+    |
+      result = expr.getAnOperand().getIntValue() - strictnessOffset
+    )
+  }
+
+  override predicate checks(Expr e, boolean branch) {
+    this.leq(branch, DataFlow::exprNode(e), _, _) and
+    not exists(e.getIntValue())
+  }
+}
+
+from
+  DataFlow::PathNode source, DataFlow::PathNode sink, ConversionWithoutBoundsCheckConfig cfg,
+  ParserCall pc
+where cfg.hasFlowPath(source, sink) and pc.getResult(0) = source.getNode()
+select source.getNode(), source, sink,
+  "Incorrect conversion of " + pc.getBitSizeString() + " from " + pc.getParserName() +
+    " to a lower bit size type " +
+    sink.getNode().(DataFlow::TypeCastNode).getType().getUnderlyingType().getName() +
+    " without an upper bound check."
diff --git a/ql/src/Security/CWE-681/IncorrectIntegerConversionGood.go b/ql/src/Security/CWE-681/IncorrectIntegerConversionGood.go
@@ -0,0 +1,51 @@
+package main
+
+import (
+	"math"
+	"strconv"
+)
+
+func main() {
+
+}
+
+const DefaultAllocate int32 = 256
+
+func parseAllocateGood1(desired string) int32 {
+	parsed, err := strconv.Atoi(desired)
+	if err != nil {
+		return DefaultAllocate
+	}
+	// GOOD: check for lower and upper bounds
+	if parsed > 0 && parsed <= math.MaxInt32 {
+		return int32(parsed)
+	}
+	return DefaultAllocate
+}
+func parseAllocateGood2(desired string) int32 {
+	// GOOD: parse specifying the bit size
+	parsed, err := strconv.ParseInt(desired, 10, 32)
+	if err != nil {
+		return DefaultAllocate
+	}
+	return int32(parsed)
+}
+
+func parseAllocateGood3(wanted string) int32 {
+	parsed, err := strconv.ParseInt(wanted, 10, 32)
+	if err != nil {
+		panic(err)
+	}
+	return int32(parsed)
+}
+func parseAllocateGood4(wanted string) int32 {
+	parsed, err := strconv.ParseInt(wanted, 10, 64)
+	if err != nil {
+		panic(err)
+	}
+	// GOOD: check for lower and uppper bounds
+	if parsed > 0 && parsed <= math.MaxInt32 {
+		return int32(parsed)
+	}
+	return DefaultAllocate
+}
