Address review comments 4

owen-mc · owen-mc · commit 4907f6529edb · 2020-08-11T07:24:58.000+01:00
diff --git a/ql/src/Security/CWE-681/IncorrectIntegerConversion.ql b/ql/src/Security/CWE-681/IncorrectIntegerConversion.ql
@@ -32,15 +32,24 @@ float getMaxIntValue(int bitSize, boolean isSigned) {
  * Holds if converting from an integer types with size `sourceBitSize` to
  * one with size `sinkBitSize` can produce unexpected values, where 0 means
  * architecture-dependent.
+ *
+ * Architecture-dependent bit sizes can be 32 or 64. To catch flows that
+ * only manifest on 64-bit architectures we consider an
+ * architecture-dependent source bit size to be 64. To catch flows that
+ * only happen on 32-bit architectures we consider an
+ * architecture-dependent sink bit size to be 32. We exclude the case where
+ * both source and sink have architecture-dependent bit sizes.
  */
 private predicate isIncorrectIntegerConversion(int sourceBitSize, int sinkBitSize) {
   sourceBitSize in [16, 32, 64] and
   sinkBitSize in [8, 16, 32] and
   sourceBitSize > sinkBitSize
   or
+  // Treat `sourceBitSize = 0` like `sourceBitSize = 64`, and exclude `sinkBitSize = 0`
   sourceBitSize = 0 and
   sinkBitSize in [8, 16, 32]
   or
+  // Treat `sinkBitSize = 0` like `sinkBitSize = 32`, and exclude `sourceBitSize = 0`
   sourceBitSize = 64 and
   sinkBitSize = 0
 }
@@ -76,6 +85,8 @@ class ConversionWithoutBoundsCheckConfig extends TaintTracking::Configuration {
       (
         bitSize = ip.getTargetBitSize()
         or
+        // If we are reading a variable, check if it is
+        // `strconv.IntSize`, and use 0 if it is.
         if
           exists(StrConv::IntSize intSize |
             ip.getTargetBitSizeInput().getNode(c).(DataFlow::ReadNode).reads(intSize)
@@ -105,13 +116,17 @@ class ConversionWithoutBoundsCheckConfig extends TaintTracking::Configuration {
     ) and
     not exists(ShrExpr shrExpr |
       shrExpr.getLeftOperand().getGlobalValueNumber() =
+        sink.getOperand().asExpr().getGlobalValueNumber() or
+      shrExpr.getLeftOperand().(AndExpr).getAnOperand().getGlobalValueNumber() =
         sink.getOperand().asExpr().getGlobalValueNumber()
     )
   }
 
   override predicate isSink(DataFlow::Node sink) { isSink(sink, sinkBitSize) }
 
   override predicate isSanitizerGuard(DataFlow::BarrierGuard guard) {
+    // To catch flows that only happen on 32-bit architectures we
+    // consider an architecture-dependent sink bit size to be 32.
     exists(int bitSize | if sinkBitSize != 0 then bitSize = sinkBitSize else bitSize = 32 |
       guard.(UpperBoundCheckGuard).getBound() <= getMaxIntValue(bitSize, sourceIsSigned)
     )
diff --git a/ql/test/query-tests/Security/CWE-681/IncorrectIntegerConversion.expected b/ql/test/query-tests/Security/CWE-681/IncorrectIntegerConversion.expected
@@ -50,15 +50,14 @@ edges
 | IncorrectIntegerConversion.go:235:3:235:48 | ... := ...[0] : int64 | IncorrectIntegerConversion.go:241:7:241:23 | type conversion |
 | IncorrectIntegerConversion.go:247:3:247:36 | ... := ...[0] : int | IncorrectIntegerConversion.go:261:8:261:19 | type conversion |
 | IncorrectIntegerConversion.go:268:3:268:49 | ... := ...[0] : uint64 | IncorrectIntegerConversion.go:282:8:282:21 | type conversion |
-| IncorrectIntegerConversion.go:268:3:268:49 | ... := ...[0] : uint64 | IncorrectIntegerConversion.go:287:7:287:19 | type conversion |
-| IncorrectIntegerConversion.go:303:3:303:48 | ... := ...[0] : int64 | IncorrectIntegerConversion.go:307:7:307:18 | type conversion |
-| IncorrectIntegerConversion.go:313:2:313:47 | ... := ...[0] : int64 | IncorrectIntegerConversion.go:317:7:317:19 | type conversion |
-| IncorrectIntegerConversion.go:322:2:322:60 | ... := ...[0] : int64 | IncorrectIntegerConversion.go:326:6:326:17 | type conversion |
-| IncorrectIntegerConversion.go:322:2:322:60 | ... := ...[0] : int64 | IncorrectIntegerConversion.go:327:6:327:18 | type conversion |
-| IncorrectIntegerConversion.go:322:2:322:60 | ... := ...[0] : int64 | IncorrectIntegerConversion.go:328:6:328:18 | type conversion |
-| IncorrectIntegerConversion.go:322:2:322:60 | ... := ...[0] : int64 | IncorrectIntegerConversion.go:329:6:329:19 | type conversion |
-| IncorrectIntegerConversion.go:322:2:322:60 | ... := ...[0] : int64 | IncorrectIntegerConversion.go:330:6:330:18 | type conversion |
-| IncorrectIntegerConversion.go:322:2:322:60 | ... := ...[0] : int64 | IncorrectIntegerConversion.go:331:6:331:19 | type conversion |
+| IncorrectIntegerConversion.go:319:3:319:48 | ... := ...[0] : int64 | IncorrectIntegerConversion.go:323:7:323:18 | type conversion |
+| IncorrectIntegerConversion.go:329:2:329:47 | ... := ...[0] : int64 | IncorrectIntegerConversion.go:333:7:333:19 | type conversion |
+| IncorrectIntegerConversion.go:338:2:338:60 | ... := ...[0] : int64 | IncorrectIntegerConversion.go:342:6:342:17 | type conversion |
+| IncorrectIntegerConversion.go:338:2:338:60 | ... := ...[0] : int64 | IncorrectIntegerConversion.go:343:6:343:18 | type conversion |
+| IncorrectIntegerConversion.go:338:2:338:60 | ... := ...[0] : int64 | IncorrectIntegerConversion.go:344:6:344:18 | type conversion |
+| IncorrectIntegerConversion.go:338:2:338:60 | ... := ...[0] : int64 | IncorrectIntegerConversion.go:345:6:345:19 | type conversion |
+| IncorrectIntegerConversion.go:338:2:338:60 | ... := ...[0] : int64 | IncorrectIntegerConversion.go:346:6:346:18 | type conversion |
+| IncorrectIntegerConversion.go:338:2:338:60 | ... := ...[0] : int64 | IncorrectIntegerConversion.go:347:6:347:19 | type conversion |
 nodes
 | IncorrectIntegerConversion.go:26:2:26:28 | ... := ...[0] : int | semmle.label | ... := ...[0] : int |
 | IncorrectIntegerConversion.go:35:41:35:50 | type conversion | semmle.label | type conversion |
@@ -138,22 +137,20 @@ nodes
 | IncorrectIntegerConversion.go:247:3:247:36 | ... := ...[0] : int | semmle.label | ... := ...[0] : int |
 | IncorrectIntegerConversion.go:261:8:261:19 | type conversion | semmle.label | type conversion |
 | IncorrectIntegerConversion.go:268:3:268:49 | ... := ...[0] : uint64 | semmle.label | ... := ...[0] : uint64 |
-| IncorrectIntegerConversion.go:268:3:268:49 | ... := ...[0] : uint64 | semmle.label | ... := ...[0] : uint64 |
 | IncorrectIntegerConversion.go:282:8:282:21 | type conversion | semmle.label | type conversion |
-| IncorrectIntegerConversion.go:287:7:287:19 | type conversion | semmle.label | type conversion |
-| IncorrectIntegerConversion.go:303:3:303:48 | ... := ...[0] : int64 | semmle.label | ... := ...[0] : int64 |
-| IncorrectIntegerConversion.go:307:7:307:18 | type conversion | semmle.label | type conversion |
-| IncorrectIntegerConversion.go:313:2:313:47 | ... := ...[0] : int64 | semmle.label | ... := ...[0] : int64 |
-| IncorrectIntegerConversion.go:317:7:317:19 | type conversion | semmle.label | type conversion |
-| IncorrectIntegerConversion.go:322:2:322:60 | ... := ...[0] : int64 | semmle.label | ... := ...[0] : int64 |
-| IncorrectIntegerConversion.go:322:2:322:60 | ... := ...[0] : int64 | semmle.label | ... := ...[0] : int64 |
-| IncorrectIntegerConversion.go:322:2:322:60 | ... := ...[0] : int64 | semmle.label | ... := ...[0] : int64 |
-| IncorrectIntegerConversion.go:326:6:326:17 | type conversion | semmle.label | type conversion |
-| IncorrectIntegerConversion.go:327:6:327:18 | type conversion | semmle.label | type conversion |
-| IncorrectIntegerConversion.go:328:6:328:18 | type conversion | semmle.label | type conversion |
-| IncorrectIntegerConversion.go:329:6:329:19 | type conversion | semmle.label | type conversion |
-| IncorrectIntegerConversion.go:330:6:330:18 | type conversion | semmle.label | type conversion |
-| IncorrectIntegerConversion.go:331:6:331:19 | type conversion | semmle.label | type conversion |
+| IncorrectIntegerConversion.go:319:3:319:48 | ... := ...[0] : int64 | semmle.label | ... := ...[0] : int64 |
+| IncorrectIntegerConversion.go:323:7:323:18 | type conversion | semmle.label | type conversion |
+| IncorrectIntegerConversion.go:329:2:329:47 | ... := ...[0] : int64 | semmle.label | ... := ...[0] : int64 |
+| IncorrectIntegerConversion.go:333:7:333:19 | type conversion | semmle.label | type conversion |
+| IncorrectIntegerConversion.go:338:2:338:60 | ... := ...[0] : int64 | semmle.label | ... := ...[0] : int64 |
+| IncorrectIntegerConversion.go:338:2:338:60 | ... := ...[0] : int64 | semmle.label | ... := ...[0] : int64 |
+| IncorrectIntegerConversion.go:338:2:338:60 | ... := ...[0] : int64 | semmle.label | ... := ...[0] : int64 |
+| IncorrectIntegerConversion.go:342:6:342:17 | type conversion | semmle.label | type conversion |
+| IncorrectIntegerConversion.go:343:6:343:18 | type conversion | semmle.label | type conversion |
+| IncorrectIntegerConversion.go:344:6:344:18 | type conversion | semmle.label | type conversion |
+| IncorrectIntegerConversion.go:345:6:345:19 | type conversion | semmle.label | type conversion |
+| IncorrectIntegerConversion.go:346:6:346:18 | type conversion | semmle.label | type conversion |
+| IncorrectIntegerConversion.go:347:6:347:19 | type conversion | semmle.label | type conversion |
 #select
 | IncorrectIntegerConversion.go:26:2:26:28 | ... := ...[0] | IncorrectIntegerConversion.go:26:2:26:28 | ... := ...[0] : int | IncorrectIntegerConversion.go:35:41:35:50 | type conversion | Incorrect conversion of an integer with architecture-dependent bit size from strconv.Atoi to a lower bit size type int32 without an upper bound check. |
 | IncorrectIntegerConversion.go:65:3:65:49 | ... := ...[0] | IncorrectIntegerConversion.go:65:3:65:49 | ... := ...[0] : int64 | IncorrectIntegerConversion.go:69:7:69:18 | type conversion | Incorrect conversion of a 16-bit integer from strconv.ParseInt to a lower bit size type int8 without an upper bound check. |
@@ -206,12 +203,11 @@ nodes
 | IncorrectIntegerConversion.go:235:3:235:48 | ... := ...[0] | IncorrectIntegerConversion.go:235:3:235:48 | ... := ...[0] : int64 | IncorrectIntegerConversion.go:241:7:241:23 | type conversion | Incorrect conversion of a 32-bit integer from strconv.ParseInt to a lower bit size type int16 without an upper bound check. |
 | IncorrectIntegerConversion.go:247:3:247:36 | ... := ...[0] | IncorrectIntegerConversion.go:247:3:247:36 | ... := ...[0] : int | IncorrectIntegerConversion.go:261:8:261:19 | type conversion | Incorrect conversion of an integer with architecture-dependent bit size from strconv.Atoi to a lower bit size type int8 without an upper bound check. |
 | IncorrectIntegerConversion.go:268:3:268:49 | ... := ...[0] | IncorrectIntegerConversion.go:268:3:268:49 | ... := ...[0] : uint64 | IncorrectIntegerConversion.go:282:8:282:21 | type conversion | Incorrect conversion of a 32-bit integer from strconv.ParseUint to a lower bit size type uint16 without an upper bound check. |
-| IncorrectIntegerConversion.go:268:3:268:49 | ... := ...[0] | IncorrectIntegerConversion.go:268:3:268:49 | ... := ...[0] : uint64 | IncorrectIntegerConversion.go:287:7:287:19 | type conversion | Incorrect conversion of a 32-bit integer from strconv.ParseUint to a lower bit size type uint8 without an upper bound check. |
-| IncorrectIntegerConversion.go:303:3:303:48 | ... := ...[0] | IncorrectIntegerConversion.go:303:3:303:48 | ... := ...[0] : int64 | IncorrectIntegerConversion.go:307:7:307:18 | type conversion | Incorrect conversion of a 16-bit integer from strconv.ParseInt to a lower bit size type uint8 without an upper bound check. |
-| IncorrectIntegerConversion.go:313:2:313:47 | ... := ...[0] | IncorrectIntegerConversion.go:313:2:313:47 | ... := ...[0] : int64 | IncorrectIntegerConversion.go:317:7:317:19 | type conversion | Incorrect conversion of a 32-bit integer from strconv.ParseInt to a lower bit size type int16 without an upper bound check. |
-| IncorrectIntegerConversion.go:322:2:322:60 | ... := ...[0] | IncorrectIntegerConversion.go:322:2:322:60 | ... := ...[0] : int64 | IncorrectIntegerConversion.go:326:6:326:17 | type conversion | Incorrect conversion of an integer with architecture-dependent bit size from strconv.ParseInt to a lower bit size type int8 without an upper bound check. |
-| IncorrectIntegerConversion.go:322:2:322:60 | ... := ...[0] | IncorrectIntegerConversion.go:322:2:322:60 | ... := ...[0] : int64 | IncorrectIntegerConversion.go:327:6:327:18 | type conversion | Incorrect conversion of an integer with architecture-dependent bit size from strconv.ParseInt to a lower bit size type uint8 without an upper bound check. |
-| IncorrectIntegerConversion.go:322:2:322:60 | ... := ...[0] | IncorrectIntegerConversion.go:322:2:322:60 | ... := ...[0] : int64 | IncorrectIntegerConversion.go:328:6:328:18 | type conversion | Incorrect conversion of an integer with architecture-dependent bit size from strconv.ParseInt to a lower bit size type int16 without an upper bound check. |
-| IncorrectIntegerConversion.go:322:2:322:60 | ... := ...[0] | IncorrectIntegerConversion.go:322:2:322:60 | ... := ...[0] : int64 | IncorrectIntegerConversion.go:329:6:329:19 | type conversion | Incorrect conversion of an integer with architecture-dependent bit size from strconv.ParseInt to a lower bit size type uint16 without an upper bound check. |
-| IncorrectIntegerConversion.go:322:2:322:60 | ... := ...[0] | IncorrectIntegerConversion.go:322:2:322:60 | ... := ...[0] : int64 | IncorrectIntegerConversion.go:330:6:330:18 | type conversion | Incorrect conversion of an integer with architecture-dependent bit size from strconv.ParseInt to a lower bit size type int32 without an upper bound check. |
-| IncorrectIntegerConversion.go:322:2:322:60 | ... := ...[0] | IncorrectIntegerConversion.go:322:2:322:60 | ... := ...[0] : int64 | IncorrectIntegerConversion.go:331:6:331:19 | type conversion | Incorrect conversion of an integer with architecture-dependent bit size from strconv.ParseInt to a lower bit size type uint32 without an upper bound check. |
+| IncorrectIntegerConversion.go:319:3:319:48 | ... := ...[0] | IncorrectIntegerConversion.go:319:3:319:48 | ... := ...[0] : int64 | IncorrectIntegerConversion.go:323:7:323:18 | type conversion | Incorrect conversion of a 16-bit integer from strconv.ParseInt to a lower bit size type uint8 without an upper bound check. |
+| IncorrectIntegerConversion.go:329:2:329:47 | ... := ...[0] | IncorrectIntegerConversion.go:329:2:329:47 | ... := ...[0] : int64 | IncorrectIntegerConversion.go:333:7:333:19 | type conversion | Incorrect conversion of a 32-bit integer from strconv.ParseInt to a lower bit size type int16 without an upper bound check. |
+| IncorrectIntegerConversion.go:338:2:338:60 | ... := ...[0] | IncorrectIntegerConversion.go:338:2:338:60 | ... := ...[0] : int64 | IncorrectIntegerConversion.go:342:6:342:17 | type conversion | Incorrect conversion of an integer with architecture-dependent bit size from strconv.ParseInt to a lower bit size type int8 without an upper bound check. |
+| IncorrectIntegerConversion.go:338:2:338:60 | ... := ...[0] | IncorrectIntegerConversion.go:338:2:338:60 | ... := ...[0] : int64 | IncorrectIntegerConversion.go:343:6:343:18 | type conversion | Incorrect conversion of an integer with architecture-dependent bit size from strconv.ParseInt to a lower bit size type uint8 without an upper bound check. |
+| IncorrectIntegerConversion.go:338:2:338:60 | ... := ...[0] | IncorrectIntegerConversion.go:338:2:338:60 | ... := ...[0] : int64 | IncorrectIntegerConversion.go:344:6:344:18 | type conversion | Incorrect conversion of an integer with architecture-dependent bit size from strconv.ParseInt to a lower bit size type int16 without an upper bound check. |
+| IncorrectIntegerConversion.go:338:2:338:60 | ... := ...[0] | IncorrectIntegerConversion.go:338:2:338:60 | ... := ...[0] : int64 | IncorrectIntegerConversion.go:345:6:345:19 | type conversion | Incorrect conversion of an integer with architecture-dependent bit size from strconv.ParseInt to a lower bit size type uint16 without an upper bound check. |
+| IncorrectIntegerConversion.go:338:2:338:60 | ... := ...[0] | IncorrectIntegerConversion.go:338:2:338:60 | ... := ...[0] : int64 | IncorrectIntegerConversion.go:346:6:346:18 | type conversion | Incorrect conversion of an integer with architecture-dependent bit size from strconv.ParseInt to a lower bit size type int32 without an upper bound check. |
+| IncorrectIntegerConversion.go:338:2:338:60 | ... := ...[0] | IncorrectIntegerConversion.go:338:2:338:60 | ... := ...[0] : int64 | IncorrectIntegerConversion.go:347:6:347:19 | type conversion | Incorrect conversion of an integer with architecture-dependent bit size from strconv.ParseInt to a lower bit size type uint32 without an upper bound check. |
diff --git a/ql/test/query-tests/Security/CWE-681/IncorrectIntegerConversion.go b/ql/test/query-tests/Security/CWE-681/IncorrectIntegerConversion.go
@@ -299,6 +299,22 @@ func testRightShifted(input string) {
 		_ = byte(parsed >> 16)
 		_ = byte(parsed >> 24)
 	}
+	{
+		parsed, err := strconv.ParseInt(input, 10, 16)
+		if err != nil {
+			panic(err)
+		}
+		_ = byte(parsed) // OK
+		_ = byte(parsed & 0xff00 >> 8)
+	}
+	{
+		parsed, err := strconv.ParseInt(input, 10, 32)
+		if err != nil {
+			panic(err)
+		}
+		_ = byte(parsed) // OK
+		_ = byte(parsed >> 8 & 0xff)
+	}
 	{
 		parsed, err := strconv.ParseInt(input, 10, 16)
 		if err != nil {
