Make type assertions transform the flow state

owen-mc · owen-mc · commit 611f98bca49c · 2024-04-17T16:32:30.000+01:00
diff --git a/go/ql/lib/semmle/go/security/IncorrectIntegerConversionLib.qll b/go/ql/lib/semmle/go/security/IncorrectIntegerConversionLib.qll
@@ -397,6 +397,39 @@ class UpperBoundCheck extends FlowStateTransformer {
   }
 }
 
+private predicate integerTypeBound(IntegerType it, int bitSize, int architectureBitSize) {
+  bitSize = validBitSize() and
+  architectureBitSize = [32, 64] and
+  exists(int offset | if it instanceof SignedIntegerType then offset = 1 else offset = 0 |
+    if it instanceof IntType or it instanceof UintType
+    then bitSize >= architectureBitSize - offset
+    else bitSize >= it.getSize() - offset
+  )
+}
+
+/**
+ * An expression which a type assertion guarantees will have a particular
+ * integer type.
+ *
+ * If this is a checked type expression then this value will only be used if
+ * the type assertion succeeded. If it is not checked then there will be a
+ * run-time panic if the type assertion fails, so we can assume it succeeded.
+ */
+class TypeAssertionCheck extends DataFlow::ExprNode, FlowStateTransformer {
+  IntegerType it;
+
+  TypeAssertionCheck() {
+    exists(TypeAssertExpr tae |
+      this = DataFlow::exprNode(tae.getExpr()) and
+      it = tae.getTypeExpr().getType()
+    )
+  }
+
+  override predicate barrierFor(int bitSize, int architectureBitSize) {
+    integerTypeBound(it, bitSize, architectureBitSize)
+  }
+}
+
 /**
  * Holds if `source` is the result of a call to `strconv.Atoi`,
  * `strconv.ParseInt`, or `strconv.ParseUint`, `bitSize` is the `bitSize`
diff --git a/go/ql/test/query-tests/Security/CWE-681/IncorrectIntegerConversion.go b/go/ql/test/query-tests/Security/CWE-681/IncorrectIntegerConversion.go
@@ -507,8 +507,8 @@ func typeSwitch1(s string) {
 		if _, ok := input.(string); ok {
 			return
 		}
-		_ = int16(v.(int16)) // $ SPURIOUS: hasValueFlow="type assertion"
-		_ = int8(v.(int16))  // $ hasValueFlow="type assertion"
+		_ = int16(v.(int16))
+		_ = int8(v.(int16)) // $ hasValueFlow="type assertion"
 	case int32:
 		_ = int32(v) // $ SPURIOUS: hasValueFlow="v"
 		_ = int8(v)  // $ hasValueFlow="v"
@@ -527,11 +527,11 @@ func typeSwitch2(s string) {
 		if _, ok := input.(string); ok {
 			return
 		}
-		_ = int16(input.(int16)) // $ SPURIOUS: hasValueFlow="type assertion"
-		_ = int8(input.(int16))  // $ hasValueFlow="type assertion"
+		_ = int16(input.(int16))
+		_ = int8(input.(int16)) // $ hasValueFlow="type assertion"
 	case int32:
-		_ = int32(input.(int32)) // $ SPURIOUS: hasValueFlow="type assertion"
-		_ = int8(input.(int32))  // $ hasValueFlow="type assertion"
+		_ = int32(input.(int32))
+		_ = int8(input.(int32)) // $ hasValueFlow="type assertion"
 	case int64:
 		_ = int8(input.(int64)) // $ hasValueFlow="type assertion"
 	default:
@@ -544,8 +544,8 @@ func checkedTypeAssertion(s string) {
 	var input any = i64
 	if v, ok := input.(int16); ok {
 		// Need to account for the fact that within this case clause, v is an int16
-		_ = int16(v) // $ SPURIOUS: hasValueFlow="v"
-		_ = int8(v)  // $ hasValueFlow="v"
+		_ = int16(v)
+		_ = int8(v) // $ hasValueFlow="v"
 	} else if v, ok := input.(int32); ok {
 		_ = int16(v) // $ hasValueFlow="v"
 	}
