✨ [safecast] Introduced utilities to perform casting safely (#511)

acabarbaye · web-flow · commit 878f149063f6 · 2024-11-07T16:47:36.000Z
### Description protect against [CWE-190](https://cwe.mitre.org/data/definitions/190.html) ### Test Coverage  - [x] This change is covered by existing or additional automated tests. - [ ] Manual testing has been performed (and evidence provided) as automated testing was not feasible. - [ ] Additional tests are not required for this change (e.g. documentation update).
diff --git a/changes/20241107160700.feature b/changes/20241107160700.feature
@@ -0,0 +1 @@
+:sparkles: `[safecast]` Introduced utilities to perform casting safely and protect against [CWE-190](https://cwe.mitre.org/data/definitions/190.html)
diff --git a/utils/field/fields_test.go b/utils/field/fields_test.go
@@ -10,6 +10,8 @@ import (
 
 	"github.com/go-faker/faker/v4"
 	"github.com/stretchr/testify/assert"
+
+	"github.com/ARM-software/golang-utils/utils/safecast"
 )
 
 func TestOptionalField(t *testing.T) {
@@ -22,7 +24,7 @@ func TestOptionalField(t *testing.T) {
 	}{
 		{
 			fieldType:    "Int",
-			value:        time.Now().Second(),
+			value:        safecast.ToInt(time.Now().Second()),
 			defaultValue: 76,
 			setFunction: func(a any) any {
 				return ToOptionalInt(a.(int))
@@ -37,8 +39,8 @@ func TestOptionalField(t *testing.T) {
 		},
 		{
 			fieldType:    "UInt",
-			value:        uint(time.Now().Second()), //nolint:gosec // time is positive and uint has more bits than int so no overflow
-			defaultValue: uint(76),
+			value:        safecast.ToUint(time.Now().Second()),
+			defaultValue: safecast.ToUint(76),
 			setFunction: func(a any) any {
 				return ToOptionalUint(a.(uint))
 			},
@@ -52,8 +54,8 @@ func TestOptionalField(t *testing.T) {
 		},
 		{
 			fieldType:    "Int32",
-			value:        int32(time.Now().Second()), //nolint:gosec // this should be okay until 2038
-			defaultValue: int32(97894),
+			value:        safecast.ToInt32(time.Now().Second()),
+			defaultValue: safecast.ToInt32(97894),
 			setFunction: func(a any) any {
 				return ToOptionalInt32(a.(int32))
 			},
@@ -67,8 +69,8 @@ func TestOptionalField(t *testing.T) {
 		},
 		{
 			fieldType:    "UInt32",
-			value:        uint32(time.Now().Second()), //nolint:gosec // this should be okay until 2038
-			defaultValue: uint32(97894),
+			value:        safecast.ToUint32(time.Now().Second()),
+			defaultValue: safecast.ToUint32(97894),
 			setFunction: func(a any) any {
 				return ToOptionalUint32(a.(uint32))
 			},
@@ -83,7 +85,7 @@ func TestOptionalField(t *testing.T) {
 		{
 			fieldType:    "Int64",
 			value:        time.Now().Unix(),
-			defaultValue: int64(97894),
+			defaultValue: safecast.ToInt64(97894),
 			setFunction: func(a any) any {
 				return ToOptionalInt64(a.(int64))
 			},
@@ -97,8 +99,8 @@ func TestOptionalField(t *testing.T) {
 		},
 		{
 			fieldType:    "UInt64",
-			value:        uint64(time.Now().Unix()), //nolint:gosec // time is positive and uint64 has more bits than int64 so no overflow
-			defaultValue: uint64(97894),
+			value:        safecast.ToUint64(time.Now().Unix()),
+			defaultValue: safecast.ToUint64(97894),
 			setFunction: func(a any) any {
 				return ToOptionalUint64(a.(uint64))
 			},
diff --git a/utils/filesystem/zip.go b/utils/filesystem/zip.go
@@ -18,6 +18,7 @@ import (
 	"github.com/ARM-software/golang-utils/utils/collection"
 	"github.com/ARM-software/golang-utils/utils/commonerrors"
 	"github.com/ARM-software/golang-utils/utils/parallelisation"
+	"github.com/ARM-software/golang-utils/utils/safecast"
 	"github.com/ARM-software/golang-utils/utils/safeio"
 )
 
@@ -356,16 +357,16 @@ func (fs *VFS) unzip(ctx context.Context, source string, destination string, lim
 					fileCounter.Inc()
 					fileList = append(fileList, filePath)
 				}
-				totalSizeOnDisk.Add(uint64(fileSizeOnDisk)) //nolint:gosec // file size is positive and uint64 has more bits than int64 so no overflow
+				totalSizeOnDisk.Add(safecast.ToUint64(fileSizeOnDisk))
 			}
 		} else {
-			totalSizeOnDisk.Add(uint64(fileSizeOnDisk)) //nolint:gosec // file size is positive and uint64 has more bits than int64 so no overflow
+			totalSizeOnDisk.Add(safecast.ToUint64(fileSizeOnDisk))
 		}
 
 		if limits.Apply() && totalSizeOnDisk.Load() > limits.GetMaxTotalSize() {
 			return fileList, fileCounter.Load(), totalSizeOnDisk.Load(), fmt.Errorf("%w: more than %v B of disk space was used while unzipping %v (%v B used already)", commonerrors.ErrTooLarge, limits.GetMaxTotalSize(), source, totalSizeOnDisk.Load())
 		}
-		if filecount := fileCounter.Load(); limits.Apply() && filecount <= math.MaxInt64 && int64(filecount) > limits.GetMaxFileCount() { //nolint:gosec // if filecount of uint64 is greater than the max value of int64 then it must be greater than GetMaxFileCount as that is an int64
+		if filecount := fileCounter.Load(); limits.Apply() && filecount <= math.MaxInt64 && safecast.ToInt64(filecount) > limits.GetMaxFileCount() {
 			return fileList, filecount, totalSizeOnDisk.Load(), fmt.Errorf("%w: more than %v files were created while unzipping %v (%v files created already)", commonerrors.ErrTooLarge, limits.GetMaxFileCount(), source, filecount)
 		}
 	}
diff --git a/utils/idgen/uuid.go b/utils/idgen/uuid.go
@@ -4,13 +4,19 @@
  */
 package idgen
 
-import "github.com/gofrs/uuid"
+import (
+	"fmt"
+
+	"github.com/gofrs/uuid"
+
+	"github.com/ARM-software/golang-utils/utils/commonerrors"
+)
 
 // Generates a UUID.
 func GenerateUUID4() (string, error) {
 	uuid, err := uuid.NewV4()
 	if err != nil {
-		return "", err
+		return "", fmt.Errorf("%w: failed generating uuid: %v", commonerrors.ErrUnexpected, err.Error())
 	}
 	return uuid.String(), nil
 }
diff --git a/utils/idgen/uuid_test.go b/utils/idgen/uuid_test.go
@@ -13,17 +13,17 @@ import (
 
 func TestUuidUniqueness(t *testing.T) {
 	uuid1, err := GenerateUUID4()
-	require.Nil(t, err)
+	require.NoError(t, err)
 
 	uuid2, err := GenerateUUID4()
-	require.Nil(t, err)
+	require.NoError(t, err)
 
 	assert.NotEqual(t, uuid1, uuid2)
 }
 
 func TestUuidLength(t *testing.T) {
 	uuid, err := GenerateUUID4()
-	require.Nil(t, err)
+	require.NoError(t, err)
 
 	assert.Equal(t, 36, len(uuid))
 }
diff --git a/utils/platform/os.go b/utils/platform/os.go
@@ -19,6 +19,7 @@ import (
 	"github.com/shirou/gopsutil/v3/mem"
 
 	"github.com/ARM-software/golang-utils/utils/commonerrors"
+	"github.com/ARM-software/golang-utils/utils/safecast"
 )
 
 var (
@@ -114,7 +115,7 @@ func UpTime() (uptime time.Duration, err error) {
 		err = fmt.Errorf("%w: could not convert uptime '%v' to duration as it exceeds the upper limit for time.Duration", commonerrors.ErrOutOfRange, _uptime)
 		return
 	}
-	uptime = time.Duration(_uptime) * time.Second //nolint:gosec // we have verified the value of _uptime is whithin the upper limit for time.Duration in the above check
+	uptime = time.Duration(safecast.ToInt64(_uptime)) * time.Second
 	return
 }
 
@@ -128,7 +129,7 @@ func BootTime() (bootime time.Time, err error) {
 		err = fmt.Errorf("%w: could not convert uptime '%v' to duration as it exceeds the upper limit for time.Duration", commonerrors.ErrOutOfRange, _bootime)
 		return
 	}
-	bootime = time.Unix(int64(_bootime), 0) //nolint:gosec // we have verified the value of _bootime is whithin the upper limit for time.Duration in the above check
+	bootime = time.Unix(safecast.ToInt64(_bootime), 0)
 	return
 
 }
diff --git a/utils/proc/process.go b/utils/proc/process.go
@@ -14,6 +14,7 @@ import (
 	"github.com/ARM-software/golang-utils/utils/collection"
 	"github.com/ARM-software/golang-utils/utils/commonerrors"
 	"github.com/ARM-software/golang-utils/utils/parallelisation"
+	"github.com/ARM-software/golang-utils/utils/safecast"
 )
 
 const (
@@ -245,7 +246,7 @@ func isProcessRunning(p *process.Process) (running bool) {
 // to get more information about the process. An error will be returned
 // if the process does not exist.
 func NewProcess(ctx context.Context, pid int) (pr IProcess, err error) {
-	p, err := process.NewProcessWithContext(ctx, int32(pid)) //nolint:gosec // Max PID is 2^22 which is within int32 range https://stackoverflow.com/a/6294196
+	p, err := process.NewProcessWithContext(ctx, safecast.ToInt32(pid))
 	err = ConvertProcessError(err)
 	if err != nil {
 		return
diff --git a/utils/reflection/reflection.go b/utils/reflection/reflection.go
@@ -20,7 +20,7 @@ func GetStructureField(field reflect.Value) interface{} {
 	if !field.IsValid() {
 		return nil
 	}
-	return reflect.NewAt(field.Type(), unsafe.Pointer(field.UnsafeAddr())). //nolint:gosec // this conversion is is between types recommended by Go https://cs.opensource.google/go/go/+/master:src/reflect/value.go;l=2445
+	return reflect.NewAt(field.Type(), unsafe.Pointer(field.UnsafeAddr())). //nolint:gosec // this conversion is between types recommended by Go https://cs.opensource.google/go/go/+/master:src/reflect/value.go;l=2445
 										Elem().
 										Interface()
 }
@@ -31,7 +31,7 @@ func SetStructureField(field reflect.Value, value interface{}) {
 	if !field.IsValid() {
 		return
 	}
-	reflect.NewAt(field.Type(), unsafe.Pointer(field.UnsafeAddr())). //nolint:gosec // this conversion is is between types recommended by Go https://cs.opensource.google/go/go/+/master:src/reflect/value.go;l=2445
+	reflect.NewAt(field.Type(), unsafe.Pointer(field.UnsafeAddr())). //nolint:gosec // this conversion is between types recommended by Go https://cs.opensource.google/go/go/+/master:src/reflect/value.go;l=2445
 										Elem().
 										Set(reflect.ValueOf(value))
 }
diff --git a/utils/retry/retry.go b/utils/retry/retry.go
@@ -9,6 +9,7 @@ import (
 	"github.com/go-logr/logr"
 
 	"github.com/ARM-software/golang-utils/utils/commonerrors"
+	"github.com/ARM-software/golang-utils/utils/safecast"
 )
 
 // RetryIf will retry fn when the value returned from retryConditionFn is true
@@ -39,7 +40,7 @@ func RetryIf(ctx context.Context, logger logr.Logger, retryPolicy *RetryPolicyCo
 			retry.MaxDelay(retryPolicy.RetryWaitMax),
 			retry.MaxJitter(25*time.Millisecond),
 			retry.DelayType(retryType),
-			retry.Attempts(uint(retryPolicy.RetryMax)), //nolint:gosec // in normal use this will have had Validate() called which enforces that the minimum number of RetryMax is 0 so it won't overflow
+			retry.Attempts(safecast.ToUint(retryPolicy.RetryMax)),
 			retry.RetryIf(retryConditionFn),
 			retry.LastErrorOnly(true),
 			retry.Context(ctx),
diff --git a/utils/safecast/ReadMe.md b/utils/safecast/ReadMe.md
@@ -0,0 +1,19 @@
+# Safecast
+
+the purpose of this utilities is to perform safe number conversion in go similarly to [go-safecast](https://github.com/ccoVeille/go-safecast) from which they are inspired from.
+It should help tackling gosec [G115 rule](https://github.com/securego/gosec/pull/1149)
+
+    G115: Potential overflow when converting between integer types.
+
+ and [CWE-190](https://cwe.mitre.org/data/definitions/190.html) 
+
+
+    infinite loop
+    access to wrong resource by id
+    grant access to someone who exhausted their quota
+
+Contrary to `go-safecast` no error is returned when attempting casting and the MAX or MIN value of the type is returned instead if the value is beyond the allowed window.
+For instance, `toInt8(255)-> 127` and `toInt8(-255)-> -128`
+
+
+
diff --git a/utils/safecast/boundary.go b/utils/safecast/boundary.go
@@ -0,0 +1,35 @@
+package safecast
+
+func greaterThanUpperBoundary[C1 IConvertable, C2 IConvertable](value C1, upperBoundary C2) (greater bool) {
+	if value <= 0 {
+		return
+	}
+
+	switch f := any(value).(type) {
+	case float64:
+		greater = f >= float64(upperBoundary)
+	case float32:
+		greater = float64(f) >= float64(upperBoundary)
+	default:
+		// for all other integer types, it fits in an uint64 without overflow as we know value is positive.
+		greater = uint64(value) > uint64(upperBoundary)
+	}
+
+	return
+}
+
+func lessThanLowerBoundary[T IConvertable, T2 IConvertable](value T, boundary T2) (lower bool) {
+	if value >= 0 {
+		return
+	}
+
+	switch f := any(value).(type) {
+	case float64:
+		lower = f <= float64(boundary)
+	case float32:
+		lower = float64(f) <= float64(boundary)
+	default:
+		lower = int64(value) < int64(boundary)
+	}
+	return
+}
diff --git a/utils/safecast/cast.go b/utils/safecast/cast.go
diff --git a/utils/safecast/cast_test.go b/utils/safecast/cast_test.go
diff --git a/utils/safecast/fuzzcast_test.go b/utils/safecast/fuzzcast_test.go
diff --git a/utils/safecast/number.go b/utils/safecast/number.go

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	+:sparkles: `[safecast]` Introduced utilities to perform casting safely and protect against [CWE-190](https://cwe.mitre.org/data/definitions/190.html)
Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,7 @@ import (`
`18`	`18`	`"github.com/ARM-software/golang-utils/utils/collection"`
`19`	`19`	`"github.com/ARM-software/golang-utils/utils/commonerrors"`
`20`	`20`	`"github.com/ARM-software/golang-utils/utils/parallelisation"`
	`21`	`+ "github.com/ARM-software/golang-utils/utils/safecast"`
`21`	`22`	`"github.com/ARM-software/golang-utils/utils/safeio"`
`22`	`23`	`)`
`23`	`24`
`@@ -356,16 +357,16 @@ func (fs *VFS) unzip(ctx context.Context, source string, destination string, lim`
`356`	`357`	`fileCounter.Inc()`
`357`	`358`	`fileList = append(fileList, filePath)`
`358`	`359`	`}`
`359`		`- totalSizeOnDisk.Add(uint64(fileSizeOnDisk)) //nolint:gosec // file size is positive and uint64 has more bits than int64 so no overflow`
	`360`	`+ totalSizeOnDisk.Add(safecast.ToUint64(fileSizeOnDisk))`
`360`	`361`	`}`
`361`	`362`	`} else {`
`362`		`- totalSizeOnDisk.Add(uint64(fileSizeOnDisk)) //nolint:gosec // file size is positive and uint64 has more bits than int64 so no overflow`
	`363`	`+ totalSizeOnDisk.Add(safecast.ToUint64(fileSizeOnDisk))`
`363`	`364`	`}`
`364`	`365`
`365`	`366`	`if limits.Apply() && totalSizeOnDisk.Load() > limits.GetMaxTotalSize() {`
`366`	`367`	`return fileList, fileCounter.Load(), totalSizeOnDisk.Load(), fmt.Errorf("%w: more than %v B of disk space was used while unzipping %v (%v B used already)", commonerrors.ErrTooLarge, limits.GetMaxTotalSize(), source, totalSizeOnDisk.Load())`
`367`	`368`	`}`
`368`		`- if filecount := fileCounter.Load(); limits.Apply() && filecount <= math.MaxInt64 && int64(filecount) > limits.GetMaxFileCount() { //nolint:gosec // if filecount of uint64 is greater than the max value of int64 then it must be greater than GetMaxFileCount as that is an int64`
	`369`	`+ if filecount := fileCounter.Load(); limits.Apply() && filecount <= math.MaxInt64 && safecast.ToInt64(filecount) > limits.GetMaxFileCount() {`
`369`	`370`	`return fileList, filecount, totalSizeOnDisk.Load(), fmt.Errorf("%w: more than %v files were created while unzipping %v (%v files created already)", commonerrors.ErrTooLarge, limits.GetMaxFileCount(), source, filecount)`
`370`	`371`	`}`
`371`	`372`	`}`
Original file line number	Diff line number	Diff line change
`@@ -19,6 +19,7 @@ import (`
`19`	`19`	`"github.com/shirou/gopsutil/v3/mem"`
`20`	`20`
`21`	`21`	`"github.com/ARM-software/golang-utils/utils/commonerrors"`
	`22`	`+ "github.com/ARM-software/golang-utils/utils/safecast"`
`22`	`23`	`)`
`23`	`24`
`24`	`25`	`var (`
`@@ -114,7 +115,7 @@ func UpTime() (uptime time.Duration, err error) {`
`114`	`115`	`err = fmt.Errorf("%w: could not convert uptime '%v' to duration as it exceeds the upper limit for time.Duration", commonerrors.ErrOutOfRange, _uptime)`
`115`	`116`	`return`
`116`	`117`	`}`
`117`		`- uptime = time.Duration(_uptime) * time.Second //nolint:gosec // we have verified the value of _uptime is whithin the upper limit for time.Duration in the above check`
	`118`	`+ uptime = time.Duration(safecast.ToInt64(_uptime)) * time.Second`
`118`	`119`	`return`
`119`	`120`	`}`
`120`	`121`
`@@ -128,7 +129,7 @@ func BootTime() (bootime time.Time, err error) {`
`128`	`129`	`err = fmt.Errorf("%w: could not convert uptime '%v' to duration as it exceeds the upper limit for time.Duration", commonerrors.ErrOutOfRange, _bootime)`
`129`	`130`	`return`
`130`	`131`	`}`
`131`		`- bootime = time.Unix(int64(_bootime), 0) //nolint:gosec // we have verified the value of _bootime is whithin the upper limit for time.Duration in the above check`
	`132`	`+ bootime = time.Unix(safecast.ToInt64(_bootime), 0)`
`132`	`133`	`return`
`133`	`134`
`134`	`135`	`}`
Original file line number	Diff line number	Diff line change
`@@ -20,7 +20,7 @@ func GetStructureField(field reflect.Value) interface{} {`
`20`	`20`	`if !field.IsValid() {`
`21`	`21`	`return nil`
`22`	`22`	`}`
`23`		`- return reflect.NewAt(field.Type(), unsafe.Pointer(field.UnsafeAddr())). //nolint:gosec // this conversion is is between types recommended by Go https://cs.opensource.google/go/go/+/master:src/reflect/value.go;l=2445`
	`23`	`+ return reflect.NewAt(field.Type(), unsafe.Pointer(field.UnsafeAddr())). //nolint:gosec // this conversion is between types recommended by Go https://cs.opensource.google/go/go/+/master:src/reflect/value.go;l=2445`
`24`	`24`	`Elem().`
`25`	`25`	`Interface()`
`26`	`26`	`}`
`@@ -31,7 +31,7 @@ func SetStructureField(field reflect.Value, value interface{}) {`
`31`	`31`	`if !field.IsValid() {`
`32`	`32`	`return`
`33`	`33`	`}`
`34`		`- reflect.NewAt(field.Type(), unsafe.Pointer(field.UnsafeAddr())). //nolint:gosec // this conversion is is between types recommended by Go https://cs.opensource.google/go/go/+/master:src/reflect/value.go;l=2445`
	`34`	`+ reflect.NewAt(field.Type(), unsafe.Pointer(field.UnsafeAddr())). //nolint:gosec // this conversion is between types recommended by Go https://cs.opensource.google/go/go/+/master:src/reflect/value.go;l=2445`
`35`	`35`	`Elem().`
`36`	`36`	`Set(reflect.ValueOf(value))`
`37`	`37`	`}`