fix: fix cast security issue #3243

Yisaer · 2024-09-27T03:34:07Z

No description provided.

Signed-off-by: Song Gao <[email protected]>

codecov · 2024-09-27T04:36:58Z

Codecov Report

Attention: Patch coverage is 15.78947% with 32 lines in your changes missing coverage. Please review.

Project coverage is 70.74%. Comparing base (b898083) to head (3762f80).
Report is 11 commits behind head on master.

Files with missing lines	Patch %	Lines
pkg/cast/cast.go	0.00%	10 Missing and 5 partials ⚠️
...rnal/converter/protobuf/fieldConverterSingleton.go	0.00%	8 Missing and 4 partials ⚠️
pkg/tracer/manager.go	60.00%	2 Missing ⚠️
pkg/tracer/tracer.go	0.00%	2 Missing ⚠️
internal/server/tracer.go	0.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #3243      +/-   ##
==========================================
- Coverage   70.85%   70.74%   -0.11%     
==========================================
  Files         395      395              
  Lines       44335    44424      +89     
==========================================
+ Hits        31411    31427      +16     
- Misses      10430    10488      +58     
- Partials     2494     2509      +15

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

internal/converter/protobuf/fieldConverterSingleton.go

ngjaying · 2024-09-29T00:59:29Z

internal/converter/protobuf/fieldConverterSingleton.go

@@ -122,6 +126,9 @@ func (fc *FieldConverter) EncodeField(field *desc.FieldDescriptor, v interface{}
 				if err != nil {
 					return 0, nil
 				} else {
+					if r > math.MaxUint32 {
+						return 0, fmt.Errorf("value %d is out of uint32 range", v)


The same as above

ngjaying · 2024-09-29T00:59:39Z

internal/converter/protobuf/fieldConverterSingleton.go

@@ -174,6 +181,9 @@ func (fc *FieldConverter) encodeSingleField(field *desc.FieldDescriptor, v inter
 	case dpb.FieldDescriptorProto_TYPE_INT32, dpb.FieldDescriptorProto_TYPE_SFIXED32, dpb.FieldDescriptorProto_TYPE_SINT32, dpb.FieldDescriptorProto_TYPE_ENUM:
 		r, err := cast.ToInt(v, cast.CONVERT_SAMEKIND)
 		if err == nil {
+			if r > math.MaxInt32 {
+				return 0, fmt.Errorf("value %d is out of int32 range", v)


The same as above

ngjaying · 2024-09-29T00:59:48Z

internal/converter/protobuf/fieldConverterSingleton.go

@@ -188,6 +198,9 @@ func (fc *FieldConverter) encodeSingleField(field *desc.FieldDescriptor, v inter
 	case dpb.FieldDescriptorProto_TYPE_FIXED32, dpb.FieldDescriptorProto_TYPE_UINT32:
 		r, err := cast.ToUint64(v, cast.CONVERT_SAMEKIND)
 		if err == nil {
+			if r > math.MaxUint32 {
+				return 0, fmt.Errorf("value %d is out of uint32 range", v)


The same as above

Signed-off-by: Song Gao <[email protected]>

fix cast issue

334c25b

Signed-off-by: Song Gao <[email protected]>

Yisaer requested a review from ngjaying September 27, 2024 03:34

fix sec issue

c71dc04

Signed-off-by: Song Gao <[email protected]>

ngjaying reviewed Sep 29, 2024

View reviewed changes

fix

3762f80

Signed-off-by: Song Gao <[email protected]>

ngjaying approved these changes Sep 29, 2024

View reviewed changes

ngjaying merged commit 58c15a6 into lf-edge:master Sep 29, 2024
53 of 56 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: fix cast security issue #3243

fix: fix cast security issue #3243

Yisaer commented Sep 27, 2024

codecov bot commented Sep 27, 2024 •

edited

Loading

ngjaying Sep 29, 2024

ngjaying Sep 29, 2024

ngjaying Sep 29, 2024

fix: fix cast security issue #3243

fix: fix cast security issue #3243

Conversation

Yisaer commented Sep 27, 2024

codecov bot commented Sep 27, 2024 • edited Loading

Codecov Report

ngjaying Sep 29, 2024

Choose a reason for hiding this comment

ngjaying Sep 29, 2024

Choose a reason for hiding this comment

ngjaying Sep 29, 2024

Choose a reason for hiding this comment

codecov bot commented Sep 27, 2024 •

edited

Loading