
Fix potential array out of bounds in the runtime #437

Merged
merged 4 commits into from
Oct 8, 2024

Conversation

mattjohnsonpint
Collaborator

@mattjohnsonpint mattjohnsonpint commented Oct 8, 2024

Fixes https://github.com/hypermodeinc/modus/security/code-scanning/2

To fix the problem, we need to ensure that the value returned by strconv.Atoi is within the bounds of uint32 before performing the conversion. This can be done by checking if the parsed integer is within the range of 0 to math.MaxUint32. If the value is out of bounds, we should return an error.

  1. Modify the ArrayLength function to include bounds checking for the parsed integer.
  2. Use strconv.ParseUint with a bit size of 32 to directly parse the string into a uint32 if possible.

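The two approaches the description lists, shown side by side as an added example (this is not the runtime's own code; `arrayLengthUnchecked`, `arrayLengthChecked` and `arrayLengthRangeChecked` are hypothetical names). The unchecked variant reproduces the pattern the scanner flagged: `strconv.Atoi` returns a platform-sized `int`, and a bare `uint32(...)` conversion wraps negatives and truncates values above `math.MaxUint32` instead of failing. The other two reject such input, either by parsing with `strconv.ParseUint(s, 10, 32)` or by range-checking the `Atoi` result before converting.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"strconv"
)

// arrayLengthUnchecked mirrors the pattern the code-scanning alert describes:
// the int from strconv.Atoi is converted to uint32 without a bounds check,
// so "-1" silently becomes 4294967295 and, on 64-bit builds, "4294967296"
// becomes 0. Hypothetical illustration only, not the runtime's code.
func arrayLengthUnchecked(s string) (uint32, error) {
	n, err := strconv.Atoi(s)
	if err != nil {
		return 0, err
	}
	return uint32(n), nil // wraps/truncates out-of-range values
}

// arrayLengthChecked is option 2 from the description: parse with an explicit
// bit size of 32, so negatives and anything above math.MaxUint32 are parse
// errors (ParseUint reports ErrRange via *strconv.NumError) rather than wraps.
func arrayLengthChecked(s string) (uint32, error) {
	n, err := strconv.ParseUint(s, 10, 32)
	if err != nil {
		return 0, fmt.Errorf("invalid array length %q: %w", s, err)
	}
	return uint32(n), nil
}

// arrayLengthRangeChecked is option 1 from the description: keep strconv.Atoi
// but verify the parsed int lies in [0, math.MaxUint32] before converting.
// The n < 0 check comes first so the uint64 cast never sees a negative value.
func arrayLengthRangeChecked(s string) (uint32, error) {
	n, err := strconv.Atoi(s)
	if err != nil {
		return 0, err
	}
	if n < 0 || uint64(n) > math.MaxUint32 {
		return 0, errors.New("array length out of uint32 range: " + s)
	}
	return uint32(n), nil
}

func main() {
	// Constructed sample inputs: a valid length, a negative, and 2^32.
	for _, s := range []string{"16", "-1", "4294967296"} {
		u, uerr := arrayLengthUnchecked(s)
		c, cerr := arrayLengthChecked(s)
		r, rerr := arrayLengthRangeChecked(s)
		fmt.Printf("%-11s unchecked=%d (%v)  parseuint=%d (%v)  rangechecked=%d (%v)\n",
			s, u, uerr, c, cerr, r, rerr)
	}
}
```

Note that on a range failure `strconv.ParseUint` returns the maximum `uint32` value together with the error, so the error must be checked before the value is used; `arrayLengthChecked` does this by returning 0 on any error.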
mattjohnsonpint and others added 3 commits October 7, 2024 18:48
…ypes

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@mattjohnsonpint mattjohnsonpint changed the title Fix code scanning alert no. 2: Incorrect conversion between integer types Fix potential array out of bounds in the runtime Oct 8, 2024
@mattjohnsonpint
Collaborator Author

Note, this is unlikely, and not really a security issue. But fixed nonetheless.

@mattjohnsonpint mattjohnsonpint marked this pull request as ready for review October 8, 2024 01:59
@mattjohnsonpint mattjohnsonpint requested a review from a team as a code owner October 8, 2024 01:59
@mattjohnsonpint mattjohnsonpint enabled auto-merge (squash) October 8, 2024 02:00
jairad26
jairad26 previously approved these changes Oct 8, 2024
@mattjohnsonpint mattjohnsonpint merged commit 1ed5256 into main Oct 8, 2024
70 checks passed
@mattjohnsonpint mattjohnsonpint deleted the autofix/alert-2-27a726da92 branch October 8, 2024 02:11
@mattjohnsonpint mattjohnsonpint added this to the v0.13.0 milestone Oct 8, 2024