
Validation of integers needs a review

Open lojikil opened this issue 4 years ago • 4 comments

I'm just picking on integers right now, because that's top of mind, but:

  • strconv.Atoi is almost never correct; I cover this in a few different talks
  • We list strconv.ParseInt but not ParseUint (thanks @disconnect3d for pointing that out)
  • We need to explain that many things take flows that are int but can pun those flows to int32 or int64 or uint flavors without the compiler complaining, but can lead to various issues. I spoke about this vis-a-vis Kubernetes in my talk at OWASP Global AppSec DC.

lojikil avatar Sep 21 '20 13:09 lojikil
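An added example (not code from the Go-SCP project or from this thread) that illustrates the three points above in Go: Atoi followed by a pun to int32 wraps silently, ParseInt with an explicit bitSize rejects the same input, and ParseUint rejects negatives. The inputs are constructed samples and a 64-bit platform int is assumed.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
)

// ParseWithAtoi shows the risky pattern: Atoi yields a platform-sized int
// that is then punned to int32; values above 2^31-1 wrap silently.
func ParseWithAtoi(s string) (int32, error) {
	n, err := strconv.Atoi(s)
	if err != nil {
		return 0, err
	}
	return int32(n), nil // no range check: 4294967295 becomes -1
}

// ParseInt32 passes an explicit bitSize so out-of-range input is rejected
// by strconv (ErrRange) instead of being truncated downstream.
func ParseInt32(s string) (int32, error) {
	n, err := strconv.ParseInt(s, 10, 32)
	if err != nil {
		return 0, err
	}
	return int32(n), nil
}

// ParseUint16 is for naturally unsigned quantities (ports, counts): a leading
// minus is a syntax error and anything above 65535 is a range error.
func ParseUint16(s string) (uint16, error) {
	n, err := strconv.ParseUint(s, 10, 16)
	if err != nil {
		return 0, err
	}
	return uint16(n), nil
}

// IsRangeError reports whether err wraps strconv.ErrRange.
func IsRangeError(err error) bool { return errors.Is(err, strconv.ErrRange) }

func main() {
	const in = "4294967295" // constructed sample: 2^32-1, fits a 64-bit int
	v, err := ParseWithAtoi(in)
	fmt.Println("Atoi then int32:", v, err) // -1 <nil> on 64-bit platforms
	_, err = ParseInt32(in)
	fmt.Println("ParseInt bitSize=32:", err) // value out of range
	_, err = ParseUint16("-1")
	fmt.Println("ParseUint bitSize=16:", err) // invalid syntax
}
```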

These are interesting @lojikil. You are more than welcome to contribute.

ErezYalon avatar Sep 29 '20 07:09 ErezYalon

@ErezYalon I actually spoke with @PauloASilva about these in OWASP Slack; I'll try to issue some PRs this week!

lojikil avatar Oct 09 '20 08:10 lojikil

I would like to work on it. Please assign me this @ErezYalon

tusharxoxoxo avatar Dec 09 '21 18:12 tusharxoxoxo

@tusharxoxoxo feel free to open a PR with the required changes, with a reference to this issue.

Cheers, Paulo A. Silva

PauloASilva avatar Dec 13 '21 14:12 PauloASilva