[L-6] Integer truncation on 32-bit platforms #430

@chaliy

Finding L-6: Integer Truncation on 32-bit Platforms

Severity: LOW
Files:

  • crates/bashkit/src/network/client.rs:236,419 (content_length as usize)
  • crates/bashkit-python/src/lib.rs:197,200 (u64 as usize for limits)

Threat ID: TM-DOS-040

Description

On 32-bit platforms, casting u64 to usize silently truncates large values. A Content-Length: 5368709120 (5GB) truncates to ~1GB on 32-bit, potentially bypassing size checks.

Recommended Fix

Use usize::try_from() or check that the value fits before casting:

```rust
// Saturate to usize::MAX when the u64 value does not fit in usize.
let size = usize::try_from(content_length)
    .unwrap_or(usize::MAX);
```

Write a failing test first per AGENTS.md.
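
The truncation and the checked conversion described in this issue, side by side, as an added example that is not part of the original issue or the bashkit code base. `Usize32`, `MAX_BODY`, `SizeError` and both function names are hypothetical; `u32` stands in for a 32-bit `usize` so the behaviour reproduces on a 64-bit host.

```rust
// Added example, not bashkit code. `Usize32` stands in for `usize` on a
// 32-bit target so the truncation reproduces on a 64-bit host.
use std::convert::TryFrom; // in the prelude from the 2021 edition onward

type Usize32 = u32;

/// Hypothetical response-size limit (2 GiB), chosen for the demonstration.
const MAX_BODY: Usize32 = 2 * 1024 * 1024 * 1024;

#[derive(Debug, PartialEq)]
enum SizeError {
    /// Declared Content-Length exceeds the limit; carries the declared value.
    TooLarge(u64),
}

/// Flawed pattern: `as` keeps only the low 32 bits, so the limit check
/// sees a small number and passes.
fn check_truncating(content_length: u64) -> Result<Usize32, SizeError> {
    let size = content_length as Usize32;
    if size > MAX_BODY {
        return Err(SizeError::TooLarge(content_length));
    }
    Ok(size)
}

/// Checked pattern from the issue: a value that does not fit saturates to
/// the maximum, which the limit check then rejects. This relies on
/// MAX_BODY being below Usize32::MAX.
fn check_checked(content_length: u64) -> Result<Usize32, SizeError> {
    let size = Usize32::try_from(content_length).unwrap_or(Usize32::MAX);
    if size > MAX_BODY {
        return Err(SizeError::TooLarge(content_length));
    }
    Ok(size)
}

fn main() {
    let declared: u64 = 5_368_709_120; // Content-Length value from the issue
    println!("truncating: {:?}", check_truncating(declared));
    println!("checked:    {:?}", check_checked(declared));
}
```

If a limit can legitimately equal the maximum of the narrow type, the saturated value passes the check, so compare against the limit in `u64` before converting.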
