Overview
Running gosec -quiet -fmt=json ./... reported 277 findings.
Breakdown:
G115 integer overflow conversion: 272 findingsG103 use of unsafe calls should be audited: 5 findings
Most findings are integer conversions in MessagePack encode/decode paths.
The decode-side narrowing conversions should be treated as the highest priority because they can silently truncate or wrap attacker-controlled input.
Action Items
1. Add range checks for decode-side narrowing conversions
Affected areas include:
internal/decoding/interface.gointernal/decoding/slice.gointernal/decoding/map.gointernal/stream/decoding/interface.gointernal/stream/decoding/slice.gointernal/stream/decoding/map.go
Examples:
uint64 -> uint8uint64 -> uint16uint64 -> uint32int64 -> int8int64 -> int16int64 -> int32
These conversions can currently wrap if the encoded value is outside the destination type’s range. Add explicit checks using limits such as math.MaxUint8, math.MaxUint16, math.MaxUint32, math.MinInt8, etc., and
return a decode error when the value is out of range.
2. Review signed/unsigned conversion behavior
Affected areas include:
internal/decoding/int.gointernal/decoding/uint.gointernal/stream/decoding/int.gointernal/stream/decoding/uint.go
Examples:
uint64 -> int64- negative integer values decoded into
uint64
uint16 -> int16uint32 -> int32
Clarify the intended behavior for decoding negative MessagePack integers into unsigned Go types. If negative values should not be accepted for unsigned destinations, return an error instead of converting them to large
unsigned values. Also reject uint64 values that do not fit into int64.
3. Clean up or suppress intentional encode-side byte conversions
Affected areas include:
internal/encoding/set.gointernal/stream/encoding/set.goext/encode.goext/encode_stream.go
Many findings here are likely intentional byte extraction for MessagePack wire encoding, such as byte(value >> 8). Prefer encoding/binary.BigEndian.PutUint16/32/64 where it improves clarity. For conversions that are
required by the MessagePack format, add narrowly scoped // #nosec G115 -- ... comments with a clear reason.
4. Remove or audit unsafe string/byte conversions
Affected areas include:
internal/encoding/string.gointernal/stream/encoding/string.gointernal/decoding/bin.gointernal/stream/decoding/bin.go
The encode-side string -> []byte usage appears unnecessary when only the length is needed; len(str) should be enough. For decode-side []byte -> string, decide whether the copy avoidance is worth the aliasing risk.
Suggested approach:
- Replace with safe conversions where practical.
- Run benchmarks if performance is a concern.
- If
unsafe remains necessary, add narrowly scoped // #nosec G103 -- ... comments explaining why it is safe.
Done Criteria
Overview
Running
gosec -quiet -fmt=json ./...reported 277 findings.Breakdown:
G115integer overflow conversion: 272 findingsG103use of unsafe calls should be audited: 5 findingsMost findings are integer conversions in MessagePack encode/decode paths.
The decode-side narrowing conversions should be treated as the highest priority because they can silently truncate or wrap attacker-controlled input.
Action Items
1. Add range checks for decode-side narrowing conversions
Affected areas include:
internal/decoding/interface.gointernal/decoding/slice.gointernal/decoding/map.gointernal/stream/decoding/interface.gointernal/stream/decoding/slice.gointernal/stream/decoding/map.goExamples:
uint64 -> uint8uint64 -> uint16uint64 -> uint32int64 -> int8int64 -> int16int64 -> int32These conversions can currently wrap if the encoded value is outside the destination type’s range. Add explicit checks using limits such as
math.MaxUint8,math.MaxUint16,math.MaxUint32,math.MinInt8, etc., andreturn a decode error when the value is out of range.
2. Review signed/unsigned conversion behavior
Affected areas include:
internal/decoding/int.gointernal/decoding/uint.gointernal/stream/decoding/int.gointernal/stream/decoding/uint.goExamples:
uint64 -> int64uint64uint16 -> int16uint32 -> int32Clarify the intended behavior for decoding negative MessagePack integers into unsigned Go types. If negative values should not be accepted for unsigned destinations, return an error instead of converting them to large
unsigned values. Also reject
uint64values that do not fit intoint64.3. Clean up or suppress intentional encode-side byte conversions
Affected areas include:
internal/encoding/set.gointernal/stream/encoding/set.goext/encode.goext/encode_stream.goMany findings here are likely intentional byte extraction for MessagePack wire encoding, such as
byte(value >> 8). Preferencoding/binary.BigEndian.PutUint16/32/64where it improves clarity. For conversions that arerequired by the MessagePack format, add narrowly scoped
// #nosec G115 -- ...comments with a clear reason.4. Remove or audit unsafe string/byte conversions
Affected areas include:
internal/encoding/string.gointernal/stream/encoding/string.gointernal/decoding/bin.gointernal/stream/decoding/bin.goThe encode-side
string -> []byteusage appears unnecessary when only the length is needed;len(str)should be enough. For decode-side[]byte -> string, decide whether the copy avoidance is worth the aliasing risk.Suggested approach:
unsaferemains necessary, add narrowly scoped// #nosec G103 -- ...comments explaining why it is safe.Done Criteria
gosec ./...reports only fixed or intentionally suppressed findings.