Validation of integers needs a review #72

lojikil · 2020-09-21T13:37:14Z

I'm just picking on integers right now, because that's top of mind, but:

strconv.Atoi is almost never correct; I cover this in a few different talks
We list strconv.ParseInt but not ParseUint (thanks @disconnect3d for pointing that out)
We need to explain that many things take flows that are int but can pun those flows to int32 or int64 or uint flavors without the compiler complaining, but can lead to various issues. I spoke about this vis-a-vis Kubernetes in my talk at OWASP Global AppSec DC.

The text was updated successfully, but these errors were encountered:

ErezYalon · 2020-09-29T07:27:30Z

These are interesting @lojikil. You are more than welcome to contribute.

lojikil · 2020-10-09T08:47:09Z

@ErezYalon I actually spoke with @PauloASilva about these in OWASP Slack; I'll try to issue some PRs this week!

tusharxoxoxo · 2021-12-09T18:22:41Z

I would like to work on it. Please assign me this @ErezYalon

PauloASilva · 2021-12-13T14:27:02Z

@tusharxoxoxo feel free to open a PR with the required changes, with a reference to this issue.

Cheers,
Paulo A. silva

Provide feedback