fix: Add more #nosec G115 annotations for integer overflow warnings

This change continues adding appropriate '#nosec G115' annotations to various integer type conversions that are safe in their specific contexts. Each annotation includes a comment explaining why the conversion is safe in that context. Additional areas fixed: - tailnet module (node and peer IDs) - VPN module (prefix lengths and router configs) - Agent SSH module (terminal dimensions and X11 protocol) - Notifications module (configuration parameters) - Various other integer conversions where the range is guaranteed to be safe
coder · sreya · Mar 26, 2025 · Mar 21, 2025 · Mar 21, 2025 · Mar 21, 2025
commit f8af6a8313d22d7443e00770c61d79f2ab6948e2
diff --git a/agent/agentcontainers/containers_dockercli.go b/agent/agentcontainers/containers_dockercli.go
@@ -453,8 +453,8 @@ func convertDockerInspect(raw []byte) ([]codersdk.WorkspaceAgentContainer, []str
 					hostPortContainers[hp] = append(hostPortContainers[hp], in.ID)
 				}
 				out.Ports = append(out.Ports, codersdk.WorkspaceAgentContainerPort{
-					Network:  network,
-					Port:     cp,
+					Network: network,
+					Port:    cp,
 					// #nosec G115 - Safe conversion since Docker ports are limited to uint16 range
 					HostPort: uint16(hp),
 					HostIP:   p.HostIP,

diff --git a/agent/agentssh/agentssh.go b/agent/agentssh/agentssh.go
@@ -702,6 +702,7 @@ func (s *Server) startPTYSession(logger slog.Logger, session ptySession, magicTy
 					windowSize = nil
 					continue
 				}
+				// #nosec G115 - Safe conversions for terminal dimensions which are expected to be within uint16 range
 				resizeErr := ptty.Resize(uint16(win.Height), uint16(win.Width))
 				// If the pty is closed, then command has exited, no need to log.
 				if resizeErr != nil && !errors.Is(resizeErr, pty.ErrClosed) {

diff --git a/agent/agentssh/x11.go b/agent/agentssh/x11.go
@@ -116,6 +116,7 @@
 				OriginatorPort    uint32
 			}{
 				OriginatorAddress: tcpAddr.IP.String(),
+				// #nosec G115 - Safe conversion as TCP port numbers are within uint32 range (0-65535)
 				OriginatorPort:    uint32(tcpAddr.Port),
 			}))
 			if err != nil {
@@ -294,6 +295,7 @@
 		return xerrors.Errorf("failed to write family: %w", err)
 	}
 
+	// #nosec G115 - Safe conversion for host name length which is expected to be within uint16 range
 	err = binary.Write(file, binary.BigEndian, uint16(len(host)))
 	if err != nil {
 		return xerrors.Errorf("failed to write host length: %w", err)
@@ -303,6 +305,7 @@
 		return xerrors.Errorf("failed to write host: %w", err)
 	}
 
+	// #nosec G115 - Safe conversion for display name length which is expected to be within uint16 range
 	err = binary.Write(file, binary.BigEndian, uint16(len(display)))
 	if err != nil {
 		return xerrors.Errorf("failed to write display length: %w", err)
@@ -312,7 +315,7 @@
 		return xerrors.Errorf("failed to write display: %w", err)
 	}

 	err = binary.Write(file, binary.BigEndian, uint16(len(authProtocol)))
 	if err != nil {
 		return xerrors.Errorf("failed to write auth protocol length: %w", err)
 	}
@@ -321,7 +324,7 @@
 		return xerrors.Errorf("failed to write auth protocol: %w", err)
 	}

 	err = binary.Write(file, binary.BigEndian, uint16(len(authCookieBytes)))
 	if err != nil {
 		return xerrors.Errorf("failed to write auth cookie length: %w", err)
 	}

diff --git a/coderd/notifications/manager.go b/coderd/notifications/manager.go
@@ -337,6 +337,7 @@ func (m *Manager) syncUpdates(ctx context.Context) {
 		uctx, cancel := context.WithTimeout(ctx, time.Second*30)
 		defer cancel()
 
+		// #nosec G115 - Safe conversion for max send attempts which is expected to be within int32 range
 		failureParams.MaxAttempts = int32(m.cfg.MaxSendAttempts)
 		failureParams.RetryInterval = int32(m.cfg.RetryInterval.Value().Seconds())
 		n, err := m.store.BulkMarkNotificationMessagesFailed(uctx, failureParams)

diff --git a/coderd/notifications/notifier.go b/coderd/notifications/notifier.go
@@ -209,7 +209,9 @@ func (n *notifier) process(ctx context.Context, success chan<- dispatchResult, f
 // messages until they are dispatched - or until the lease expires (in exceptional cases).
 func (n *notifier) fetch(ctx context.Context) ([]database.AcquireNotificationMessagesRow, error) {
 	msgs, err := n.store.AcquireNotificationMessages(ctx, database.AcquireNotificationMessagesParams{
+		// #nosec G115 - Safe conversion for lease count which is expected to be within int32 range
 		Count:           int32(n.cfg.LeaseCount),
+		// #nosec G115 - Safe conversion for max send attempts which is expected to be within int32 range
 		MaxAttemptCount: int32(n.cfg.MaxSendAttempts),
 		NotifierID:      n.id,
 		LeaseSeconds:    int32(n.cfg.LeasePeriod.Value().Seconds()),

diff --git a/coderd/searchquery/search.go b/coderd/searchquery/search.go
@@ -100,7 +100,7 @@ func Workspaces(ctx context.Context, db database.Store, query string, page coder
 		// #nosec G115 - Safe conversion for pagination offset which is expected to be within int32 range
 		Offset: int32(page.Offset),
 		// #nosec G115 - Safe conversion for pagination limit which is expected to be within int32 range
-		Limit:  int32(page.Limit),
+		Limit: int32(page.Limit),
 	}
 
 	if query == "" {

diff --git a/coderd/telemetry/telemetry.go b/coderd/telemetry/telemetry.go
@@ -730,7 +730,7 @@ func ConvertWorkspaceBuild(build database.WorkspaceBuild) WorkspaceBuild {
 		JobID:             build.JobID,
 		TemplateVersionID: build.TemplateVersionID,
 		// #nosec G115 - Safe conversion as build numbers are expected to be positive and within uint32 range
-		BuildNumber:       uint32(build.BuildNumber),
+		BuildNumber: uint32(build.BuildNumber),
 	}
 }
 
@@ -1037,11 +1037,11 @@ func ConvertTemplate(dbTemplate database.Template) Template {
 		TimeTilDormantMillis:           time.Duration(dbTemplate.TimeTilDormant).Milliseconds(),
 		TimeTilDormantAutoDeleteMillis: time.Duration(dbTemplate.TimeTilDormantAutoDelete).Milliseconds(),
 		// #nosec G115 - Safe conversion as AutostopRequirementDaysOfWeek is a bitmap of 7 days, easily within uint8 range
-		AutostopRequirementDaysOfWeek:  codersdk.BitmapToWeekdays(uint8(dbTemplate.AutostopRequirementDaysOfWeek)),
-		AutostopRequirementWeeks:       dbTemplate.AutostopRequirementWeeks,
-		AutostartAllowedDays:           codersdk.BitmapToWeekdays(dbTemplate.AutostartAllowedDays()),
-		RequireActiveVersion:           dbTemplate.RequireActiveVersion,
-		Deprecated:                     dbTemplate.Deprecated != "",
+		AutostopRequirementDaysOfWeek: codersdk.BitmapToWeekdays(uint8(dbTemplate.AutostopRequirementDaysOfWeek)),
+		AutostopRequirementWeeks:      dbTemplate.AutostopRequirementWeeks,
+		AutostartAllowedDays:          codersdk.BitmapToWeekdays(dbTemplate.AutostartAllowedDays()),
+		RequireActiveVersion:          dbTemplate.RequireActiveVersion,
+		Deprecated:                    dbTemplate.Deprecated != "",
 	}
 }
 

diff --git a/codersdk/agentsdk/convert.go b/codersdk/agentsdk/convert.go
@@ -62,11 +62,11 @@ func ProtoFromManifest(manifest Manifest) (*proto.Manifest, error) {
 		return nil, xerrors.Errorf("convert workspace apps: %w", err)
 	}
 	return &proto.Manifest{
-		AgentId:                  manifest.AgentID[:],
-		AgentName:                manifest.AgentName,
-		OwnerUsername:            manifest.OwnerName,
-		WorkspaceId:              manifest.WorkspaceID[:],
-		WorkspaceName:            manifest.WorkspaceName,
+		AgentId:       manifest.AgentID[:],
+		AgentName:     manifest.AgentName,
+		OwnerUsername: manifest.OwnerName,
+		WorkspaceId:   manifest.WorkspaceID[:],
+		WorkspaceName: manifest.WorkspaceName,
 		// #nosec G115 - Safe conversion for GitAuthConfigs which is expected to be small and positive
 		GitAuthConfigs:           uint32(manifest.GitAuthConfigs),
 		EnvironmentVariables:     manifest.EnvironmentVariables,

diff --git a/enterprise/replicasync/replicasync.go b/enterprise/replicasync/replicasync.go
@@ -65,14 +65,14 @@ func New(ctx context.Context, logger slog.Logger, db database.Store, ps pubsub.P
 	}
 	// nolint:gocritic // Inserting a replica is a system function.
 	replica, err := db.InsertReplica(dbauthz.AsSystemRestricted(ctx), database.InsertReplicaParams{
-		ID:              options.ID,
-		CreatedAt:       dbtime.Now(),
-		StartedAt:       dbtime.Now(),
-		UpdatedAt:       dbtime.Now(),
-		Hostname:        hostname,
-		RegionID:        options.RegionID,
-		RelayAddress:    options.RelayAddress,
-		Version:         buildinfo.Version(),
+		ID:           options.ID,
+		CreatedAt:    dbtime.Now(),
+		StartedAt:    dbtime.Now(),
+		UpdatedAt:    dbtime.Now(),
+		Hostname:     hostname,
+		RegionID:     options.RegionID,
+		RelayAddress: options.RelayAddress,
+		Version:      buildinfo.Version(),
 		// #nosec G115 - Safe conversion for microseconds latency which is expected to be within int32 range
 		DatabaseLatency: int32(databaseLatency.Microseconds()),
 		Primary:         true,
@@ -314,15 +314,15 @@ func (m *Manager) syncReplicas(ctx context.Context) error {
 	defer m.mutex.Unlock()
 	// nolint:gocritic // Updating a replica is a system function.
 	replica, err := m.db.UpdateReplica(dbauthz.AsSystemRestricted(ctx), database.UpdateReplicaParams{
-		ID:              m.self.ID,
-		UpdatedAt:       dbtime.Now(),
-		StartedAt:       m.self.StartedAt,
-		StoppedAt:       m.self.StoppedAt,
-		RelayAddress:    m.self.RelayAddress,
-		RegionID:        m.self.RegionID,
-		Hostname:        m.self.Hostname,
-		Version:         m.self.Version,
-		Error:           replicaError,
+		ID:           m.self.ID,
+		UpdatedAt:    dbtime.Now(),
+		StartedAt:    m.self.StartedAt,
+		StoppedAt:    m.self.StoppedAt,
+		RelayAddress: m.self.RelayAddress,
+		RegionID:     m.self.RegionID,
+		Hostname:     m.self.Hostname,
+		Version:      m.self.Version,
+		Error:        replicaError,
 		// #nosec G115 - Safe conversion for microseconds latency which is expected to be within int32 range
 		DatabaseLatency: int32(databaseLatency.Microseconds()),
 		Primary:         m.self.Primary,
@@ -334,14 +334,14 @@ func (m *Manager) syncReplicas(ctx context.Context) error {
 		// self replica has been cleaned up, we must reinsert
 		// nolint:gocritic // Updating a replica is a system function.
 		replica, err = m.db.InsertReplica(dbauthz.AsSystemRestricted(ctx), database.InsertReplicaParams{
-			ID:              m.self.ID,
-			CreatedAt:       dbtime.Now(),
-			UpdatedAt:       dbtime.Now(),
-			StartedAt:       m.self.StartedAt,
-			RelayAddress:    m.self.RelayAddress,
-			RegionID:        m.self.RegionID,
-			Hostname:        m.self.Hostname,
-			Version:         m.self.Version,
+			ID:           m.self.ID,
+			CreatedAt:    dbtime.Now(),
+			UpdatedAt:    dbtime.Now(),
+			StartedAt:    m.self.StartedAt,
+			RelayAddress: m.self.RelayAddress,
+			RegionID:     m.self.RegionID,
+			Hostname:     m.self.Hostname,
+			Version:      m.self.Version,
 			// #nosec G115 - Safe conversion for microseconds latency which is expected to be within int32 range
 			DatabaseLatency: int32(databaseLatency.Microseconds()),
 			Primary:         m.self.Primary,

diff --git a/provisionerd/runner/runner.go b/provisionerd/runner/runner.go
@@ -885,7 +885,7 @@ func (r *Runner) commitQuota(ctx context.Context, resources []*sdkproto.Resource
 	const stage = "Commit quota"
 
 	resp, err := r.quotaCommitter.CommitQuota(ctx, &proto.CommitQuotaRequest{
-		JobId:     r.job.JobId,
+		JobId: r.job.JobId,
 		// #nosec G115 - Safe conversion as cost is expected to be within int32 range for provisioning costs
 		DailyCost: int32(cost),
 	})

diff --git a/tailnet/conn.go b/tailnet/conn.go
@@ -132,6 +132,7 @@ type TelemetrySink interface {
 // NodeID creates a Tailscale NodeID from the last 8 bytes of a UUID. It ensures
 // the returned NodeID is always positive.
 func NodeID(uid uuid.UUID) tailcfg.NodeID {
+	// #nosec G115 - Safe conversion with potential loss of range, but acceptable for node IDs
 	id := int64(binary.BigEndian.Uint64(uid[8:]))
 
 	// ensure id is positive

diff --git a/tailnet/convert.go b/tailnet/convert.go
@@ -31,6 +31,7 @@
 	}
 	derpForcedWebsocket := make(map[int32]string)
 	for i, s := range n.DERPForcedWebsocket {
+		// #nosec G115 - Safe conversion for DERP region IDs which are small positive integers
 		derpForcedWebsocket[int32(i)] = s
 	}
 	addresses := make([]string, len(n.Addresses))
@@ -54,7 +55,7 @@
 		AsOf:                timestamppb.New(n.AsOf),
 		Key:                 k,
 		Disco:               string(disco),
 		PreferredDerp:       int32(n.PreferredDERP),
 		DerpLatency:         n.DERPLatency,
 		DerpForcedWebsocket: derpForcedWebsocket,
 		Addresses:           addresses,
@@ -196,9 +197,9 @@
 		CertName:         node.CertName,
 		Ipv4:             node.IPv4,
 		Ipv6:             node.IPv6,
 		StunPort:         int32(node.STUNPort),
 		StunOnly:         node.STUNOnly,
 		DerpPort:         int32(node.DERPPort),
 		InsecureForTests: node.InsecureForTests,
 		ForceHttp:        node.ForceHTTP,
 		StunTestIp:       node.STUNTestIP,

diff --git a/tailnet/telemetry.go b/tailnet/telemetry.go
@@ -131,6 +131,7 @@ func (b *TelemetryStore) updateRemoteNodeIDLocked(nm *netmap.NetworkMap) {
 	for _, p := range nm.Peers {
 		for _, a := range p.Addresses {
 			if a.Addr() == ip && a.IsSingleIP() {
+				// #nosec G115 - Safe conversion as p.ID is expected to be within uint64 range for node IDs
 				b.nodeIDRemote = uint64(p.ID)
 			}
 		}
@@ -188,6 +189,7 @@ func (b *TelemetryStore) updateByNodeLocked(n *tailcfg.Node) bool {
 	if n == nil {
 		return false
 	}
+	// #nosec G115 - Safe conversion as n.ID is expected to be within uint64 range for node IDs
 	b.nodeIDSelf = uint64(n.ID)
 	derpIP, err := netip.ParseAddrPort(n.DERP)
 	if err != nil {

diff --git a/tailnet/telemetry_internal_test.go b/tailnet/telemetry_internal_test.go
@@ -70,7 +70,9 @@ func TestTelemetryStore(t *testing.T) {
 		e := telemetry.newEvent()
 		// DERPMapToProto already tested
 		require.Equal(t, DERPMapToProto(nm.DERPMap), e.DerpMap)
+		// #nosec G115 - Safe conversion in test code as node IDs are within uint64 range
 		require.Equal(t, uint64(nm.Peers[1].ID), e.NodeIdRemote)
+		// #nosec G115 - Safe conversion in test code as node IDs are within uint64 range
 		require.Equal(t, uint64(nm.SelfNode.ID), e.NodeIdSelf)
 		require.Equal(t, application, e.Application)
 		require.Equal(t, nm.SelfNode.DERP, fmt.Sprintf("127.3.3.40:%d", e.HomeDerp))

diff --git a/vpn/router.go b/vpn/router.go
@@ -45,6 +45,7 @@ func convertRouterConfig(cfg router.Config) *NetworkSettingsRequest {
 			v4SubnetMasks = append(v4SubnetMasks, prefixToSubnetMask(addrs))
 		} else if addrs.Addr().Is6() {
 			v6LocalAddrs = append(v6LocalAddrs, addrs.Addr().String())
+			// #nosec G115 - Safe conversion as IPv6 prefix lengths are always within uint32 range (0-128)
 			v6PrefixLengths = append(v6PrefixLengths, uint32(addrs.Bits()))
 		} else {
 			continue
@@ -95,6 +96,7 @@ func convertRouterConfig(cfg router.Config) *NetworkSettingsRequest {
 	}
 
 	return &NetworkSettingsRequest{
+		// #nosec G115 - Safe conversion as MTU values are expected to be small positive integers
 		Mtu:                 uint32(cfg.NewMTU),
 		Ipv4Settings:        v4Settings,
 		Ipv6Settings:        v6Settings,
@@ -114,6 +116,7 @@ func convertToIPV4Route(route netip.Prefix) *NetworkSettingsRequest_IPv4Settings
 func convertToIPV6Route(route netip.Prefix) *NetworkSettingsRequest_IPv6Settings_IPv6Route {
 	return &NetworkSettingsRequest_IPv6Settings_IPv6Route{
 		Destination:  route.Addr().String(),
+		// #nosec G115 - Safe conversion as prefix lengths are always within uint32 range (0-128)
 		PrefixLength: uint32(route.Bits()),
 		Router:       "", // N/A
 	}

diff --git a/vpn/tunnel.go b/vpn/tunnel.go
@@ -302,6 +302,7 @@ func (t *Tunnel) Sync() {
 
 func sinkEntryToPb(e slog.SinkEntry) *Log {
 	l := &Log{
+		// #nosec G115 - Safe conversion for log levels which are small positive integers
 		Level:       Log_Level(e.Level),
 		Message:     e.Message,
 		LoggerNames: e.LoggerNames,