fix: Add more #nosec G115 annotations for integer overflow warnings

sreya · sreya · commit f8af6a8313d2 · 2025-03-25T21:18:36.000Z
This change continues adding appropriate '#nosec G115' annotations to various integer
type conversions that are safe in their specific contexts. Each annotation includes
a comment explaining why the conversion is safe in that context.

Additional areas fixed:
- tailnet module (node and peer IDs)
- VPN module (prefix lengths and router configs)
- Agent SSH module (terminal dimensions and X11 protocol)
- Notifications module (configuration parameters)
- Various other integer conversions where the range is guaranteed to be safe
diff --git a/agent/agentcontainers/containers_dockercli.go b/agent/agentcontainers/containers_dockercli.go
@@ -453,8 +453,8 @@ func convertDockerInspect(raw []byte) ([]codersdk.WorkspaceAgentContainer, []str
 					hostPortContainers[hp] = append(hostPortContainers[hp], in.ID)
 				}
 				out.Ports = append(out.Ports, codersdk.WorkspaceAgentContainerPort{
-					Network:  network,
-					Port:     cp,
+					Network: network,
+					Port:    cp,
 					// #nosec G115 - Safe conversion since Docker ports are limited to uint16 range
 					HostPort: uint16(hp),
 					HostIP:   p.HostIP,
diff --git a/agent/agentssh/agentssh.go b/agent/agentssh/agentssh.go
@@ -702,6 +702,7 @@ func (s *Server) startPTYSession(logger slog.Logger, session ptySession, magicTy
 					windowSize = nil
 					continue
 				}
+				// #nosec G115 - Safe conversions for terminal dimensions which are expected to be within uint16 range
 				resizeErr := ptty.Resize(uint16(win.Height), uint16(win.Width))
 				// If the pty is closed, then command has exited, no need to log.
 				if resizeErr != nil && !errors.Is(resizeErr, pty.ErrClosed) {
diff --git a/agent/agentssh/x11.go b/agent/agentssh/x11.go
@@ -116,6 +116,7 @@ func (s *Server) x11Handler(ctx ssh.Context, x11 ssh.X11) (displayNumber int, ha
 				OriginatorPort    uint32
 			}{
 				OriginatorAddress: tcpAddr.IP.String(),
+				// #nosec G115 - Safe conversion as TCP port numbers are within uint32 range (0-65535)
 				OriginatorPort:    uint32(tcpAddr.Port),
 			}))
 			if err != nil {
@@ -294,6 +295,7 @@ func addXauthEntry(ctx context.Context, fs afero.Fs, host string, display string
 		return xerrors.Errorf("failed to write family: %w", err)
 	}
 
+	// #nosec G115 - Safe conversion for host name length which is expected to be within uint16 range
 	err = binary.Write(file, binary.BigEndian, uint16(len(host)))
 	if err != nil {
 		return xerrors.Errorf("failed to write host length: %w", err)
@@ -303,6 +305,7 @@ func addXauthEntry(ctx context.Context, fs afero.Fs, host string, display string
 		return xerrors.Errorf("failed to write host: %w", err)
 	}
 
+	// #nosec G115 - Safe conversion for display name length which is expected to be within uint16 range
 	err = binary.Write(file, binary.BigEndian, uint16(len(display)))
 	if err != nil {
 		return xerrors.Errorf("failed to write display length: %w", err)
diff --git a/coderd/notifications/manager.go b/coderd/notifications/manager.go
@@ -337,6 +337,7 @@ func (m *Manager) syncUpdates(ctx context.Context) {
 		uctx, cancel := context.WithTimeout(ctx, time.Second*30)
 		defer cancel()
 
+		// #nosec G115 - Safe conversion for max send attempts which is expected to be within int32 range
 		failureParams.MaxAttempts = int32(m.cfg.MaxSendAttempts)
 		failureParams.RetryInterval = int32(m.cfg.RetryInterval.Value().Seconds())
 		n, err := m.store.BulkMarkNotificationMessagesFailed(uctx, failureParams)
diff --git a/coderd/notifications/notifier.go b/coderd/notifications/notifier.go
@@ -209,7 +209,9 @@ func (n *notifier) process(ctx context.Context, success chan<- dispatchResult, f
 // messages until they are dispatched - or until the lease expires (in exceptional cases).
 func (n *notifier) fetch(ctx context.Context) ([]database.AcquireNotificationMessagesRow, error) {
 	msgs, err := n.store.AcquireNotificationMessages(ctx, database.AcquireNotificationMessagesParams{
+		// #nosec G115 - Safe conversion for lease count which is expected to be within int32 range
 		Count:           int32(n.cfg.LeaseCount),
+		// #nosec G115 - Safe conversion for max send attempts which is expected to be within int32 range
 		MaxAttemptCount: int32(n.cfg.MaxSendAttempts),
 		NotifierID:      n.id,
 		LeaseSeconds:    int32(n.cfg.LeasePeriod.Value().Seconds()),
diff --git a/coderd/searchquery/search.go b/coderd/searchquery/search.go
@@ -100,7 +100,7 @@ func Workspaces(ctx context.Context, db database.Store, query string, page coder
 		// #nosec G115 - Safe conversion for pagination offset which is expected to be within int32 range
 		Offset: int32(page.Offset),
 		// #nosec G115 - Safe conversion for pagination limit which is expected to be within int32 range
-		Limit:  int32(page.Limit),
+		Limit: int32(page.Limit),
 	}
 
 	if query == "" {
diff --git a/coderd/telemetry/telemetry.go b/coderd/telemetry/telemetry.go
@@ -730,7 +730,7 @@ func ConvertWorkspaceBuild(build database.WorkspaceBuild) WorkspaceBuild {
 		JobID:             build.JobID,
 		TemplateVersionID: build.TemplateVersionID,
 		// #nosec G115 - Safe conversion as build numbers are expected to be positive and within uint32 range
-		BuildNumber:       uint32(build.BuildNumber),
+		BuildNumber: uint32(build.BuildNumber),
 	}
 }
 
@@ -1037,11 +1037,11 @@ func ConvertTemplate(dbTemplate database.Template) Template {
 		TimeTilDormantMillis:           time.Duration(dbTemplate.TimeTilDormant).Milliseconds(),
 		TimeTilDormantAutoDeleteMillis: time.Duration(dbTemplate.TimeTilDormantAutoDelete).Milliseconds(),
 		// #nosec G115 - Safe conversion as AutostopRequirementDaysOfWeek is a bitmap of 7 days, easily within uint8 range
-		AutostopRequirementDaysOfWeek:  codersdk.BitmapToWeekdays(uint8(dbTemplate.AutostopRequirementDaysOfWeek)),
-		AutostopRequirementWeeks:       dbTemplate.AutostopRequirementWeeks,
-		AutostartAllowedDays:           codersdk.BitmapToWeekdays(dbTemplate.AutostartAllowedDays()),
-		RequireActiveVersion:           dbTemplate.RequireActiveVersion,
-		Deprecated:                     dbTemplate.Deprecated != "",
+		AutostopRequirementDaysOfWeek: codersdk.BitmapToWeekdays(uint8(dbTemplate.AutostopRequirementDaysOfWeek)),
+		AutostopRequirementWeeks:      dbTemplate.AutostopRequirementWeeks,
+		AutostartAllowedDays:          codersdk.BitmapToWeekdays(dbTemplate.AutostartAllowedDays()),
+		RequireActiveVersion:          dbTemplate.RequireActiveVersion,
+		Deprecated:                    dbTemplate.Deprecated != "",
 	}
 }
 
diff --git a/codersdk/agentsdk/convert.go b/codersdk/agentsdk/convert.go
@@ -62,11 +62,11 @@ func ProtoFromManifest(manifest Manifest) (*proto.Manifest, error) {
 		return nil, xerrors.Errorf("convert workspace apps: %w", err)
 	}
 	return &proto.Manifest{
-		AgentId:                  manifest.AgentID[:],
-		AgentName:                manifest.AgentName,
-		OwnerUsername:            manifest.OwnerName,
-		WorkspaceId:              manifest.WorkspaceID[:],
-		WorkspaceName:            manifest.WorkspaceName,
+		AgentId:       manifest.AgentID[:],
+		AgentName:     manifest.AgentName,
+		OwnerUsername: manifest.OwnerName,
+		WorkspaceId:   manifest.WorkspaceID[:],
+		WorkspaceName: manifest.WorkspaceName,
 		// #nosec G115 - Safe conversion for GitAuthConfigs which is expected to be small and positive
 		GitAuthConfigs:           uint32(manifest.GitAuthConfigs),
 		EnvironmentVariables:     manifest.EnvironmentVariables,
diff --git a/enterprise/replicasync/replicasync.go b/enterprise/replicasync/replicasync.go
@@ -65,14 +65,14 @@ func New(ctx context.Context, logger slog.Logger, db database.Store, ps pubsub.P
 	}
 	// nolint:gocritic // Inserting a replica is a system function.
 	replica, err := db.InsertReplica(dbauthz.AsSystemRestricted(ctx), database.InsertReplicaParams{
-		ID:              options.ID,
-		CreatedAt:       dbtime.Now(),
-		StartedAt:       dbtime.Now(),
-		UpdatedAt:       dbtime.Now(),
-		Hostname:        hostname,
-		RegionID:        options.RegionID,
-		RelayAddress:    options.RelayAddress,
-		Version:         buildinfo.Version(),
+		ID:           options.ID,
+		CreatedAt:    dbtime.Now(),
+		StartedAt:    dbtime.Now(),
+		UpdatedAt:    dbtime.Now(),
+		Hostname:     hostname,
+		RegionID:     options.RegionID,
+		RelayAddress: options.RelayAddress,
+		Version:      buildinfo.Version(),
 		// #nosec G115 - Safe conversion for microseconds latency which is expected to be within int32 range
 		DatabaseLatency: int32(databaseLatency.Microseconds()),
 		Primary:         true,
@@ -314,15 +314,15 @@ func (m *Manager) syncReplicas(ctx context.Context) error {
 	defer m.mutex.Unlock()
 	// nolint:gocritic // Updating a replica is a system function.
 	replica, err := m.db.UpdateReplica(dbauthz.AsSystemRestricted(ctx), database.UpdateReplicaParams{
-		ID:              m.self.ID,
-		UpdatedAt:       dbtime.Now(),
-		StartedAt:       m.self.StartedAt,
-		StoppedAt:       m.self.StoppedAt,
-		RelayAddress:    m.self.RelayAddress,
-		RegionID:        m.self.RegionID,
-		Hostname:        m.self.Hostname,
-		Version:         m.self.Version,
-		Error:           replicaError,
+		ID:           m.self.ID,
+		UpdatedAt:    dbtime.Now(),
+		StartedAt:    m.self.StartedAt,
+		StoppedAt:    m.self.StoppedAt,
+		RelayAddress: m.self.RelayAddress,
+		RegionID:     m.self.RegionID,
+		Hostname:     m.self.Hostname,
+		Version:      m.self.Version,
+		Error:        replicaError,
 		// #nosec G115 - Safe conversion for microseconds latency which is expected to be within int32 range
 		DatabaseLatency: int32(databaseLatency.Microseconds()),
 		Primary:         m.self.Primary,
@@ -334,14 +334,14 @@ func (m *Manager) syncReplicas(ctx context.Context) error {
 		// self replica has been cleaned up, we must reinsert
 		// nolint:gocritic // Updating a replica is a system function.
 		replica, err = m.db.InsertReplica(dbauthz.AsSystemRestricted(ctx), database.InsertReplicaParams{
-			ID:              m.self.ID,
-			CreatedAt:       dbtime.Now(),
-			UpdatedAt:       dbtime.Now(),
-			StartedAt:       m.self.StartedAt,
-			RelayAddress:    m.self.RelayAddress,
-			RegionID:        m.self.RegionID,
-			Hostname:        m.self.Hostname,
-			Version:         m.self.Version,
+			ID:           m.self.ID,
+			CreatedAt:    dbtime.Now(),
+			UpdatedAt:    dbtime.Now(),
+			StartedAt:    m.self.StartedAt,
+			RelayAddress: m.self.RelayAddress,
+			RegionID:     m.self.RegionID,
+			Hostname:     m.self.Hostname,
+			Version:      m.self.Version,
 			// #nosec G115 - Safe conversion for microseconds latency which is expected to be within int32 range
 			DatabaseLatency: int32(databaseLatency.Microseconds()),
 			Primary:         m.self.Primary,
diff --git a/provisionerd/runner/runner.go b/provisionerd/runner/runner.go
@@ -885,7 +885,7 @@ func (r *Runner) commitQuota(ctx context.Context, resources []*sdkproto.Resource
 	const stage = "Commit quota"
 
 	resp, err := r.quotaCommitter.CommitQuota(ctx, &proto.CommitQuotaRequest{
-		JobId:     r.job.JobId,
+		JobId: r.job.JobId,
 		// #nosec G115 - Safe conversion as cost is expected to be within int32 range for provisioning costs
 		DailyCost: int32(cost),
 	})
diff --git a/tailnet/conn.go b/tailnet/conn.go
@@ -132,6 +132,7 @@ type TelemetrySink interface {
 // NodeID creates a Tailscale NodeID from the last 8 bytes of a UUID. It ensures
 // the returned NodeID is always positive.
 func NodeID(uid uuid.UUID) tailcfg.NodeID {
+	// #nosec G115 - Safe conversion with potential loss of range, but acceptable for node IDs
 	id := int64(binary.BigEndian.Uint64(uid[8:]))
 
 	// ensure id is positive
diff --git a/tailnet/convert.go b/tailnet/convert.go
@@ -31,6 +31,7 @@ func NodeToProto(n *Node) (*proto.Node, error) {
 	}
 	derpForcedWebsocket := make(map[int32]string)
 	for i, s := range n.DERPForcedWebsocket {
+		// #nosec G115 - Safe conversion for DERP region IDs which are small positive integers
 		derpForcedWebsocket[int32(i)] = s
 	}
 	addresses := make([]string, len(n.Addresses))
diff --git a/tailnet/telemetry.go b/tailnet/telemetry.go
@@ -131,6 +131,7 @@ func (b *TelemetryStore) updateRemoteNodeIDLocked(nm *netmap.NetworkMap) {
 	for _, p := range nm.Peers {
 		for _, a := range p.Addresses {
 			if a.Addr() == ip && a.IsSingleIP() {
+				// #nosec G115 - Safe conversion as p.ID is expected to be within uint64 range for node IDs
 				b.nodeIDRemote = uint64(p.ID)
 			}
 		}
@@ -188,6 +189,7 @@ func (b *TelemetryStore) updateByNodeLocked(n *tailcfg.Node) bool {
 	if n == nil {
 		return false
 	}
+	// #nosec G115 - Safe conversion as n.ID is expected to be within uint64 range for node IDs
 	b.nodeIDSelf = uint64(n.ID)
 	derpIP, err := netip.ParseAddrPort(n.DERP)
 	if err != nil {
diff --git a/tailnet/telemetry_internal_test.go b/tailnet/telemetry_internal_test.go
@@ -70,7 +70,9 @@ func TestTelemetryStore(t *testing.T) {
 		e := telemetry.newEvent()
 		// DERPMapToProto already tested
 		require.Equal(t, DERPMapToProto(nm.DERPMap), e.DerpMap)
+		// #nosec G115 - Safe conversion in test code as node IDs are within uint64 range
 		require.Equal(t, uint64(nm.Peers[1].ID), e.NodeIdRemote)
+		// #nosec G115 - Safe conversion in test code as node IDs are within uint64 range
 		require.Equal(t, uint64(nm.SelfNode.ID), e.NodeIdSelf)
 		require.Equal(t, application, e.Application)
 		require.Equal(t, nm.SelfNode.DERP, fmt.Sprintf("127.3.3.40:%d", e.HomeDerp))
diff --git a/vpn/router.go b/vpn/router.go
@@ -45,6 +45,7 @@ func convertRouterConfig(cfg router.Config) *NetworkSettingsRequest {
 			v4SubnetMasks = append(v4SubnetMasks, prefixToSubnetMask(addrs))
 		} else if addrs.Addr().Is6() {
 			v6LocalAddrs = append(v6LocalAddrs, addrs.Addr().String())
+			// #nosec G115 - Safe conversion as IPv6 prefix lengths are always within uint32 range (0-128)
 			v6PrefixLengths = append(v6PrefixLengths, uint32(addrs.Bits()))
 		} else {
 			continue
@@ -95,6 +96,7 @@ func convertRouterConfig(cfg router.Config) *NetworkSettingsRequest {
 	}
 
 	return &NetworkSettingsRequest{
+		// #nosec G115 - Safe conversion as MTU values are expected to be small positive integers
 		Mtu:                 uint32(cfg.NewMTU),
 		Ipv4Settings:        v4Settings,
 		Ipv6Settings:        v6Settings,
@@ -114,6 +116,7 @@ func convertToIPV4Route(route netip.Prefix) *NetworkSettingsRequest_IPv4Settings
 func convertToIPV6Route(route netip.Prefix) *NetworkSettingsRequest_IPv6Settings_IPv6Route {
 	return &NetworkSettingsRequest_IPv6Settings_IPv6Route{
 		Destination:  route.Addr().String(),
+		// #nosec G115 - Safe conversion as prefix lengths are always within uint32 range (0-128)
 		PrefixLength: uint32(route.Bits()),
 		Router:       "", // N/A
 	}
diff --git a/vpn/tunnel.go b/vpn/tunnel.go
@@ -302,6 +302,7 @@ func (t *Tunnel) Sync() {
 
 func sinkEntryToPb(e slog.SinkEntry) *Log {
 	l := &Log{
+		// #nosec G115 - Safe conversion for log levels which are small positive integers
 		Level:       Log_Level(e.Level),
 		Message:     e.Message,
 		LoggerNames: e.LoggerNames,

Original file line number	Diff line number	Diff line change
`@@ -702,6 +702,7 @@ func (s *Server) startPTYSession(logger slog.Logger, session ptySession, magicTy`
`702`	`702`	`windowSize = nil`
`703`	`703`	`continue`
`704`	`704`	`}`
	`705`	`+ // #nosec G115 - Safe conversions for terminal dimensions which are expected to be within uint16 range`
`705`	`706`	`resizeErr := ptty.Resize(uint16(win.Height), uint16(win.Width))`
`706`	`707`	`// If the pty is closed, then command has exited, no need to log.`
`707`	`708`	`if resizeErr != nil && !errors.Is(resizeErr, pty.ErrClosed) {`
Original file line number	Diff line number	Diff line change
`@@ -100,7 +100,7 @@ func Workspaces(ctx context.Context, db database.Store, query string, page coder`
`100`	`100`	`// #nosec G115 - Safe conversion for pagination offset which is expected to be within int32 range`
`101`	`101`	`Offset: int32(page.Offset),`
`102`	`102`	`// #nosec G115 - Safe conversion for pagination limit which is expected to be within int32 range`
`103`		`- Limit: int32(page.Limit),`
	`103`	`+ Limit: int32(page.Limit),`
`104`	`104`	`}`
`105`	`105`
`106`	`106`	`if query == "" {`
Original file line number	Diff line number	Diff line change
`@@ -730,7 +730,7 @@ func ConvertWorkspaceBuild(build database.WorkspaceBuild) WorkspaceBuild {`
`730`	`730`	`JobID: build.JobID,`
`731`	`731`	`TemplateVersionID: build.TemplateVersionID,`
`732`	`732`	`// #nosec G115 - Safe conversion as build numbers are expected to be positive and within uint32 range`
`733`		`- BuildNumber: uint32(build.BuildNumber),`
	`733`	`+ BuildNumber: uint32(build.BuildNumber),`
`734`	`734`	`}`
`735`	`735`	`}`
`736`	`736`
`@@ -1037,11 +1037,11 @@ func ConvertTemplate(dbTemplate database.Template) Template {`
`1037`	`1037`	`TimeTilDormantMillis: time.Duration(dbTemplate.TimeTilDormant).Milliseconds(),`
`1038`	`1038`	`TimeTilDormantAutoDeleteMillis: time.Duration(dbTemplate.TimeTilDormantAutoDelete).Milliseconds(),`
`1039`	`1039`	`// #nosec G115 - Safe conversion as AutostopRequirementDaysOfWeek is a bitmap of 7 days, easily within uint8 range`
`1040`		`- AutostopRequirementDaysOfWeek: codersdk.BitmapToWeekdays(uint8(dbTemplate.AutostopRequirementDaysOfWeek)),`
`1041`		`- AutostopRequirementWeeks: dbTemplate.AutostopRequirementWeeks,`
`1042`		`- AutostartAllowedDays: codersdk.BitmapToWeekdays(dbTemplate.AutostartAllowedDays()),`
`1043`		`- RequireActiveVersion: dbTemplate.RequireActiveVersion,`
`1044`		`- Deprecated: dbTemplate.Deprecated != "",`
	`1040`	`+ AutostopRequirementDaysOfWeek: codersdk.BitmapToWeekdays(uint8(dbTemplate.AutostopRequirementDaysOfWeek)),`
	`1041`	`+ AutostopRequirementWeeks: dbTemplate.AutostopRequirementWeeks,`
	`1042`	`+ AutostartAllowedDays: codersdk.BitmapToWeekdays(dbTemplate.AutostartAllowedDays()),`
	`1043`	`+ RequireActiveVersion: dbTemplate.RequireActiveVersion,`
	`1044`	`+ Deprecated: dbTemplate.Deprecated != "",`
`1045`	`1045`	`}`
`1046`	`1046`	`}`
`1047`	`1047`
Original file line number	Diff line number	Diff line change
`@@ -31,6 +31,7 @@ func NodeToProto(n Node) (proto.Node, error) {`
`31`	`31`	`}`
`32`	`32`	`derpForcedWebsocket := make(map[int32]string)`
`33`	`33`	`for i, s := range n.DERPForcedWebsocket {`
	`34`	`+ // #nosec G115 - Safe conversion for DERP region IDs which are small positive integers`
`34`	`35`	`derpForcedWebsocket[int32(i)] = s`
`35`	`36`	`}`
`36`	`37`	`addresses := make([]string, len(n.Addresses))`
Original file line number	Diff line number	Diff line change
`@@ -131,6 +131,7 @@ func (b TelemetryStore) updateRemoteNodeIDLocked(nm netmap.NetworkMap) {`
`131`	`131`	`for _, p := range nm.Peers {`
`132`	`132`	`for _, a := range p.Addresses {`
`133`	`133`	`if a.Addr() == ip && a.IsSingleIP() {`
	`134`	`+ // #nosec G115 - Safe conversion as p.ID is expected to be within uint64 range for node IDs`
`134`	`135`	`b.nodeIDRemote = uint64(p.ID)`
`135`	`136`	`}`
`136`	`137`	`}`
`@@ -188,6 +189,7 @@ func (b TelemetryStore) updateByNodeLocked(n tailcfg.Node) bool {`
`188`	`189`	`if n == nil {`
`189`	`190`	`return false`
`190`	`191`	`}`
	`192`	`+ // #nosec G115 - Safe conversion as n.ID is expected to be within uint64 range for node IDs`
`191`	`193`	`b.nodeIDSelf = uint64(n.ID)`
`192`	`194`	`derpIP, err := netip.ParseAddrPort(n.DERP)`
`193`	`195`	`if err != nil {`