go-safecast

Library for safe type conversion in Go.

What is this

The type of int equals int64 on 64-bit machine in Go.
When you convert int(int64) to int32, int8 or int6, Your code could have Integer Overflow vulnerability.

In 2019, Kubernetes had the vulnerability. and the vulnerability was found on Security Audit Project by Trail of Bits.
You can use this library to prevent the vulnerability creation.

(This library is inspired by Kubernetes's Security Audit Report by Trail of Bits)

Usage

import "github.com/rung/go-safecast"

Convert int to int32 (instead of native int32() type conversion)

	i := 2147483647
	i32, err := safecast.Int32(i) // convert int to int32 in a safe way
	if err != nil {
		return err
	}

The function returns error when the value is out of the 32-bit range.
This library also has safecast.Int16 and safecast.Int8. You can use the functions in the same way as safecast.Int32

Convert string to int32 (instead of strconv.Atoi())

	s := "2147483647"
	i, err := safecast.Atoi32(s) // convert string to int32 in a safe way
	if err != nil {
		return err
	}

The function returns error when the value is out of the 32-bit range.
This library also has safecast.Atoi16 and safecast.Atoi8. You can use the functions in the same way as safecast.Atoi32

What happens when overflows

Range of each integer

int32 (32bit signed integer) int16 (16bit signed integer) int8 (8bit signed integer)
Range From -2,147,483,648 to 2,147,483,647 From -32,768 to 32,767 From -128 to 127

When using native int32(), the code causes overflows

native-int32
Native int32() type conversion doesn't return error when the code cause integer overflow.

Link: Go Playground


When using safecast.Int32() on this library, your code is safe

go-safecast-1
This library returns error when the value is out of the 32-bit range.
So you can convert integer in a safe way.

Link: Go Playground

GitHub