Metadata

ID: go-security/avoid-rat-setstring

Language: Go

Severity: Warning

Category: Security

CWE: 109

Description

Do not use the function SetString from big.Rat as it as a potential overflow in some Go versions. Even if your current Go runtime is not vulnerable to this issue, your code may be used by runtime that are. We recommend avoiding the function SetString from the math/big package for this reason.

Learn More

Non-Compliant Code Examples

package main

import (
	"math/big"
	"fmt"
)

func main() {
	var r = big.Rat{}
	r.SetString("13e-9223372036854775808")

	fmt.Println(r)
}
package main

import (
	"math/big"
	"fmt"
)

func anotherFunction() {
	r = big.Rat{}
	fmt.Println(r)
	r.SetString("13e-9223372036854775808")

	fmt.Println(r)
}

func anotherFunction2() {
	var r big.Rat
	fmt.Println(r)
	r.SetString("13e-9223372036854775808")

	fmt.Println(r)
}

func main() {
	var r = big.Rat{}
	r.SetString("13e-9223372036854775808")

	fmt.Println(r)
}
package main

import (
	"math/big"
	"fmt"
)

func main() {
	r := big.Rat{}
	r.SetString("13e-9223372036854775808")

	fmt.Println(r)
}

Compliant Code Examples

package main

import (
	"math/big"
	"fmt"
)

func main() {
	r := big.NewRat(10, 3)

	fmt.Println(r)
}