chore: codeql changes (#20091)

tac0turtle · web-flow · commit 13cf11aa9281 · 2024-04-20T14:23:39.000Z
diff --git a/.github/codeql/config.yml b/.github/codeql/config.yml
@@ -0,0 +1,11 @@
+packs:
+  - crypto-com/cosmos-sdk-codeql
+queries:
+  - uses: security-and-quality
+  - uses: security-experimental
+  - uses: security-extended
+paths-ignore:
+  - api
+  - '**/*_test.go'
+  - '**/*.pulsar.go'
+  - '**/*.pb.gp'
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -32,8 +32,8 @@ jobs:
         uses: github/codeql-action/init@v3
         with:
           languages: "go"
-          queries: +security-and-quality,github/codeql/go/ql/src/experimental/InconsistentCode/DeferInLoop.ql@main,github/codeql/go/ql/src/experimental/Unsafe/WrongUsageOfUnsafe.ql@main,github/codeql/go/ql/src/experimental/CWE-369/DivideByZero.ql@main
-          packs: +crypto-com/cosmos-sdk-codeql
+          config-file: ./.github/codeql/config.yml
+          
           # If you wish to specify custom queries, you can do so here or in a config file.
           # By default, queries listed here will override any specified in a config file.
           # Prefix the list here with "+" to use these queries and those in the config file.
diff --git a/crypto/keys/bcrypt/bcrypt.go b/crypto/keys/bcrypt/bcrypt.go
@@ -268,15 +268,15 @@ func (p *hashed) decodeVersion(sbytes []byte) (int, error) {
 
 // decodeCost sbytes should begin where decodeVersion left off.
 func (p *hashed) decodeCost(sbytes []byte) (int, error) {
-	cost, err := strconv.Atoi(string(sbytes[0:2]))
+	cost, err := strconv.ParseUint(string(sbytes[0:2]), 10, 32)
 	if err != nil {
 		return -1, err
 	}
-	err = checkCost(uint32(cost))
+	err = checkCost(uint64to32(cost))
 	if err != nil {
 		return -1, err
 	}
-	p.cost = uint32(cost)
+	p.cost = uint64to32(cost)
 	return 3, nil
 }
 
@@ -290,3 +290,13 @@ func checkCost(cost uint32) error {
 	}
 	return nil
 }
+
+// uint64to32 converts a uint64 value to a uint32 value.
+// If the input value is greater than 0xFFFFFFFF, it returns 0xFFFFFFFF.
+// Otherwise, it returns the input value converted to uint32.
+func uint64to32(u uint64) uint32 {
+	if u > 0xFFFFFFFF {
+		return 0xFFFFFFFF
+	}
+	return uint32(u)
+}
diff --git a/store/db/db.go b/store/db/db.go
@@ -10,9 +10,9 @@ type RawDBType string
 
 const (
 	DBTypeGoLevelDB RawDBType = "goleveldb"
-	DBTypeRocksDB             = "rocksdb"
-	DBTypePebbleDB            = "pebbledb"
-	DBTypePrefixDB            = "prefixdb"
+	DBTypeRocksDB   RawDBType = "rocksdb"
+	DBTypePebbleDB  RawDBType = "pebbledb"
+	DBTypePrefixDB  RawDBType = "prefixdb"
 
 	DBFileSuffix string = ".db"
 )
diff --git a/store/db/rocksdb_noflag.go b/store/db/rocksdb_noflag.go
@@ -50,39 +50,3 @@ func (db *RocksDB) NewBatch() store.RawBatch {
 func (db *RocksDB) NewBatchWithSize(_ int) store.RawBatch {
 	return db.NewBatch()
 }
-
-var _ corestore.Iterator = (*rocksDBIterator)(nil)
-
-type rocksDBIterator struct{}
-
-func (itr *rocksDBIterator) Domain() (start, end []byte) {
-	panic("rocksdb must be built with -tags rocksdb")
-}
-
-func (itr *rocksDBIterator) Valid() bool {
-	panic("rocksdb must be built with -tags rocksdb")
-}
-
-func (itr *rocksDBIterator) Key() []byte {
-	panic("rocksdb must be built with -tags rocksdb")
-}
-
-func (itr *rocksDBIterator) Value() []byte {
-	panic("rocksdb must be built with -tags rocksdb")
-}
-
-func (itr *rocksDBIterator) Next() {
-	panic("rocksdb must be built with -tags rocksdb")
-}
-
-func (itr *rocksDBIterator) Error() error {
-	panic("rocksdb must be built with -tags rocksdb")
-}
-
-func (itr *rocksDBIterator) Close() error {
-	panic("rocksdb must be built with -tags rocksdb")
-}
-
-func (itr *rocksDBIterator) assertIsValid() {
-	panic("rocksdb must be built with -tags rocksdb")
-}
