Skip to content

No-op / Unused Return Value Checks #26553

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
4 tasks done
JonathanWilbur opened this issue Aug 20, 2018 · 2 comments
Closed
4 tasks done

No-op / Unused Return Value Checks #26553

JonathanWilbur opened this issue Aug 20, 2018 · 2 comments
Labels
Duplicate An existing issue was already created

Comments

@JonathanWilbur
Copy link

Search Terms

noop
no-op

Suggestion

Generate warnings when the return value of a function or method is not used.

Use Cases

To prevent security vulnerabilities like CVE-2009-0846:

The asn1_decode_generaltime function in lib/krb5/asn.1/asn1_decode.c in
the ASN.1 GeneralizedTime decoder in MIT Kerberos 5 (aka krb5) before 1.6.4
allows remote attackers to cause a denial of service (daemon crash) or
possibly execute arbitrary code via vectors involving an invalid DER encoding
that triggers a free of an uninitialized pointer.

This bug was only caused by nothing being done with the return value of
asn1buf_remove_charstring. So when the program encountered a problem
decoding the ASN.1 element, the code would continue even though the
output buffer, s, was never actually initialized. The second line
below was added in version 1.6.4, which fixed this bug.

retval = asn1buf_remove_charstring(buf,15,&s);
if (retval) return retval;

Giving developers warnings about unused return values would be a cheap way to mitigate these vulnerabilities.

Examples

This code:

const SUCCESS = 0;
const ENEGMON = -1;
function depositMoney (amount : number) {
    if (amount < 0) return ENEGMON;
    // Modify something else somewhere
    return SUCCESS;
}

depositMoney(-50);

Would display a compiler warning that could look like:

TS12345: file.ts (12,34): WARNING: The return value of `depositMoney` is unused. Ensure this is not a security vulnerability and/or compile with the `--no-noop-check` flag.

Checklist

My suggestion meets these guidelines:

  • This wouldn't be a breaking change in existing TypeScript / JavaScript code
  • This wouldn't change the runtime behavior of existing JavaScript code
  • This could be implemented without emitting different JS based on the types of the expressions
  • This isn't a runtime feature (e.g. new expression-level syntax)
@RyanCavanaugh RyanCavanaugh added the Duplicate An existing issue was already created label Aug 20, 2018
@RyanCavanaugh
Copy link
Member

See #8240, #8615, #8584, #7770, #17282

@typescript-bot
Copy link
Collaborator

This issue has been marked as a 'Duplicate' and has seen no recent activity. It has been automatically closed for house-keeping purposes.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Duplicate An existing issue was already created
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@RyanCavanaugh @JonathanWilbur @typescript-bot