CS.WRONG.CAST
This warning is reported when an object is cast to another type in a way that can lose data or cause the program to fail.
Vulnerability and risk
Either data may be lost, or the program may fail. This can happen when a program tries to access a nonexistent class field after a cast.
Example
public class Object1 : Object2 {
    public int a;
}
public class Object2 {
    public int a;
}
public class ClassCastTests {
    public void foo() {
        Object1 o1;
        Object2 o2 = new Object2();
        o1 = (Object1)o2; // invalid downcast: o2 is not an Object1
    }
}
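Object o1 of class Object1 and object o2 of class Object2 are declared on lines 9-10. Then, on line 11, Object2 is cast to Object1, which is invalid: o2 refers to an instance of the base class Object2, not of the derived class Object1, so the downcast fails at run time with an InvalidCastException.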
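The following is an added example, not part of the original checker documentation. It sets the unchecked downcast beside two checked forms. The field b and the names SafeCastDemo and TryReadB are assumptions introduced for illustration.

```csharp
using System;

public class Object2 {
    public int a;
}

public class Object1 : Object2 {
    public int b;   // assumed extra field that exists only on the derived class
}

public static class SafeCastDemo {
    // Hypothetical helper: returns true and the derived-only field
    // only when o really is an Object1 at run time.
    public static bool TryReadB(Object2 o, out int b) {
        if (o is Object1 derived) {   // type test and cast in one step
            b = derived.b;
            return true;
        }
        b = 0;
        return false;
    }

    public static void Main() {
        Object2 plainBase = new Object2();                     // constructed sample
        Object2 reallyDerived = new Object1 { a = 1, b = 2 };  // constructed sample

        // The flagged pattern: an unchecked downcast of a base-class instance.
        try {
            Object1 o1 = (Object1)plainBase;
            Console.WriteLine(o1.b);
        } catch (InvalidCastException e) {
            Console.WriteLine("unchecked cast failed: " + e.Message);
        }

        // Checked form: the caller gets a result instead of an exception.
        Console.WriteLine(TryReadB(plainBase, out int x) ? x.ToString() : "not an Object1");
        Console.WriteLine(TryReadB(reallyDerived, out int y) ? y.ToString() : "not an Object1");

        // 'as' yields null instead of throwing, so the null check is mandatory.
        var viaAs = plainBase as Object1;
        Console.WriteLine(viaAs == null ? "as returned null" : viaAs.b.ToString());
    }
}
```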
External guidance
Security training
Application security training materials provided by Secure Code Warrior.