CS.WRONG.CAST

This warning is reported in situations when one object is cast to another object with the possibility of lost data or even program failure.

Vulnerability and risk

Either data may be lost, or the program may fail. This can happen when a program tries to access a nonexistent class field after a cast.

Example

Copy

1
2
3
4
5
6
7
8
9
10
11
12
13
public class Base {
  public int b;
}
public class Derived : Base {
  public int a;
}
public class ClassCastTests {
  public void foo() {
    Derived d;
    Base b = new Base();
    d = (Derived)b;
  }
}

Object o1 of class Object1 and object o2 of class Object2 are declared on lines 9-10. Then, on line 11, Object2 is cast to Object1, which is invalid.

External guidance

CWE-704: Incorrect Type Conversion or Cast

Security training

Application security training materials provided by Secure Code Warrior.

Type Confusion Training Video - Test your skills with a training example