Codekhana

builtin/repack.c

3 issues

chmod - This accepts filename arguments; if an attacker can move those files, a race condition results.

Security

Line: 663 Column: 6 CWE codes: 362
Suggestion: Use fchmod( ) instead

              				struct stat statbuffer;
				if (!stat(fname_old, &statbuffer)) {
					statbuffer.st_mode &= ~(S_IWUSR | S_IWGRP | S_IWOTH);
					chmod(fname_old, statbuffer.st_mode);
				}

				if (rename(fname_old, fname))
					die_errno(_("renaming '%s' failed"), fname_old);
			} else if (!exts[ext].optional)

Reported by FlawFinder.

strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)

Security

Line: 73 Column: 11 CWE codes: 126

              		return;

	/* Point at the slash at the end of ".../objects/pack/" */
	dirlen = strlen(packdir) + 1;
	strbuf_addstr(&buf, packtmp);
	/* Hold the length of  ".tmp-%d-pack-" */
	prefixlen = buf.len - dirlen;

	while ((e = readdir(dir))) {

Reported by FlawFinder.

strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)

Security

Line: 687 Column: 17 CWE codes: 126

              		string_list_sort(&names);
		for_each_string_list_item(item, &existing_packs) {
			char *sha1;
			size_t len = strlen(item->string);
			if (len < hexsz)
				continue;
			sha1 = item->string + len - hexsz;
			if (!string_list_has_string(&names, sha1))
				remove_redundant_pack(packdir, item->string);

Reported by FlawFinder.

wt-status.h

3 issues

printf - If format strings can be influenced by an attacker, they can be exploited

Security

Line: 169 Column: 24 CWE codes: 134
Suggestion: Use a constant for the format specification

              int wt_status_check_bisect(const struct worktree *wt,
			   struct wt_status_state *state);

__attribute__((format (printf, 3, 4)))
void status_printf_ln(struct wt_status *s, const char *color, const char *fmt, ...);
__attribute__((format (printf, 3, 4)))
void status_printf(struct wt_status *s, const char *color, const char *fmt, ...);

/* The following functions expect that the caller took care of reading the index. */

Reported by FlawFinder.

printf - If format strings can be influenced by an attacker, they can be exploited

Security

Line: 171 Column: 24 CWE codes: 134
Suggestion: Use a constant for the format specification

              
__attribute__((format (printf, 3, 4)))
void status_printf_ln(struct wt_status *s, const char *color, const char *fmt, ...);
__attribute__((format (printf, 3, 4)))
void status_printf(struct wt_status *s, const char *color, const char *fmt, ...);

/* The following functions expect that the caller took care of reading the index. */
int has_unstaged_changes(struct repository *repo,
			 int ignore_submodules);

Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues

Security

Line: 120 Column: 2 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

              	enum show_ignored_type show_ignored_mode;
	enum untracked_status_type show_untracked_files;
	const char *ignore_submodule_arg;
	char color_palette[WT_STATUS_MAXSLOT][COLOR_MAXLEN];
	unsigned colopts;
	int null_termination;
	int commit_template;
	int show_branch;
	int show_stash;

Reported by FlawFinder.

copy.c

3 issues

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues

Security

Line: 6 Column: 3 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

              int copy_fd(int ifd, int ofd)
{
	while (1) {
		char buffer[8192];
		ssize_t len = xread(ifd, buffer, sizeof(buffer));
		if (!len)
			break;
		if (len < 0)
			return COPY_READ_ERROR;

Reported by FlawFinder.

open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?

Security

Line: 36 Column: 13 CWE codes: 362

              	int fdi, fdo, status;

	mode = (mode & 0111) ? 0777 : 0666;
	if ((fdi = open(src, O_RDONLY)) < 0)
		return fdi;
	if ((fdo = open(dst, O_WRONLY | O_CREAT | O_EXCL, mode)) < 0) {
		close(fdi);
		return fdo;
	}

Reported by FlawFinder.

open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?

Security

Line: 38 Column: 13 CWE codes: 362

              	mode = (mode & 0111) ? 0777 : 0666;
	if ((fdi = open(src, O_RDONLY)) < 0)
		return fdi;
	if ((fdo = open(dst, O_WRONLY | O_CREAT | O_EXCL, mode)) < 0) {
		close(fdi);
		return fdo;
	}
	status = copy_fd(fdi, fdo);
	switch (status) {

Reported by FlawFinder.

sparse-index.c

3 issues

memcpy - Does not check for buffer overflows when copying to destination

Security

Line: 245 Column: 2 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

              
	/* initialize basics of new index */
	full = xcalloc(1, sizeof(struct index_state));
	memcpy(full, istate, sizeof(struct index_state));

	/* then change the necessary things */
	full->sparse_index = 0;
	full->cache_alloc = (3 * istate->cache_alloc) / 2;
	full->cache_nr = 0;

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination

Security

Line: 285 Column: 2 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

              	}

	/* Copy back into original index. */
	memcpy(&istate->name_hash, &full->name_hash, sizeof(full->name_hash));
	istate->sparse_index = 0;
	free(istate->cache);
	istate->cache = full->cache;
	istate->cache_nr = full->cache_nr;
	istate->cache_alloc = full->cache_alloc;

Reported by FlawFinder.

strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)

Security

Line: 275 Column: 31 CWE codes: 126

              		ps.max_depth = -1;

		strbuf_setlen(&base, 0);
		strbuf_add(&base, ce->name, strlen(ce->name));

		read_tree_at(istate->repo, tree, &base, &ps,
			     add_path_to_index, full);

		/* free directory entries. full entries are re-used */

Reported by FlawFinder.

name-hash.c

3 issues

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues

Security

Line: 18 Column: 2 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

              	struct dir_entry *parent;
	int nr;
	unsigned int namelen;
	char name[FLEX_ARRAY];
};

static int dir_entry_cmp(const void *unused_cmp_data,
			 const struct hashmap_entry *eptr,
			 const struct hashmap_entry *entry_or_key,

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination

Security

Line: 708 Column: 5 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

              
			dir = find_dir_entry(istate, name, ptr - name);
			if (dir) {
				memcpy((void *)startPtr, dir->name + (startPtr - name), ptr - startPtr);
				startPtr = ptr + 1;
			}
			ptr++;
		}
	}

Reported by FlawFinder.

strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)

Security

Line: 698 Column: 31 CWE codes: 126

              	const char *ptr = startPtr;

	lazy_init_name_hash(istate);
	expand_to_path(istate, name, strlen(name), 0);
	while (*ptr) {
		while (*ptr && *ptr != '/')
			ptr++;

		if (*ptr == '/') {

Reported by FlawFinder.

compat/snprintf.c

3 issues

vsnprintf - If format strings can be influenced by an attacker, they can be exploited, and note that sprintf variations do not always \0-terminate

Security

Line: 19 Column: 8 CWE codes: 134
Suggestion: Use a constant for the format specification

              #endif
#endif

#undef vsnprintf
int git_vsnprintf(char *str, size_t maxsize, const char *format, va_list ap)
{
	va_list cp;
	char *s;
	int ret = -1;

Reported by FlawFinder.

vsnprintf - If format strings can be influenced by an attacker, they can be exploited, and note that sprintf variations do not always \0-terminate

Security

Line: 28 Column: 9 CWE codes: 134
Suggestion: Use a constant for the format specification

              
	if (maxsize > 0) {
		va_copy(cp, ap);
		ret = vsnprintf(str, maxsize-SNPRINTF_SIZE_CORR, format, cp);
		va_end(cp);
		if (ret == maxsize-1)
			ret = -1;
		/* Windows does not NUL-terminate if result fills buffer */
		str[maxsize-1] = 0;

Reported by FlawFinder.

vsnprintf - If format strings can be influenced by an attacker, they can be exploited, and note that sprintf variations do not always \0-terminate

Security

Line: 49 Column: 9 CWE codes: 134
Suggestion: Use a constant for the format specification

              			break;
		s = str;
		va_copy(cp, ap);
		ret = vsnprintf(str, maxsize-SNPRINTF_SIZE_CORR, format, cp);
		va_end(cp);
		if (ret == maxsize-1)
			ret = -1;
	}
	free(s);

Reported by FlawFinder.

strmap.c

3 issues

memcpy - Does not check for buffer overflows when copying to destination

Security

Line: 29 Column: 2 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

              void strmap_init(struct strmap *map)
{
	struct strmap blank = STRMAP_INIT;
	memcpy(map, &blank, sizeof(*map));
}

void strmap_init_with_options(struct strmap *map,
			      struct mem_pool *pool,
			      int strdup_strings)

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination

Security

Line: 93 Column: 4 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

              			size_t len = st_add(strlen(str), 1); /* include NUL */
			entry = mem_pool_alloc(map->pool,
					       st_add(sizeof(*entry), len));
			memcpy(entry + 1, str, len);
			entry->key = (void *)(entry + 1);
		}
	} else if (!map->pool) {
		entry = xmalloc(sizeof(*entry));
	} else {

Reported by FlawFinder.

strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)

Security

Line: 90 Column: 24 CWE codes: 126

              		if (!map->pool) {
			FLEXPTR_ALLOC_STR(entry, key, str);
		} else {
			size_t len = st_add(strlen(str), 1); /* include NUL */
			entry = mem_pool_alloc(map->pool,
					       st_add(sizeof(*entry), len));
			memcpy(entry + 1, str, len);
			entry->key = (void *)(entry + 1);
		}

Reported by FlawFinder.

write-or-die.c

3 issues

vfprintf - If format strings can be influenced by an attacker, they can be exploited

Security

Line: 49 Column: 8 CWE codes: 134
Suggestion: Use a constant for the format specification

              	int ret;

	va_start(ap, fmt);
	ret = vfprintf(f, fmt, ap);
	va_end(ap);

	if (ret < 0) {
		check_pipe(errno);
		die_errno("write error");

Reported by FlawFinder.

getenv - Environment variables are untrustable input if they can be set by an attacker. They can have any content and length, and the same variable can be set more than once

Security

Line: 25 Column: 9 CWE codes: 807 20
Suggestion: Check environment variables carefully before using them

              
	if (f == stdout) {
		if (skip_stdout_flush < 0) {
			cp = getenv("GIT_FLUSH");
			if (cp)
				skip_stdout_flush = (atoi(cp) == 0);
			else if ((fstat(fileno(stdout), &st) == 0) &&
				 S_ISREG(st.st_mode))
				skip_stdout_flush = 1;

Reported by FlawFinder.

atoi - Unless checked, the resulting number can exceed the expected range

Security

Line: 27 Column: 26 CWE codes: 190
Suggestion: If source untrusted, check both minimum and maximum, even if the input had no minus sign (large numbers can roll over into negative number; consider saving to an unsigned value if that is intended)

              		if (skip_stdout_flush < 0) {
			cp = getenv("GIT_FLUSH");
			if (cp)
				skip_stdout_flush = (atoi(cp) == 0);
			else if ((fstat(fileno(stdout), &st) == 0) &&
				 S_ISREG(st.st_mode))
				skip_stdout_flush = 1;
			else
				skip_stdout_flush = 0;

Reported by FlawFinder.

trace2/tr2_cfg.c

3 issues

getenv - Environment variables are untrustable input if they can be set by an attacker. They can have any content and length, and the same variable can be set more than once

Security

Line: 134 Column: 21 CWE codes: 807 20
Suggestion: Check environment variables carefully before using them

              
	for (s = tr2_cfg_env_vars; *s; s++) {
		struct strbuf *buf = *s;
		const char *val = getenv(buf->buf);
		if (val && *val)
			trace2_def_param_fl(file, line, buf->buf, val);
	}
}

Reported by FlawFinder.

strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)

Security

Line: 31 Column: 46 CWE codes: 126

              	if (!envvar || !*envvar)
		return tr2_cfg_count_patterns;

	tr2_cfg_patterns = strbuf_split_buf(envvar, strlen(envvar), ',', -1);
	for (s = tr2_cfg_patterns; *s; s++) {
		struct strbuf *buf = *s;

		if (buf->len && buf->buf[buf->len - 1] == ',')
			strbuf_setlen(buf, buf->len - 1);

Reported by FlawFinder.

strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)

Security

Line: 70 Column: 47 CWE codes: 126

              	if (!varlist || !*varlist)
		return tr2_cfg_env_vars_count;

	tr2_cfg_env_vars = strbuf_split_buf(varlist, strlen(varlist), ',', -1);
	for (s = tr2_cfg_env_vars; *s; s++) {
		struct strbuf *buf = *s;

		if (buf->len && buf->buf[buf->len - 1] == ',')
			strbuf_setlen(buf, buf->len - 1);

Reported by FlawFinder.

diff-lib.c

3 issues

memcpy - Does not check for buffer overflows when copying to destination

Security

Line: 134 Column: 4 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

              			dpath->path = (char *) &(dpath->parent[5]);

			dpath->next = NULL;
			memcpy(dpath->path, ce->name, path_len);
			dpath->path[path_len] = '\0';
			oidclr(&dpath->oid);
			memset(&(dpath->parent[0]), 0,
			       sizeof(struct combine_diff_parent)*5);

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination

Security

Line: 386 Column: 3 CWE codes: 120
Suggestion: Make sure destination can always hold the source data

              		p = xmalloc(combine_diff_path_size(2, pathlen));
		p->path = (char *) &p->parent[2];
		p->next = NULL;
		memcpy(p->path, new_entry->name, pathlen);
		p->path[pathlen] = 0;
		p->mode = mode;
		oidclr(&p->oid);
		memset(p->parent, 0, 2 * sizeof(struct combine_diff_parent));
		p->parent[0].status = DIFF_STATUS_MODIFIED;

Reported by FlawFinder.

char - Statically-sized arrays can be improperly restricted, leading to potential overflows or other issues

Security

Line: 599 Column: 2 CWE codes: 119 120
Suggestion: Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length

              	int merge_base = !!(option & DIFF_INDEX_MERGE_BASE);
	struct object_id oid;
	const char *name;
	char merge_base_hex[GIT_MAX_HEXSZ + 1];
	struct index_state *istate = revs->diffopt.repo->index;

	if (revs->pending.nr != 1)
		BUG("run_diff_index must be passed exactly one tree");

Reported by FlawFinder.

Modal title

The following issues were found

builtin/repack.c

3 issues

wt-status.h

3 issues

copy.c

3 issues

sparse-index.c

3 issues

name-hash.c

3 issues

compat/snprintf.c

3 issues

strmap.c

3 issues

write-or-die.c

3 issues

trace2/tr2_cfg.c

3 issues

diff-lib.c

3 issues