The following issues were found
buildscripts/resmokelib/hang_analyzer/process.py
3 issues
Line: 6
Suggestion:
https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b404-import-subprocess
import logging
import os
import signal
import subprocess
import sys
import time
from distutils import spawn # pylint: disable=no-name-in-module
from datetime import datetime
Reported by Bandit.
Line: 30
Suggestion:
https://bandit.readthedocs.io/en/latest/plugins/b603_subprocess_without_shell_equals_true.html
logger.info(str(args))
# Use a common pipe for stdout & stderr for logging.
process = subprocess.Popen(args, stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
logger_pipe = core.pipe.LoggerPipe(logger, logging.INFO, process.stdout)
logger_pipe.wait_until_started()
ret = process.wait()
logger_pipe.wait_until_finished()
Reported by Bandit.
Line: 55
Suggestion:
https://bandit.readthedocs.io/en/latest/plugins/b603_subprocess_without_shell_equals_true.html
def callo(args, logger):
    """Run *args* as a subprocess (no shell) and return its stdout as text.

    The command is logged before it runs. Output is decoded as UTF-8 with
    undecodable bytes replaced, so malformed output never raises here;
    a non-zero exit status propagates as subprocess.CalledProcessError.
    """
    logger.info("%s", str(args))
    # args goes straight to check_output, so no shell interprets it.
    raw_output = subprocess.check_output(args)
    return raw_output.decode('utf-8', 'replace')
def signal_python(logger, pname, pid):
"""
Send appropriate dumping signal to python processes.
Reported by Bandit.
src/third_party/wiredtiger/ext/encryptors/nop/nop_encrypt.c
3 issues
Line: 209
CWE codes:
401
/* Return the new encryptor. */
*customp = (WT_ENCRYPTOR *)new;
return (0);
err:
free(new);
return (ret);
}
Reported by Cppcheck.
Line: 81
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
if (dst_len < src_len)
return (nop_error(nop_encryptor, session, ENOMEM, "encrypt buffer not big enough"));
memcpy(dst, src, src_len);
*result_lenp = src_len;
return (0);
}
/*! [WT_ENCRYPTOR encrypt] */
Reported by FlawFinder.
Line: 107
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
/*
* The destination length is the number of unencrypted bytes we're expected to return.
*/
memcpy(dst, src, dst_len);
*result_lenp = dst_len;
return (0);
}
/*! [WT_ENCRYPTOR decrypt] */
Reported by FlawFinder.
src/mongo/db/geo/hash_test.cpp
3 issues
Line: 57
using std::string;
using std::stringstream;
TEST(GeoHash, MakeZeroHash) {
    // Building a hash for cell (0, 0) must succeed; the object is only
    // constructed, never inspected, so the test passes if nothing throws.
    unsigned x = 0;
    unsigned y = 0;
    GeoHash hash(x, y);
}
static string makeRandomBitString(int length) {
Reported by Cppcheck.
Line: 64
Column: 25
CWE codes:
327
Suggestion:
Use a more secure technique for acquiring random values
static string makeRandomBitString(int length) {
stringstream ss;
mongo::PseudoRandom random(31337);
for (int i = 0; i < length; ++i) {
if (random.nextInt32() & 1) {
ss << "1";
} else {
ss << "0";
Reported by FlawFinder.
Line: 66
Column: 13
CWE codes:
327
Suggestion:
Use a more secure technique for acquiring random values
stringstream ss;
mongo::PseudoRandom random(31337);
for (int i = 0; i < length; ++i) {
if (random.nextInt32() & 1) {
ss << "1";
} else {
ss << "0";
}
}
Reported by FlawFinder.
src/mongo/db/storage/storage_engine_lock_file_posix.cpp
3 issues
Line: 71
Column: 16
CWE codes:
362
LOGV2_DEBUG(22275, 1, "flushing directory {dir_string}", "dir_string"_attr = dir.string());
int fd = ::open(dir.string().c_str(), O_RDONLY); // DO NOT THROW OR ASSERT BEFORE CLOSING
massert(40387,
str::stream() << "Couldn't open directory '" << dir.string()
<< "' for flushing: " << errnoWithDescription(),
fd >= 0);
if (fsync(fd) != 0) {
Reported by FlawFinder.
Line: 133
Column: 31
CWE codes:
362
return _uncleanShutdown;
}
Status StorageEngineLockFile::open() {
try {
if (!boost::filesystem::exists(_dbpath)) {
return Status(ErrorCodes::NonExistentPath, _getNonExistentPathMessage());
}
} catch (const std::exception& ex) {
Reported by FlawFinder.
Line: 146
Column: 11
CWE codes:
362
// Use file permissions 644
int lockFile =
::open(_filespec.c_str(), O_RDWR | O_CREAT, S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH);
if (lockFile < 0) {
int errorcode = errno;
if (errorcode == EACCES) {
return Status(ErrorCodes::IllegalOperation,
str::stream()
Reported by FlawFinder.
buildscripts/idl/idl_compatibility_errors.py
3 issues
Line: 193
Suggestion:
https://bandit.readthedocs.io/en/latest/plugins/b101_assert_used.html
"""Get the first error in the error collection with the id error_id."""
error_id_list = [a for a in self._errors if a.error_id == error_id]
error = next(iter(error_id_list), None)
assert error is not None
return error
def get_error_by_command_name(self, command_name: str) -> IDLCompatibilityError:
"""Get the first error in the error collection with the command command_name."""
command_name_list = [a for a in self._errors if a.command_name == command_name]
Reported by Bandit.
Line: 200
Suggestion:
https://bandit.readthedocs.io/en/latest/plugins/b101_assert_used.html
"""Get the first error in the error collection with the command command_name."""
command_name_list = [a for a in self._errors if a.command_name == command_name]
error = next(iter(command_name_list), None)
assert error is not None
return error
def get_error_by_command_name_and_error_id(self, command_name: str,
error_id: str) -> IDLCompatibilityError:
"""Get the first error in the error collection from command_name with error_id."""
Reported by Bandit.
Line: 209
Suggestion:
https://bandit.readthedocs.io/en/latest/plugins/b101_assert_used.html
command_name_list = [a for a in self._errors if a.command_name == command_name]
error_id_list = [a for a in command_name_list if a.error_id == error_id]
error = next(iter(error_id_list), None)
assert error is not None
return error
def get_all_errors_by_command_name(self, command_name: str) -> List[IDLCompatibilityError]:
    """Return every collected error whose command_name equals *command_name*.

    Errors are returned in the order they appear in ``self._errors``; an
    empty list means no error was recorded for that command.
    """
    def _is_for_command(err):
        return err.command_name == command_name

    return list(filter(_is_for_command, self._errors))
Reported by Bandit.
src/third_party/wiredtiger/examples/c/ex_log.c
3 issues
Line: 87
Column: 5
CWE codes:
134
Suggestion:
Use a constant for the format specification
print_record(uint32_t log_file, uint32_t log_offset, uint32_t opcount, uint32_t rectype,
uint32_t optype, uint64_t txnid, uint32_t fileid, WT_ITEM *key, WT_ITEM *value)
{
printf("LSN [%" PRIu32 "][%" PRIu32 "].%" PRIu32 ": record type %" PRIu32 " optype %" PRIu32
" txnid %" PRIu64 " fileid %" PRIu32,
log_file, log_offset, opcount, rectype, optype, txnid, fileid);
printf(" key size %zu value size %zu\n", key->size, value->size);
if (rectype == WT_LOGREC_MESSAGE)
printf("Application Record: %s\n", (char *)value->data);
Reported by FlawFinder.
Line: 259
Column: 17
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
(void)snprintf(
cmd_buf, sizeof(cmd_buf), "rm -rf %s %s && mkdir %s %s", home1, home2, home1, home2);
error_check(system(cmd_buf));
error_check(wiredtiger_open(home1, NULL, CONN_CONFIG, &wt_conn));
error_check(wt_conn->open_session(wt_conn, NULL, NULL, &session));
error_check(session->create(session, uri, "key_format=S,value_format=S"));
count_min++;
Reported by FlawFinder.
Line: 250
Column: 5
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
WT_CURSOR *cursor;
WT_SESSION *session;
int count_min, i, record_count;
char cmd_buf[256], k[32], v[32];
(void)argc; /* Unused variable */
(void)testutil_set_progname(argv);
count_min = 0;
Reported by FlawFinder.
src/third_party/wiredtiger/ext/compressors/lz4/lz4_compress.c
3 issues
Line: 149
Column: 9
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
#ifdef WORDS_BIGENDIAN
lz4_prefix_swap(&prefix);
#endif
memcpy(dst, &prefix, sizeof(LZ4_PREFIX));
*result_lenp = (size_t)lz4_len + sizeof(LZ4_PREFIX);
*compression_failed = 0;
return (0);
}
Reported by FlawFinder.
Line: 179
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
* Retrieve the true length of the compressed block and source and the decompressed bytes to
* return from the start of the source buffer.
*/
memcpy(&prefix, src, sizeof(LZ4_PREFIX));
#ifdef WORDS_BIGENDIAN
lz4_prefix_swap(&prefix);
#endif
if (prefix.compressed_len + sizeof(LZ4_PREFIX) > src_len) {
(void)wt_api->err_printf(
Reported by FlawFinder.
Line: 211
Column: 13
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
(int)prefix.compressed_len, (int)prefix.uncompressed_len);
if (decoded >= 0)
memcpy(dst, dst_tmp, dst_len);
wt_api->scr_free(wt_api, session, dst_tmp);
} else
decoded = LZ4_decompress_safe((const char *)src + sizeof(LZ4_PREFIX), (char *)dst,
(int)prefix.compressed_len, (int)dst_len);
Reported by FlawFinder.
buildscripts/resmokelib/core/redirect.py
3 issues
Line: 3
Suggestion:
https://bandit.readthedocs.io/en/latest/blacklists/blacklist_imports.html#b404-import-subprocess
"""Helper classes for chaining process output."""
import subprocess
import sys
class StdoutRewrite(object):
"""A helper class that will overwrite `sys.stdout` and write incoming data to an underlying stream.
Reported by Bandit.
Line: 55
Suggestion:
https://bandit.readthedocs.io/en/latest/plugins/b603_subprocess_without_shell_equals_true.html
if read_from == sys.__stdout__:
# sys.stdout does not implement a `read` method so it cannot be passed as a `stdin`
# variable. Use a `StdoutRewrite` object to write the spawned `stdin`.
self.proc = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=write_to)
self.rewrite = StdoutRewrite(self.proc.stdin)
else:
self.proc = subprocess.Popen(cmd, stdin=read_from, stdout=write_to)
def get_stdin(self):
Reported by Bandit.
Line: 58
Suggestion:
https://bandit.readthedocs.io/en/latest/plugins/b603_subprocess_without_shell_equals_true.html
self.proc = subprocess.Popen(cmd, stdin=subprocess.PIPE, stdout=write_to)
self.rewrite = StdoutRewrite(self.proc.stdin)
else:
self.proc = subprocess.Popen(cmd, stdin=read_from, stdout=write_to)
def get_stdin(self):
    """Return the stdin stream of the spawned process (``self.proc.stdin``)."""
    spawned = self.proc
    return spawned.stdin
Reported by Bandit.
src/third_party/wiredtiger/dist/docs_data.py
3 issues
Line: 1
Column: 1
# Create entries used by our doxygen filter to expand the arch_page
# macros in the documentation.
class ArchDocPage:
    """One arch_page entry expanded by the doxygen filter.

    A plain record of the page's doxygen name and the data structures and
    files it documents; every argument is stored exactly as passed.
    """

    def __init__(self, doxygen_name, data_structures, files):
        # Nothing is validated or copied here; attributes mirror the arguments.
        self.files = files
        self.data_structures = data_structures
        self.doxygen_name = doxygen_name
Reported by Pylint.
Line: 4
Column: 1
# Create entries used by our doxygen filter to expand the arch_page
# macros in the documentation.
class ArchDocPage:
    """One arch_page entry expanded by the doxygen filter.

    A plain record of the page's doxygen name and the data structures and
    files it documents; every argument is stored exactly as passed.
    """

    def __init__(self, doxygen_name, data_structures, files):
        # Nothing is validated or copied here; attributes mirror the arguments.
        self.files = files
        self.data_structures = data_structures
        self.doxygen_name = doxygen_name
Reported by Pylint.
Line: 4
Column: 1
# Create entries used by our doxygen filter to expand the arch_page
# macros in the documentation.
class ArchDocPage:
    """One arch_page entry expanded by the doxygen filter.

    A plain record of the page's doxygen name and the data structures and
    files it documents; every argument is stored exactly as passed.
    """

    def __init__(self, doxygen_name, data_structures, files):
        # Nothing is validated or copied here; attributes mirror the arguments.
        self.files = files
        self.data_structures = data_structures
        self.doxygen_name = doxygen_name
Reported by Pylint.
src/mongo/crypto/sha512_block_test.cpp
3 issues
Line: 77
};
TEST(CryptoVectors, SHA512) {
size_t numTests = sizeof(sha512Tests) / sizeof(sha512Tests[0]);
for (size_t i = 0; i < numTests; i++) {
SHA512Block result = SHA512Block::computeHash(sha512Tests[i].msg);
ASSERT(sha512Tests[i].hash == result) << "Failed SHA512 iteration " << i;
}
Reported by Cppcheck.
Line: 89
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const int maxDataSize = 54;
// HMAC-SHA-512 test vectors from https://tools.ietf.org/html/rfc4231#section-4.2
const struct {
unsigned char key[maxKeySize];
int keyLen;
unsigned char data[maxDataSize];
int dataLen;
SHA512Block hash;
} hmacSha512Tests[] = {
Reported by FlawFinder.
Line: 91
Column: 14
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const struct {
unsigned char key[maxKeySize];
int keyLen;
unsigned char data[maxDataSize];
int dataLen;
SHA512Block hash;
} hmacSha512Tests[] = {
// RFC test case 1
{{0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b, 0x0b,
Reported by FlawFinder.