The following issues were found

Userland/Applications/PixelPaint/PaletteWidget.cpp
3 issues
open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 224 Column: 11 CWE codes: 362 

              Result<Vector<Color>, String> PaletteWidget::load_palette_fd_and_close(int fd)
{
    auto file = Core::File::construct();
    file->open(fd, Core::OpenMode::ReadOnly, Core::File::ShouldCloseFileDescriptor::Yes);
    if (file->has_error())
        return String { file->error_string() };

    return load_palette_file(file);
}

Reported by FlawFinder.

open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 233 Column: 38 CWE codes: 362 

              
Result<Vector<Color>, String> PaletteWidget::load_palette_path(String const& file_path)
{
    auto file_or_error = Core::File::open(file_path, Core::OpenMode::ReadOnly);
    if (file_or_error.is_error())
        return String { file_or_error.error().string() };

    auto& file = *file_or_error.value();
    return load_palette_file(file);

Reported by FlawFinder.

open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 244 Column: 11 CWE codes: 362 

              Result<void, String> PaletteWidget::save_palette_fd_and_close(Vector<Color> palette, int fd)
{
    auto file = Core::File::construct();
    file->open(fd, Core::OpenMode::WriteOnly, Core::File::ShouldCloseFileDescriptor::Yes);
    if (file->has_error())
        return String { file->error_string() };

    for (auto& color : palette) {
        file->write(color.to_string_without_alpha());

Reported by FlawFinder.

Kernel/KBufferBuilder.cpp
3 issues
memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 52 Column: 5 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

              {
    if (!check_expand(bytes.size()))
        return;
    memcpy(insertion_ptr(), bytes.data(), bytes.size());
    m_size += bytes.size();
}

void KBufferBuilder::append(const StringView& str)
{

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 62 Column: 5 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

                      return;
    if (!check_expand(str.length()))
        return;
    memcpy(insertion_ptr(), str.characters_without_null_termination(), str.length());
    m_size += str.length();
}

void KBufferBuilder::append(const char* characters, int length)
{

Reported by FlawFinder.

memcpy - Does not check for buffer overflows when copying to destination
Security

Line: 72 Column: 5 CWE codes: 120
Suggestion: Make sure destination can always hold the source data 

                      return;
    if (!check_expand(length))
        return;
    memcpy(insertion_ptr(), characters, length);
    m_size += length;
}

void KBufferBuilder::append(char ch)
{

Reported by FlawFinder.

Userland/Libraries/LibCore/IODevice.h
3 issues
open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 88 Column: 18 CWE codes: 362 

              
    bool seek(i64, SeekMode = SeekMode::SetPosition, off_t* = nullptr);

    virtual bool open(OpenMode) = 0;
    virtual bool close();

    LineIterator line_begin() & { return LineIterator(*this); }
    LineIterator line_end() { return LineIterator(*this, true); }

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 71 Column: 9 CWE codes: 120 20 

              
    bool has_error() const { return m_error != 0; }

    int read(u8* buffer, int length);

    ByteBuffer read(size_t max_size);
    ByteBuffer read_all();
    String read_line(size_t max_size = 16384);

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 73 Column: 16 CWE codes: 120 20 

              
    int read(u8* buffer, int length);

    ByteBuffer read(size_t max_size);
    ByteBuffer read_all();
    String read_line(size_t max_size = 16384);

    bool write(const u8*, int size);
    bool write(const StringView&);

Reported by FlawFinder.

Userland/Libraries/LibCoreDump/Reader.cpp
3 issues
strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 81 Column: 89 CWE codes: 126 

                  switch (type()) {
    case ELF::Core::NotesEntryHeader::Type::ProcessInfo: {
        const auto* current = reinterpret_cast<const ELF::Core::ProcessInfo*>(m_current);
        m_current = reinterpret_cast<const ELF::Core::NotesEntry*>(current->json_data + strlen(current->json_data) + 1);
        break;
    }
    case ELF::Core::NotesEntryHeader::Type::ThreadInfo: {
        const auto* current = reinterpret_cast<const ELF::Core::ThreadInfo*>(m_current);
        m_current = reinterpret_cast<const ELF::Core::NotesEntry*>(current + 1);

Reported by FlawFinder.

strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 91 Column: 91 CWE codes: 126 

                  }
    case ELF::Core::NotesEntryHeader::Type::MemoryRegionInfo: {
        const auto* current = reinterpret_cast<const ELF::Core::MemoryRegionInfo*>(m_current);
        m_current = reinterpret_cast<const ELF::Core::NotesEntry*>(current->region_name + strlen(current->region_name) + 1);
        break;
    }
    case ELF::Core::NotesEntryHeader::Type::Metadata: {
        const auto* current = reinterpret_cast<const ELF::Core::Metadata*>(m_current);
        m_current = reinterpret_cast<const ELF::Core::NotesEntry*>(current->json_data + strlen(current->json_data) + 1);

Reported by FlawFinder.

strlen - Does not handle strings that are not \0-terminated; if given one it may perform an over-read (it could cause a crash if unprotected)
Security

Line: 96 Column: 89 CWE codes: 126 

                  }
    case ELF::Core::NotesEntryHeader::Type::Metadata: {
        const auto* current = reinterpret_cast<const ELF::Core::Metadata*>(m_current);
        m_current = reinterpret_cast<const ELF::Core::NotesEntry*>(current->json_data + strlen(current->json_data) + 1);
        break;
    }
    default:
        VERIFY_NOT_REACHED();
    }

Reported by FlawFinder.

Userland/Libraries/LibCore/File.h
3 issues
open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 22 Column: 49 CWE codes: 362 

              public:
    virtual ~File() override;

    static Result<NonnullRefPtr<File>, OSError> open(String filename, OpenMode, mode_t = 0644);

    String filename() const { return m_filename; }
    void set_filename(const String filename) { m_filename = move(filename); }

    bool is_directory() const;

Reported by FlawFinder.

open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 80 Column: 18 CWE codes: 362 

                  };
    static Result<void, RemoveError> remove(String const& path, RecursionMode, bool force);

    virtual bool open(OpenMode) override;

    enum class ShouldCloseFileDescriptor {
        No = 0,
        Yes
    };

Reported by FlawFinder.

open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 86 Column: 10 CWE codes: 362 

                      No = 0,
        Yes
    };
    bool open(int fd, OpenMode, ShouldCloseFileDescriptor);
    [[nodiscard]] int leak_fd();

    static NonnullRefPtr<File> standard_input();
    static NonnullRefPtr<File> standard_output();
    static NonnullRefPtr<File> standard_error();

Reported by FlawFinder.

Userland/Applications/Help/ManualSectionNode.cpp
3 issues
open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 41 Column: 39 CWE codes: 362 

                      m_children.append(make<ManualPageNode>(*this, move(page_name)));
}

void ManualSectionNode::set_open(bool open)
{
    if (m_open == open)
        return;
    m_open = open;
}

Reported by FlawFinder.

open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 43 Column: 19 CWE codes: 362 

              
void ManualSectionNode::set_open(bool open)
{
    if (m_open == open)
        return;
    m_open = open;
}

Reported by FlawFinder.

open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 45 Column: 14 CWE codes: 362 

              {
    if (m_open == open)
        return;
    m_open = open;
}

Reported by FlawFinder.

Userland/Libraries/LibCrypt/crypt.cpp
3 issues
crypt - The crypt functions use a poor one-way hashing algorithm; since they only accept passwords of 8 characters or fewer and only a two-byte salt, they are excessively vulnerable to dictionary attacks given today's faster computing equipment
Security

Line: 18 Column: 7 CWE codes: 327
Suggestion: Use a different algorithm, such as SHA-256, with a larger, non-repeating salt 

              
static struct crypt_data crypt_data;

char* crypt(const char* key, const char* salt)
{
    crypt_data.initialized = true;
    return crypt_r(key, salt, &crypt_data);
}

Reported by FlawFinder.

crypt_r - The crypt functions use a poor one-way hashing algorithm; since they only accept passwords of 8 characters or fewer and only a two-byte salt, they are excessively vulnerable to dictionary attacks given today's faster computing equipment
Security

Line: 21 Column: 12 CWE codes: 327
Suggestion: Use a different algorithm, such as SHA-256, with a larger, non-repeating salt 

              char* crypt(const char* key, const char* salt)
{
    crypt_data.initialized = true;
    return crypt_r(key, salt, &crypt_data);
}

static constexpr size_t crypt_salt_max = 16;
static constexpr size_t sha_string_length = 44;

Reported by FlawFinder.

crypt_r - The crypt functions use a poor one-way hashing algorithm; since they only accept passwords of 8 characters or fewer and only a two-byte salt, they are excessively vulnerable to dictionary attacks given today's faster computing equipment
Security

Line: 27 Column: 7 CWE codes: 327
Suggestion: Use a different algorithm, such as SHA-256, with a larger, non-repeating salt 

              static constexpr size_t crypt_salt_max = 16;
static constexpr size_t sha_string_length = 44;

char* crypt_r(const char* key, const char* salt, struct crypt_data* data)
{
    if (!data->initialized) {
        errno = EINVAL;
        return nullptr;
    }

Reported by FlawFinder.

Userland/Libraries/LibCore/ConfigFile.cpp
3 issues
open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 37 Column: 39 CWE codes: 362 

                  return adopt_ref(*new ConfigFile(path));
}

NonnullRefPtr<ConfigFile> ConfigFile::open(const String& path)
{
    return adopt_ref(*new ConfigFile(path));
}

ConfigFile::ConfigFile(const String& filename)

Reported by FlawFinder.

open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 58 Column: 16 CWE codes: 362 

                  m_groups.clear();

    auto file = File::construct(m_filename);
    if (!file->open(OpenMode::ReadOnly))
        return;

    HashMap<String, String>* current_group = nullptr;

    while (file->can_read_line()) {

Reported by FlawFinder.

fopen - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 152 Column: 16 CWE codes: 362 

                  if (!m_dirty)
        return true;

    FILE* fp = fopen(m_filename.characters(), "wb");
    if (!fp)
        return false;

    for (auto& it : m_groups) {
        outln(fp, "[{}]", it.key);

Reported by FlawFinder.

AK/CircularDuplexStream.h
3 issues
read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 42 Column: 12 CWE codes: 120 20 

                      return true;
    }

    size_t read(Bytes bytes) override
    {
        if (has_any_error())
            return 0;

        const auto nread = min(bytes.size(), m_queue.size());

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 55 Column: 12 CWE codes: 120 20 

                      return nread;
    }

    size_t read(Bytes bytes, size_t seekback)
    {
        if (seekback > Capacity || seekback > m_total_written) {
            set_recoverable_error();
            return 0;
        }

Reported by FlawFinder.

read - Check buffer boundaries if used in a loop including recursive loops
Security

Line: 79 Column: 9 CWE codes: 120 20 

                          return false;
        }

        read(bytes);
        return true;
    }

    bool discard_or_error(size_t count) override
    {

Reported by FlawFinder.

Userland/Applications/Help/main.cpp
3 issues
open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 181 Column: 72 CWE codes: 362 

                      open_page(path);
    };

    tree_view.on_toggle = [&](const GUI::ModelIndex& index, const bool open) {
        model->update_section_node_on_toggle(index, open);
    };

    auto open_external = [&](auto& url) {
        if (!Desktop::Launcher::open(url)) {

Reported by FlawFinder.

open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 182 Column: 53 CWE codes: 362 

                  };

    tree_view.on_toggle = [&](const GUI::ModelIndex& index, const bool open) {
        model->update_section_node_on_toggle(index, open);
    };

    auto open_external = [&](auto& url) {
        if (!Desktop::Launcher::open(url)) {
            GUI::MessageBox::show(window,

Reported by FlawFinder.

open - Check when opening files - can an attacker redirect it (via symlinks), force the opening of special file type (e.g., device files), move things around to create a race condition, control its ancestors, or change its contents?
Security

Line: 186 Column: 33 CWE codes: 362 

                  };

    auto open_external = [&](auto& url) {
        if (!Desktop::Launcher::open(url)) {
            GUI::MessageBox::show(window,
                String::formatted("The link to '{}' could not be opened.", url),
                "Failed to open link",
                GUI::MessageBox::Type::Error);
        }

Reported by FlawFinder.