The following issues were found
src/google/protobuf/stubs/strutil.h
13 issues
Line: 706
Column: 29
CWE codes:
120
// be a reference into str.
// ----------------------------------------------------------------------
PROTOBUF_EXPORT std::string StrCat(const AlphaNum& a, const AlphaNum& b);
PROTOBUF_EXPORT std::string StrCat(const AlphaNum& a, const AlphaNum& b,
const AlphaNum& c);
PROTOBUF_EXPORT std::string StrCat(const AlphaNum& a, const AlphaNum& b,
const AlphaNum& c, const AlphaNum& d);
PROTOBUF_EXPORT std::string StrCat(const AlphaNum& a, const AlphaNum& b,
Reported by FlawFinder.
Line: 707
Column: 29
CWE codes:
120
// ----------------------------------------------------------------------
PROTOBUF_EXPORT std::string StrCat(const AlphaNum& a, const AlphaNum& b);
PROTOBUF_EXPORT std::string StrCat(const AlphaNum& a, const AlphaNum& b,
const AlphaNum& c);
PROTOBUF_EXPORT std::string StrCat(const AlphaNum& a, const AlphaNum& b,
const AlphaNum& c, const AlphaNum& d);
PROTOBUF_EXPORT std::string StrCat(const AlphaNum& a, const AlphaNum& b,
const AlphaNum& c, const AlphaNum& d,
Reported by FlawFinder.
Line: 709
Column: 29
CWE codes:
120
PROTOBUF_EXPORT std::string StrCat(const AlphaNum& a, const AlphaNum& b);
PROTOBUF_EXPORT std::string StrCat(const AlphaNum& a, const AlphaNum& b,
const AlphaNum& c);
PROTOBUF_EXPORT std::string StrCat(const AlphaNum& a, const AlphaNum& b,
const AlphaNum& c, const AlphaNum& d);
PROTOBUF_EXPORT std::string StrCat(const AlphaNum& a, const AlphaNum& b,
const AlphaNum& c, const AlphaNum& d,
const AlphaNum& e);
PROTOBUF_EXPORT std::string StrCat(const AlphaNum& a, const AlphaNum& b,
Reported by FlawFinder.
Line: 711
Column: 29
CWE codes:
120
const AlphaNum& c);
PROTOBUF_EXPORT std::string StrCat(const AlphaNum& a, const AlphaNum& b,
const AlphaNum& c, const AlphaNum& d);
PROTOBUF_EXPORT std::string StrCat(const AlphaNum& a, const AlphaNum& b,
const AlphaNum& c, const AlphaNum& d,
const AlphaNum& e);
PROTOBUF_EXPORT std::string StrCat(const AlphaNum& a, const AlphaNum& b,
const AlphaNum& c, const AlphaNum& d,
const AlphaNum& e, const AlphaNum& f);
Reported by FlawFinder.
Line: 714
Column: 29
CWE codes:
120
PROTOBUF_EXPORT std::string StrCat(const AlphaNum& a, const AlphaNum& b,
const AlphaNum& c, const AlphaNum& d,
const AlphaNum& e);
PROTOBUF_EXPORT std::string StrCat(const AlphaNum& a, const AlphaNum& b,
const AlphaNum& c, const AlphaNum& d,
const AlphaNum& e, const AlphaNum& f);
PROTOBUF_EXPORT std::string StrCat(const AlphaNum& a, const AlphaNum& b,
const AlphaNum& c, const AlphaNum& d,
const AlphaNum& e, const AlphaNum& f,
Reported by FlawFinder.
Line: 717
Column: 29
CWE codes:
120
PROTOBUF_EXPORT std::string StrCat(const AlphaNum& a, const AlphaNum& b,
const AlphaNum& c, const AlphaNum& d,
const AlphaNum& e, const AlphaNum& f);
PROTOBUF_EXPORT std::string StrCat(const AlphaNum& a, const AlphaNum& b,
const AlphaNum& c, const AlphaNum& d,
const AlphaNum& e, const AlphaNum& f,
const AlphaNum& g);
PROTOBUF_EXPORT std::string StrCat(const AlphaNum& a, const AlphaNum& b,
const AlphaNum& c, const AlphaNum& d,
Reported by FlawFinder.
Line: 721
Column: 29
CWE codes:
120
const AlphaNum& c, const AlphaNum& d,
const AlphaNum& e, const AlphaNum& f,
const AlphaNum& g);
PROTOBUF_EXPORT std::string StrCat(const AlphaNum& a, const AlphaNum& b,
const AlphaNum& c, const AlphaNum& d,
const AlphaNum& e, const AlphaNum& f,
const AlphaNum& g, const AlphaNum& h);
PROTOBUF_EXPORT std::string StrCat(const AlphaNum& a, const AlphaNum& b,
const AlphaNum& c, const AlphaNum& d,
Reported by FlawFinder.
Line: 725
Column: 29
CWE codes:
120
const AlphaNum& c, const AlphaNum& d,
const AlphaNum& e, const AlphaNum& f,
const AlphaNum& g, const AlphaNum& h);
PROTOBUF_EXPORT std::string StrCat(const AlphaNum& a, const AlphaNum& b,
const AlphaNum& c, const AlphaNum& d,
const AlphaNum& e, const AlphaNum& f,
const AlphaNum& g, const AlphaNum& h,
const AlphaNum& i);
Reported by FlawFinder.
Line: 731
Column: 20
CWE codes:
120
const AlphaNum& g, const AlphaNum& h,
const AlphaNum& i);
inline std::string StrCat(const AlphaNum& a) {
return std::string(a.data(), a.size());
}
// ----------------------------------------------------------------------
// StrAppend()
Reported by FlawFinder.
Line: 621
Column: 3
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
const char *piece_data_; // move these to string_ref eventually
size_t piece_size_; // move these to string_ref eventually
char digits[kFastToBufferSize];
// No bool ctor -- bools convert to an integral type.
// A bool ctor would also convert incoming pointers (bletch).
AlphaNum(int i32)
Reported by FlawFinder.
src/google/protobuf/util/internal/protostream_objectwriter.cc
13 issues
Line: 395
Column: 31
CWE codes:
120
// There are uninterpreted data, but we never got a "@type" field.
if (!invalid_) {
parent_->InvalidValue("Any",
StrCat("Missing @type for any field in ",
parent_->master_type_.name()));
invalid_ = true;
}
return;
}
Reported by FlawFinder.
Line: 790
Column: 25
CWE codes:
120
}
// Report an error.
InvalidValue("Map", StrCat("Cannot have repeated items ('", name,
"') within a map."));
return this;
}
// When name is empty and stack is not empty, we are rendering an item within
Reported by FlawFinder.
Line: 887
Column: 25
CWE codes:
120
Push(name, Item::MESSAGE, false, true);
return this;
}
InvalidValue("Map", StrCat("Cannot bind a list to map for field '",
name, "'."));
IncrementInvalidDepth();
return this;
}
Reported by FlawFinder.
Line: 954
Column: 41
CWE codes:
120
util::StatusOr<int64_t> int_value = data.ToInt64();
if (int_value.ok()) {
ow->ProtoWriter::RenderDataPiece(
"string_value", DataPiece(StrCat(int_value.value()), true));
return Status();
}
}
struct_field_name = "number_value";
break;
Reported by FlawFinder.
Line: 968
Column: 41
CWE codes:
120
util::StatusOr<uint64_t> int_value = data.ToUint64();
if (int_value.ok()) {
ow->ProtoWriter::RenderDataPiece(
"string_value", DataPiece(StrCat(int_value.value()), true));
return Status();
}
}
struct_field_name = "number_value";
break;
Reported by FlawFinder.
Line: 1028
Column: 9
CWE codes:
120
if (data.type() == DataPiece::TYPE_NULL) return Status();
if (data.type() != DataPiece::TYPE_STRING) {
return util::InvalidArgumentError(
StrCat("Invalid data type for timestamp, value is ",
data.ValueAsStringOrDefault("")));
}
StringPiece value(data.str());
Reported by FlawFinder.
Line: 1038
Column: 39
CWE codes:
120
int32 nanos;
if (!::google::protobuf::internal::ParseTime(value.ToString(), &seconds,
&nanos)) {
return util::InvalidArgumentError(StrCat("Invalid time format: ", value));
}
ow->ProtoWriter::RenderDataPiece("seconds", DataPiece(seconds));
ow->ProtoWriter::RenderDataPiece("nanos", DataPiece(nanos));
Reported by FlawFinder.
Line: 1059
Column: 9
CWE codes:
120
if (data.type() == DataPiece::TYPE_NULL) return Status();
if (data.type() != DataPiece::TYPE_STRING) {
return util::InvalidArgumentError(
StrCat("Invalid data type for field mask, value is ",
data.ValueAsStringOrDefault("")));
}
// TODO(tsun): figure out how to do proto descriptor based snake case
// conversions as much as possible. Because ToSnakeCase sometimes returns the
Reported by FlawFinder.
Line: 1075
Column: 9
CWE codes:
120
if (data.type() == DataPiece::TYPE_NULL) return Status();
if (data.type() != DataPiece::TYPE_STRING) {
return util::InvalidArgumentError(
StrCat("Invalid data type for duration, value is ",
data.ValueAsStringOrDefault("")));
}
StringPiece value(data.str());
Reported by FlawFinder.
Line: 1147
Column: 20
CWE codes:
120
status = (*type_renderer)(this, data);
if (!status.ok()) {
InvalidValue(master_type_.name(),
StrCat("Field '", name, "', ", status.message()));
}
ProtoWriter::EndObject();
return this;
}
Reported by FlawFinder.
src/google/protobuf/descriptor.pb.cc
13 issues
Line: 10819
// @@protoc_insertion_point(namespace_scope)
PROTOBUF_NAMESPACE_CLOSE
PROTOBUF_NAMESPACE_OPEN
template<> PROTOBUF_NOINLINE ::PROTOBUF_NAMESPACE_ID::FileDescriptorSet* Arena::CreateMaybeMessage< ::PROTOBUF_NAMESPACE_ID::FileDescriptorSet >(Arena* arena) {
return Arena::CreateMessageInternal< ::PROTOBUF_NAMESPACE_ID::FileDescriptorSet >(arena);
}
template<> PROTOBUF_NOINLINE ::PROTOBUF_NAMESPACE_ID::FileDescriptorProto* Arena::CreateMaybeMessage< ::PROTOBUF_NAMESPACE_ID::FileDescriptorProto >(Arena* arena) {
return Arena::CreateMessageInternal< ::PROTOBUF_NAMESPACE_ID::FileDescriptorProto >(arena);
Reported by Cppcheck.
Line: 2156
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else {
options_ = nullptr;
}
::memcpy(&start_, &from.start_,
static_cast<size_t>(reinterpret_cast<char*>(&end_) -
reinterpret_cast<char*>(&start_)) + sizeof(end_));
// @@protoc_insertion_point(copy_constructor:google.protobuf.DescriptorProto.ExtensionRange)
}
Reported by FlawFinder.
Line: 2427
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
: ::PROTOBUF_NAMESPACE_ID::Message(),
_has_bits_(from._has_bits_) {
_internal_metadata_.MergeFrom<::PROTOBUF_NAMESPACE_ID::UnknownFieldSet>(from._internal_metadata_);
::memcpy(&start_, &from.start_,
static_cast<size_t>(reinterpret_cast<char*>(&end_) -
reinterpret_cast<char*>(&start_)) + sizeof(end_));
// @@protoc_insertion_point(copy_constructor:google.protobuf.DescriptorProto.ReservedRange)
}
Reported by FlawFinder.
Line: 3478
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else {
options_ = nullptr;
}
::memcpy(&number_, &from.number_,
static_cast<size_t>(reinterpret_cast<char*>(&type_) -
reinterpret_cast<char*>(&number_)) + sizeof(type_));
// @@protoc_insertion_point(copy_constructor:google.protobuf.FieldDescriptorProto)
}
Reported by FlawFinder.
Line: 4327
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
: ::PROTOBUF_NAMESPACE_ID::Message(),
_has_bits_(from._has_bits_) {
_internal_metadata_.MergeFrom<::PROTOBUF_NAMESPACE_ID::UnknownFieldSet>(from._internal_metadata_);
::memcpy(&start_, &from.start_,
static_cast<size_t>(reinterpret_cast<char*>(&end_) -
reinterpret_cast<char*>(&start_)) + sizeof(end_));
// @@protoc_insertion_point(copy_constructor:google.protobuf.EnumDescriptorProto.EnumReservedRange)
}
Reported by FlawFinder.
Line: 5586
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
} else {
options_ = nullptr;
}
::memcpy(&client_streaming_, &from.client_streaming_,
static_cast<size_t>(reinterpret_cast<char*>(&server_streaming_) -
reinterpret_cast<char*>(&client_streaming_)) + sizeof(server_streaming_));
// @@protoc_insertion_point(copy_constructor:google.protobuf.MethodDescriptorProto)
}
Reported by FlawFinder.
Line: 6093
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
ruby_package_.Set(::PROTOBUF_NAMESPACE_ID::internal::ArenaStringPtr::EmptyDefault{}, from._internal_ruby_package(),
GetArenaForAllocation());
}
::memcpy(&java_multiple_files_, &from.java_multiple_files_,
static_cast<size_t>(reinterpret_cast<char*>(&cc_enable_arenas_) -
reinterpret_cast<char*>(&java_multiple_files_)) + sizeof(cc_enable_arenas_));
// @@protoc_insertion_point(copy_constructor:google.protobuf.FileOptions)
}
Reported by FlawFinder.
Line: 7026
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
uninterpreted_option_(from.uninterpreted_option_) {
_internal_metadata_.MergeFrom<::PROTOBUF_NAMESPACE_ID::UnknownFieldSet>(from._internal_metadata_);
_extensions_.MergeFrom(from._extensions_);
::memcpy(&message_set_wire_format_, &from.message_set_wire_format_,
static_cast<size_t>(reinterpret_cast<char*>(&map_entry_) -
reinterpret_cast<char*>(&message_set_wire_format_)) + sizeof(map_entry_));
// @@protoc_insertion_point(copy_constructor:google.protobuf.MessageOptions)
}
Reported by FlawFinder.
Line: 7372
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
uninterpreted_option_(from.uninterpreted_option_) {
_internal_metadata_.MergeFrom<::PROTOBUF_NAMESPACE_ID::UnknownFieldSet>(from._internal_metadata_);
_extensions_.MergeFrom(from._extensions_);
::memcpy(&ctype_, &from.ctype_,
static_cast<size_t>(reinterpret_cast<char*>(&jstype_) -
reinterpret_cast<char*>(&ctype_)) + sizeof(jstype_));
// @@protoc_insertion_point(copy_constructor:google.protobuf.FieldOptions)
}
Reported by FlawFinder.
Line: 7973
Column: 5
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
uninterpreted_option_(from.uninterpreted_option_) {
_internal_metadata_.MergeFrom<::PROTOBUF_NAMESPACE_ID::UnknownFieldSet>(from._internal_metadata_);
_extensions_.MergeFrom(from._extensions_);
::memcpy(&allow_alias_, &from.allow_alias_,
static_cast<size_t>(reinterpret_cast<char*>(&deprecated_) -
reinterpret_cast<char*>(&allow_alias_)) + sizeof(deprecated_));
// @@protoc_insertion_point(copy_constructor:google.protobuf.EnumOptions)
}
Reported by FlawFinder.
generate_changelog.py
13 issues
Line: 60
Suggestion:
https://bandit.readthedocs.io/en/latest/plugins/b605_start_process_with_a_shell.html
for language in languages:
print(language.name)
sys.stdout.flush()
os.system(("git log --pretty=oneline --abbrev-commit %s...HEAD %s | " +
"sed -e 's/^/ - /'") % (previous, " ".join(language.pathspec)))
print("")
print("To view a commit on GitHub: " +
"https://github.com/protocolbuffers/protobuf/commit/<commit id>")
Reported by Bandit.
Line: 8
Column: 1
import sys
import os
class Language(object):
def __init__(self, name, pathspec):
self.name = name
self.pathspec = pathspec
languages = [
Reported by Pylint.
Line: 8
Column: 1
import sys
import os
class Language(object):
def __init__(self, name, pathspec):
self.name = name
self.pathspec = pathspec
languages = [
Reported by Pylint.
Line: 8
Column: 1
import sys
import os
class Language(object):
def __init__(self, name, pathspec):
self.name = name
self.pathspec = pathspec
languages = [
Reported by Pylint.
Line: 9
Column: 1
import os
class Language(object):
def __init__(self, name, pathspec):
self.name = name
self.pathspec = pathspec
languages = [
Language("C++", [
Reported by Pylint.
Line: 10
Column: 1
class Language(object):
def __init__(self, name, pathspec):
self.name = name
self.pathspec = pathspec
languages = [
Language("C++", [
"':(glob)src/google/protobuf/*'",
Reported by Pylint.
Line: 11
Column: 1
class Language(object):
def __init__(self, name, pathspec):
self.name = name
self.pathspec = pathspec
languages = [
Language("C++", [
"':(glob)src/google/protobuf/*'",
"src/google/protobuf/compiler/cpp",
Reported by Pylint.
Line: 52
Column: 1
]
if len(sys.argv) < 2:
print("Usage: generate_changelog.py <previous release>")
sys.exit(1)
previous = sys.argv[1]
for language in languages:
Reported by Pylint.
Line: 53
Column: 1
if len(sys.argv) < 2:
print("Usage: generate_changelog.py <previous release>")
sys.exit(1)
previous = sys.argv[1]
for language in languages:
print(language.name)
Reported by Pylint.
Line: 58
Column: 1
previous = sys.argv[1]
for language in languages:
print(language.name)
sys.stdout.flush()
os.system(("git log --pretty=oneline --abbrev-commit %s...HEAD %s | " +
"sed -e 's/^/ - /'") % (previous, " ".join(language.pathspec)))
print("")
Reported by Pylint.
src/google/protobuf/compiler/objectivec/objectivec_helpers.cc
12 issues
Line: 958
Column: 14
CWE codes:
120
if (field->default_value_int32() == INT_MIN) {
return "-0x80000000";
}
return StrCat(field->default_value_int32());
case FieldDescriptor::CPPTYPE_UINT32:
return StrCat(field->default_value_uint32()) + "U";
case FieldDescriptor::CPPTYPE_INT64:
// gcc and llvm reject the decimal form of kint32min and kint64min.
if (field->default_value_int64() == LLONG_MIN) {
Reported by FlawFinder.
Line: 960
Column: 14
CWE codes:
120
}
return StrCat(field->default_value_int32());
case FieldDescriptor::CPPTYPE_UINT32:
return StrCat(field->default_value_uint32()) + "U";
case FieldDescriptor::CPPTYPE_INT64:
// gcc and llvm reject the decimal form of kint32min and kint64min.
if (field->default_value_int64() == LLONG_MIN) {
return "-0x8000000000000000LL";
}
Reported by FlawFinder.
Line: 966
Column: 14
CWE codes:
120
if (field->default_value_int64() == LLONG_MIN) {
return "-0x8000000000000000LL";
}
return StrCat(field->default_value_int64()) + "LL";
case FieldDescriptor::CPPTYPE_UINT64:
return StrCat(field->default_value_uint64()) + "ULL";
case FieldDescriptor::CPPTYPE_DOUBLE:
return HandleExtremeFloatingPoint(
SimpleDtoa(field->default_value_double()), false);
Reported by FlawFinder.
Line: 968
Column: 14
CWE codes:
120
}
return StrCat(field->default_value_int64()) + "LL";
case FieldDescriptor::CPPTYPE_UINT64:
return StrCat(field->default_value_uint64()) + "ULL";
case FieldDescriptor::CPPTYPE_DOUBLE:
return HandleExtremeFloatingPoint(
SimpleDtoa(field->default_value_double()), false);
case FieldDescriptor::CPPTYPE_FLOAT:
return HandleExtremeFloatingPoint(
Reported by FlawFinder.
Line: 1717
Column: 22
CWE codes:
120
if (!parser.ParseChunk(StringPiece(static_cast<const char*>(buf), buf_len))) {
*out_error =
std::string("error: ") + path +
" Line " + StrCat(parser.last_line()) + ", " + parser.error_str();
return false;
}
}
return parser.Finish();
}
Reported by FlawFinder.
Line: 115
Column: 34
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
// Even thought there are generation options, have an env back door since some
// of these helpers could be used in other plugins.
const char* use_package_cstr = getenv("GPB_OBJC_USE_PACKAGE_AS_PREFIX");
use_package_name_ =
(use_package_cstr && (std::string("YES") == ToUpper(use_package_cstr)));
const char* exception_path = getenv("GPB_OBJC_PACKAGE_PREFIX_EXCEPTIONS_PATH");
if (exception_path) {
Reported by FlawFinder.
Line: 119
Column: 32
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
use_package_name_ =
(use_package_cstr && (std::string("YES") == ToUpper(use_package_cstr)));
const char* exception_path = getenv("GPB_OBJC_PACKAGE_PREFIX_EXCEPTIONS_PATH");
if (exception_path) {
exception_path_ = exception_path;
}
}
Reported by FlawFinder.
Line: 172
Column: 27
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
Options::Options() {
// Default is the value of the env for the package prefixes.
const char* file_path = getenv("GPB_OBJC_EXPECTED_PACKAGE_PREFIXES");
if (file_path) {
expected_prefixes_path = file_path;
}
const char* suppressions = getenv("GPB_OBJC_EXPECTED_PACKAGE_PREFIXES_SUPPRESSIONS");
if (suppressions) {
Reported by FlawFinder.
Line: 176
Column: 30
CWE codes:
807
20
Suggestion:
Check environment variables carefully before using them
if (file_path) {
expected_prefixes_path = file_path;
}
const char* suppressions = getenv("GPB_OBJC_EXPECTED_PACKAGE_PREFIXES_SUPPRESSIONS");
if (suppressions) {
expected_prefixes_suppressions =
Split(suppressions, ";", true);
}
}
Reported by FlawFinder.
Line: 68
Column: 38
CWE codes:
362
// in this port namespace to avoid ambiguous definition.
namespace posix {
#ifdef _WIN32
using ::google::protobuf::io::win32::open;
#else
using ::open;
#endif
} // namespace port
Reported by FlawFinder.
src/google/protobuf/compiler/java/java_message.cc
12 issues
Line: 114
Column: 19
CWE codes:
120
std::map<std::string, std::string> vars;
vars["identifier"] = UniqueFileScopeIdentifier(descriptor_);
vars["index"] = StrCat(descriptor_->index());
vars["classname"] = name_resolver_->GetImmutableClassName(descriptor_);
if (descriptor_->containing_type() != NULL) {
vars["parent"] = UniqueFileScopeIdentifier(descriptor_->containing_type());
}
if (MultipleJavaFiles(descriptor_->file(), /* immutable = */ true)) {
Reported by FlawFinder.
Line: 158
Column: 19
CWE codes:
120
int bytecode_estimate = 0;
std::map<std::string, std::string> vars;
vars["identifier"] = UniqueFileScopeIdentifier(descriptor_);
vars["index"] = StrCat(descriptor_->index());
vars["classname"] = name_resolver_->GetImmutableClassName(descriptor_);
if (descriptor_->containing_type() != NULL) {
vars["parent"] = UniqueFileScopeIdentifier(descriptor_->containing_type());
}
Reported by FlawFinder.
Line: 424
Column: 27
CWE codes:
120
vars["oneof_name"] = context_->GetOneofGeneratorInfo(oneof)->name;
vars["oneof_capitalized_name"] =
context_->GetOneofGeneratorInfo(oneof)->capitalized_name;
vars["oneof_index"] = StrCat((oneof)->index());
// oneofCase_ and oneof_
printer->Print(vars,
"private int $oneof_name$Case_ = 0;\n"
"private java.lang.Object $oneof_name$_;\n");
// OneofCase enum
Reported by FlawFinder.
Line: 444
Column: 11
CWE codes:
120
"$deprecation$$field_name$($field_number$),\n", "deprecation",
field->options().deprecated() ? "@java.lang.Deprecated " : "",
"field_name", ToUpper(field->name()), "field_number",
StrCat(field->number()));
}
printer->Print("$cap_oneof_name$_NOT_SET(0);\n", "cap_oneof_name",
ToUpper(vars["oneof_name"]));
printer->Print(vars,
"private final int value;\n"
Reported by FlawFinder.
Line: 470
Column: 38
CWE codes:
120
for (int j = 0; j < (oneof)->field_count(); j++) {
const FieldDescriptor* field = (oneof)->field(j);
printer->Print(" case $field_number$: return $field_name$;\n",
"field_number", StrCat(field->number()),
"field_name", ToUpper(field->name()));
}
printer->Print(
" case 0: return $cap_oneof_name$_NOT_SET;\n"
" default: return null;\n"
Reported by FlawFinder.
Line: 502
Column: 30
CWE codes:
120
for (int i = 0; i < descriptor_->field_count(); i++) {
printer->Print("public static final int $constant_name$ = $number$;\n",
"constant_name", FieldConstantName(descriptor_->field(i)),
"number", StrCat(descriptor_->field(i)->number()));
printer->Annotate("constant_name", descriptor_->field(i));
field_generators_.get(descriptor_->field(i)).GenerateMembers(printer);
printer->Print("\n");
}
Reported by FlawFinder.
Line: 773
Column: 18
CWE codes:
120
void ImmutableMessageGenerator::GenerateSerializeOneExtensionRange(
io::Printer* printer, const Descriptor::ExtensionRange* range) {
printer->Print("extensionWriter.writeUntil($end$, output);\n", "end",
StrCat(range->end));
}
// ===================================================================
void ImmutableMessageGenerator::GenerateBuilder(io::Printer* printer) {
Reported by FlawFinder.
Line: 847
Column: 21
CWE codes:
120
printer->Print(
"case $number$:\n"
" return internalGet$capitalized_name$();\n",
"number", StrCat(field->number()), "capitalized_name",
info->capitalized_name);
}
printer->Print(
"default:\n"
" throw new RuntimeException(\n"
Reported by FlawFinder.
Line: 1051
Column: 22
CWE codes:
120
for (int j = 0; j < (oneof)->field_count(); j++) {
const FieldDescriptor* field = (oneof)->field(j);
printer->Print("case $field_number$:\n", "field_number",
StrCat(field->number()));
printer->Indent();
field_generators_.get(field).GenerateEqualsCode(printer);
printer->Print("break;\n");
printer->Outdent();
}
Reported by FlawFinder.
Line: 1125
Column: 22
CWE codes:
120
for (int j = 0; j < (oneof)->field_count(); j++) {
const FieldDescriptor* field = (oneof)->field(j);
printer->Print("case $field_number$:\n", "field_number",
StrCat(field->number()));
printer->Indent();
field_generators_.get(field).GenerateHashCode(printer);
printer->Print("break;\n");
printer->Outdent();
}
Reported by FlawFinder.
php/ext/google/protobuf/def.c
11 issues
Line: 1080
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
OneofDescriptor_class_entry->ce_flags |= ZEND_ACC_FINAL;
OneofDescriptor_class_entry->create_object = CreateHandler_ReturnNull;
h = &OneofDescriptor_object_handlers;
memcpy(h, &std_object_handlers, sizeof(zend_object_handlers));
h->dtor_obj = &OneofDescriptor_destructor;
INIT_CLASS_ENTRY(tmp_ce, "Google\\Protobuf\\EnumValueDescriptor",
EnumValueDescriptor_methods);
EnumValueDescriptor_class_entry = zend_register_internal_class(&tmp_ce);
Reported by FlawFinder.
Line: 1089
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
EnumValueDescriptor_class_entry->ce_flags |= ZEND_ACC_FINAL;
EnumValueDescriptor_class_entry->create_object = CreateHandler_ReturnNull;
h = &EnumValueDescriptor_object_handlers;
memcpy(h, &std_object_handlers, sizeof(zend_object_handlers));
INIT_CLASS_ENTRY(tmp_ce, "Google\\Protobuf\\EnumDescriptor",
EnumDescriptor_methods);
EnumDescriptor_class_entry = zend_register_internal_class(&tmp_ce);
EnumDescriptor_class_entry->ce_flags |= ZEND_ACC_FINAL;
Reported by FlawFinder.
Line: 1097
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
EnumDescriptor_class_entry->ce_flags |= ZEND_ACC_FINAL;
EnumDescriptor_class_entry->create_object = CreateHandler_ReturnNull;
h = &EnumDescriptor_object_handlers;
memcpy(h, &std_object_handlers, sizeof(zend_object_handlers));
h->dtor_obj = &EnumDescriptor_destructor;
INIT_CLASS_ENTRY(tmp_ce, "Google\\Protobuf\\Descriptor",
Descriptor_methods);
Reported by FlawFinder.
Line: 1107
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
Descriptor_class_entry->ce_flags |= ZEND_ACC_FINAL;
Descriptor_class_entry->create_object = CreateHandler_ReturnNull;
h = &Descriptor_object_handlers;
memcpy(h, &std_object_handlers, sizeof(zend_object_handlers));
h->dtor_obj = Descriptor_destructor;
INIT_CLASS_ENTRY(tmp_ce, "Google\\Protobuf\\FieldDescriptor",
FieldDescriptor_methods);
FieldDescriptor_class_entry = zend_register_internal_class(&tmp_ce);
Reported by FlawFinder.
Line: 1116
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
FieldDescriptor_class_entry->ce_flags |= ZEND_ACC_FINAL;
FieldDescriptor_class_entry->create_object = CreateHandler_ReturnNull;
h = &FieldDescriptor_object_handlers;
memcpy(h, &std_object_handlers, sizeof(zend_object_handlers));
h->dtor_obj = &FieldDescriptor_destructor;
INIT_CLASS_ENTRY(tmp_ce, "Google\\Protobuf\\DescriptorPool",
DescriptorPool_methods);
DescriptorPool_class_entry = zend_register_internal_class(&tmp_ce);
Reported by FlawFinder.
Line: 1125
Column: 3
CWE codes:
120
Suggestion:
Make sure destination can always hold the source data
DescriptorPool_class_entry->ce_flags |= ZEND_ACC_FINAL;
DescriptorPool_class_entry->create_object = DescriptorPool_create;
h = &DescriptorPool_object_handlers;
memcpy(h, &std_object_handlers, sizeof(zend_object_handlers));
h->dtor_obj = DescriptorPool_destructor;
INIT_CLASS_ENTRY(tmp_ce, "Google\\Protobuf\\Internal\\DescriptorPool",
InternalDescriptorPool_methods);
InternalDescriptorPool_class_entry = zend_register_internal_class(&tmp_ce);
Reported by FlawFinder.
Line: 166
Column: 52
CWE codes:
126
} else {
char *classname =
GetPhpClassname(upb_enumdef_file(m), upb_enumdef_fullname(m));
zend_string *str = zend_string_init(classname, strlen(classname), 0);
zend_class_entry *ce = zend_lookup_class(str); // May autoload the class.
zend_string_release (str);
if (!ce) {
Reported by FlawFinder.
Line: 517
Column: 50
CWE codes:
126
static zend_class_entry *Descriptor_GetGeneratedClass(const upb_msgdef *m) {
char *classname =
GetPhpClassname(upb_msgdef_file(m), upb_msgdef_fullname(m));
zend_string *str = zend_string_init(classname, strlen(classname), 0);
zend_class_entry *ce = zend_lookup_class(str); // May autoload the class.
zend_string_release (str);
if (!ce) {
Reported by FlawFinder.
Line: 808
Column: 37
CWE codes:
126
return;
}
str = zend_string_init(classname, strlen(classname), 0);
ce = zend_lookup_class(str); // May autoload the class.
zend_string_release (str);
if (!ce) {
RETURN_NULL();
Reported by FlawFinder.
Line: 837
Column: 37
CWE codes:
126
return;
}
str = zend_string_init(classname, strlen(classname), 0);
ce = zend_lookup_class(str); // May autoload the class.
zend_string_release (str);
if (!ce) {
RETURN_NULL();
Reported by FlawFinder.
java/core/src/test/java/com/google/protobuf/BinaryProtocolTest.java
11 issues
Line: 48
public void setup() {
TestSchemas.registerGenericProto2Schemas();
Protobuf.getInstance()
.registerSchemaOverride(Proto3Message.class, TestSchemas.genericProto3Schema);
}
@Test
public void proto3Roundtrip() throws Exception {
Reported by PMD.
Line: 53
}
@Test
public void proto3Roundtrip() throws Exception {
Proto3Message expected = new Proto3MessageFactory(5, 10, 2, 2).newMessage();
byte[] expectedBytes = expected.toByteArray();
// Deserialize with BinaryReader and verify that the message matches the original.
Proto3Message result =
Reported by PMD.
Line: 53
}
@Test
public void proto3Roundtrip() throws Exception {
Proto3Message expected = new Proto3MessageFactory(5, 10, 2, 2).newMessage();
byte[] expectedBytes = expected.toByteArray();
// Deserialize with BinaryReader and verify that the message matches the original.
Proto3Message result =
Reported by PMD.
Line: 60
// Deserialize with BinaryReader and verify that the message matches the original.
Proto3Message result =
ExperimentalSerializationUtil.fromByteArray(expectedBytes, Proto3Message.class);
assertThat(result).isEqualTo(expected);
// Now write it back out using BinaryWriter and verify the output length.
byte[] actualBytes = ExperimentalSerializationUtil.toByteArray(result);
assertThat(actualBytes).hasLength(expectedBytes.length);
Reported by PMD.
Line: 64
// Now write it back out using BinaryWriter and verify the output length.
byte[] actualBytes = ExperimentalSerializationUtil.toByteArray(result);
assertThat(actualBytes).hasLength(expectedBytes.length);
// Read back in the bytes and verify that it matches the original message.
Proto3Message actual = Proto3Message.parseFrom(actualBytes);
assertThat(actual).isEqualTo(expected);
}
Reported by PMD.
Line: 68
// Read back in the bytes and verify that it matches the original message.
Proto3Message actual = Proto3Message.parseFrom(actualBytes);
assertThat(actual).isEqualTo(expected);
}
@Test
public void proto2Roundtrip() throws Exception {
Proto2Message expected = new Proto2MessageFactory(5, 10, 2, 2).newMessage();
Reported by PMD.
Line: 72
}
@Test
public void proto2Roundtrip() throws Exception {
Proto2Message expected = new Proto2MessageFactory(5, 10, 2, 2).newMessage();
byte[] expectedBytes = expected.toByteArray();
// Deserialize with BinaryReader and verify that the message matches the original.
Proto2Message result =
Reported by PMD.
Line: 72
}
@Test
public void proto2Roundtrip() throws Exception {
Proto2Message expected = new Proto2MessageFactory(5, 10, 2, 2).newMessage();
byte[] expectedBytes = expected.toByteArray();
// Deserialize with BinaryReader and verify that the message matches the original.
Proto2Message result =
Reported by PMD.
Line: 79
// Deserialize with BinaryReader and verify that the message matches the original.
Proto2Message result =
ExperimentalSerializationUtil.fromByteArray(expectedBytes, Proto2Message.class);
assertThat(result).isEqualTo(expected);
// Now write it back out using BinaryWriter and verify the output length.
byte[] actualBytes = ExperimentalSerializationUtil.toByteArray(result);
assertThat(actualBytes).hasLength(expectedBytes.length);
Reported by PMD.
Line: 83
// Now write it back out using BinaryWriter and verify the output length.
byte[] actualBytes = ExperimentalSerializationUtil.toByteArray(result);
assertThat(actualBytes).hasLength(expectedBytes.length);
// Read back in the bytes and verify that it matches the original message.
Proto2Message actual = Proto2Message.parseFrom(actualBytes);
assertThat(actual).isEqualTo(expected);
}
Reported by PMD.
src/google/protobuf/compiler/subprocess.cc
11 issues
Line: 280
CWE codes:
908
(LPSTR)&message, // NOT A BUG!
0, NULL);
std::string result = message;
LocalFree(message);
return result;
}
// ===================================================================
Reported by Cppcheck.
Line: 282
CWE codes:
908
std::string result = message;
LocalFree(message);
return result;
}
// ===================================================================
#else // _WIN32
Reported by Cppcheck.
Line: 59
Column: 5
CWE codes:
120
Suggestion:
Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused)
char* portable_strdup(const char* s) {
char* ns = (char*)malloc(strlen(s) + 1);
if (ns != NULL) {
strcpy(ns, s);
}
return ns;
}
} // namespace
Reported by FlawFinder.
Line: 329
Column: 9
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
switch (search_mode) {
case SEARCH_PATH:
execvp(argv[0], argv);
break;
case EXACT_NAME:
execv(argv[0], argv);
break;
}
Reported by FlawFinder.
Line: 332
Column: 9
CWE codes:
78
Suggestion:
try using a library call that implements the same functionality if available
execvp(argv[0], argv);
break;
case EXACT_NAME:
execv(argv[0], argv);
break;
}
// Write directly to STDERR_FILENO to avoid stdio code paths that may do
// stuff that is unsafe here.
Reported by FlawFinder.
Line: 218
Column: 7
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
child_stdin_ = NULL;
}
} else if (signaled_handle == child_stdout_) {
char buffer[4096];
DWORD n;
if (!ReadFile(child_stdout_, buffer, sizeof(buffer), &n, NULL)) {
// We're done reading. Close.
CloseHandleOrDie(child_stdout_);
Reported by FlawFinder.
Line: 417
Column: 7
CWE codes:
119
120
Suggestion:
Perform bounds checking, use functions that limit length, or ensure that the size is larger than the maximum possible length
}
if (child_stdout_ != -1 && FD_ISSET(child_stdout_, &read_fds)) {
char buffer[4096];
int n = read(child_stdout_, buffer, sizeof(buffer));
if (n > 0) {
output_data.append(buffer, n);
} else {
Reported by FlawFinder.
Line: 57
Column: 28
CWE codes:
126
namespace {
char* portable_strdup(const char* s) {
char* ns = (char*)malloc(strlen(s) + 1);
if (ns != NULL) {
strcpy(ns, s);
}
return ns;
}
Reported by FlawFinder.
Line: 339
Column: 45
CWE codes:
126
// Write directly to STDERR_FILENO to avoid stdio code paths that may do
// stuff that is unsafe here.
int ignored;
ignored = write(STDERR_FILENO, argv[0], strlen(argv[0]));
const char* message =
": program not found or is not executable\n"
"Please specify a program using absolute path or make sure "
"the program is available in your PATH system variable\n";
ignored = write(STDERR_FILENO, message, strlen(message));
Reported by FlawFinder.
Line: 344
Column: 45
CWE codes:
126
": program not found or is not executable\n"
"Please specify a program using absolute path or make sure "
"the program is available in your PATH system variable\n";
ignored = write(STDERR_FILENO, message, strlen(message));
(void)ignored;
// Must use _exit() rather than exit() to avoid flushing output buffers
// that will also be flushed by the parent.
_exit(1);
Reported by FlawFinder.
ruby/src/main/java/com/google/protobuf/jruby/RubyBuilder.java
11 issues
Line: 124
@JRubyMethod(name = "add_file")
public IRubyObject addFile(ThreadContext context, IRubyObject name, IRubyObject options, Block block) {
RubyFileBuilderContext ctx = (RubyFileBuilderContext) cFileBuilderContext.newInstance(context, descriptorPool, name, options, Block.NULL_BLOCK);
ctx.instance_eval(context, block);
ctx.build(context);
return context.nil;
}
/*
Reported by PMD.
Line: 125
public IRubyObject addFile(ThreadContext context, IRubyObject name, IRubyObject options, Block block) {
RubyFileBuilderContext ctx = (RubyFileBuilderContext) cFileBuilderContext.newInstance(context, descriptorPool, name, options, Block.NULL_BLOCK);
ctx.instance_eval(context, block);
ctx.build(context);
return context.nil;
}
/*
* Used to trigger the build when using the deprecated syntax
Reported by PMD.
Line: 140
private void ensureDefaultFileBuilder(ThreadContext context) {
if (defaultFileBuilder == null) {
this.defaultFileBuilder = (RubyFileBuilderContext) cFileBuilderContext.newInstance(context, descriptorPool, context.runtime.newString("ruby_default_file.proto"), Block.NULL_BLOCK);
}
}
private RubyClass cFileBuilderContext;
private RubyDescriptorPool descriptorPool;
Reported by PMD.
Line: 144
}
}
private RubyClass cFileBuilderContext;
private RubyDescriptorPool descriptorPool;
private RubyFileBuilderContext defaultFileBuilder;
}
Reported by PMD.
Line: 144
}
}
private RubyClass cFileBuilderContext;
private RubyDescriptorPool descriptorPool;
private RubyFileBuilderContext defaultFileBuilder;
}
Reported by PMD.
Line: 145
}
private RubyClass cFileBuilderContext;
private RubyDescriptorPool descriptorPool;
private RubyFileBuilderContext defaultFileBuilder;
}
Reported by PMD.
Line: 146
private RubyClass cFileBuilderContext;
private RubyDescriptorPool descriptorPool;
private RubyFileBuilderContext defaultFileBuilder;
}
Reported by PMD.
Line: 35
package com.google.protobuf.jruby;
import org.jruby.*;
import org.jruby.anno.JRubyClass;
import org.jruby.anno.JRubyMethod;
import org.jruby.runtime.*;
import org.jruby.runtime.builtin.IRubyObject;
Reported by PMD.
Line: 38
import org.jruby.*;
import org.jruby.anno.JRubyClass;
import org.jruby.anno.JRubyMethod;
import org.jruby.runtime.*;
import org.jruby.runtime.builtin.IRubyObject;
@JRubyClass(name = "Builder")
public class RubyBuilder extends RubyObject {
public static void createRubyBuilder(Ruby runtime) {
Reported by PMD.
Line: 45
public class RubyBuilder extends RubyObject {
public static void createRubyBuilder(Ruby runtime) {
RubyModule internal = runtime.getClassFromPath("Google::Protobuf::Internal");
RubyClass cBuilder = internal.defineClassUnder("Builder", runtime.getObject(), new ObjectAllocator() {
@Override
public IRubyObject allocate(Ruby runtime, RubyClass klazz) {
return new RubyBuilder(runtime, klazz);
}
});
Reported by PMD.