jmakhack / myanimelist-cli

Minimalistic command line interface for fetching user anime data from MyAnimeList.
https://aur.archlinux.org/packages/mya-git
MIT License

[TASK] Fix adding checks for buffer overflows when copying to destinations [MS-banned] (CWE-120) #70

Closed jmakhack closed 1 year ago

jmakhack commented 1 year ago

Task Context

The Codacy Static Code Analysis reports the following error in the codebase: Does not check for buffer overflows when copying to destination [MS-banned] (CWE-120). Consider using snprintf, strcpy_s, or strlcpy (warning: strncpy easily misused). Risk is low because the source is a constant character.

More details can be found here: https://app.codacy.com/gh/jmakhack/myanimelist-cli/issues?bid=22863233&filters=W3siaWQiOiJMYW5ndWFnZSIsInZhbHVlcyI6W119LHsiaWQiOiJDYXRlZ29yeSIsInZhbHVlcyI6WyJTZWN1cml0eSJdfSx7ImlkIjoiTGV2ZWwiLCJ2YWx1ZXMiOltdfSx7ImlkIjoiUGF0dGVybiIsInZhbHVlcyI6WyI2NTg1Il19LHsiaWQiOiJBdXRob3IiLCJ2YWx1ZXMiOltdfV0=

Acceptance Criteria

The acceptance criteria for this task are to fix the issues mentioned in the Codacy link. After opening a pull request, the Codacy check will automatically run to see if the issues were fixed.

Additional Context

Please read through the Contributing to the Project document before working on this project.

For any questions or discussions, join the Discord to meet and engage with other contributors!


The-Debarghya commented 1 year ago

The strcpy functions must be replaced with strncpy with a specified buffer length and strcat with strncat, so if you can mention how much buffer I should keep, then I can fix this.

jmakhack commented 1 year ago

In most cases, we're copying over a static string value so n should just be the length of that string. For the strcpy(uri, json_object_get_string(next)); case, n=150 should be a good amount for the buffer.
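As an added illustration of the fix the Codacy message asks for (this is example code written for this page, not code from the myanimelist-cli project): a snprintf-based bounded copy and append whose bound is the destination buffer size, so a source that is longer than expected is truncated and reported rather than written past the end of the buffer, plus a small helper showing the strncpy misuse the warning refers to, where an n equal to the source length leaves the destination without a terminator. The 150-byte buffer size, the URI base string, the username and every function name here are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Destination size for the uri buffer; 150 is the value proposed in the
   thread (the real buffer size in the project is an assumption here). */
#define URI_BUF_SIZE 150

/* Bounded replacement for strcpy(dst, src): always NUL-terminates dst and
   reports whether the whole source fit. snprintf returns the length the
   full output would have had, so any value >= dst_size means truncation. */
bool safe_copy(char *dst, size_t dst_size, const char *src) {
    if (dst == NULL || src == NULL || dst_size == 0) return false;
    int needed = snprintf(dst, dst_size, "%s", src);
    return needed >= 0 && (size_t)needed < dst_size;
}

/* Bounded replacement for strcat(dst, src): takes the size of the whole
   destination, so the caller never computes the remaining space by hand
   (passing sizeof dst to strncat instead of the space left is the usual
   mistake with that function). */
bool safe_append(char *dst, size_t dst_size, const char *src) {
    if (dst == NULL || dst_size == 0) return false;
    const char *end = memchr(dst, '\0', dst_size);
    if (end == NULL) return false;            /* dst is not a valid C string */
    size_t used = (size_t)(end - dst);
    return safe_copy(dst + used, dst_size - used, src);
}

/* Builds "<base><username>" the way an API URI might be assembled.
   Returns the resulting length, or -1 if the result would not fit. */
int build_uri(char *out, size_t out_size, const char *base, const char *username) {
    if (!safe_copy(out, out_size, base)) return -1;
    if (!safe_append(out, out_size, username)) return -1;
    return (int)strlen(out);
}

/* Wrapper with an internal URI_BUF_SIZE buffer so the result can be
   checked without the caller allocating a buffer. */
int demo_uri_length(const char *base, const char *username) {
    char uri[URI_BUF_SIZE];
    return build_uri(uri, sizeof uri, base, username);
}

/* Shows the strncpy pitfall the Codacy message warns about: with n equal
   to strlen(src) no terminator is written, so the result is not a C string;
   with n one larger the terminator is included. The demonstration buffer is
   16 bytes, so n larger than that is rejected instead of overflowing it. */
bool strncpy_wrote_terminator(const char *src, size_t n) {
    char buf[16];
    if (n > sizeof buf) return false;
    memset(buf, 'X', sizeof buf);             /* no NUL anywhere beforehand */
    strncpy(buf, src, n);
    return memchr(buf, '\0', sizeof buf) != NULL;
}

/* Truncation check: copies a constructed string of src_len 'a' characters
   into a URI_BUF_SIZE buffer and returns the length actually stored. */
int copied_length(size_t src_len) {
    char src[URI_BUF_SIZE * 2 + 1];
    char dst[URI_BUF_SIZE];
    if (src_len >= sizeof src) return -1;
    memset(src, 'a', src_len);
    src[src_len] = '\0';
    safe_copy(dst, sizeof dst, src);          /* may truncate, never overflows */
    return (int)strlen(dst);
}

int main(void) {
    char uri[URI_BUF_SIZE];
    int len = build_uri(uri, sizeof uri, "https://api.example.test/v2/users/", "someuser");
    printf("uri=%s len=%d\n", uri, len);
    printf("300-byte source stored as %d bytes\n", copied_length(300));
    printf("strncpy with n == strlen(src) terminated: %s\n",
           strncpy_wrote_terminator("abcdef", 6) ? "yes" : "no");
    return 0;
}
```

The point of the return values is that a caller can distinguish "copied" from "truncated" and fail the request instead of sending a silently shortened URI; the strncpy helper is only there to show why the bound must be the destination size rather than the source length.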