AirSim Version/#commit: latest, but it appears in a much earlier version like v1.6.0-linux
UE/Unity version: 4.27
N/A
OS Version: Linux Ubuntu 18.04
What's the issue you encountered?
Dear developers,
When we use CodeQL (GitHub's own static code analysis tool) to analyze the project, it has reported an error from code that may cause breakdown. And we found that this potential error tends to exist in the project for a relatively long time. In this issue we will provide the error form a single file MavLinkCom/src/MavLinkLog.cpp, including its name, location and analysis steps (code data flow). Hopefully it will get your attention, and we are looking forward to further communication.
Settings
We use default settings.
How can the issue be reproduced?
Prepare everything by following the guidance of official docs of Build AirSim on Linux before running './build.sh'
Then use CodeQL create database command to establish database and set '--command = './build.sh'', it looks like: codeql database create new-database --language=<language> --command='./build.sh'
Please note that the process needs a clean build and may take a long time to finish. Using clean command and parallelization techniques based on your hardware environment may help you make it faster
Include full error message in text form
Because of the limit of GitHub, we cannot attach the original file directly. You can contact us by email to obtain it: 2654209843@qq.com
Here is its information that were reported as the most important, they are focused on untrusted-data-to-external-api-ir: Data provided remotely is used in this external API without sanitization, which could be a security risk, which is related to CWE-20. The <number:number> pattern means the specific location of code (e.g. read output argument novatel.c 2001:13, 'fread output argument' is code, '2001:13' is detailed location) in code file and it helps you to detect code data flow in program:
Bug report
What's the issue you encountered?
Dear developers,
When we use CodeQL (GitHub's own static code analysis tool) to analyze the project, it has reported an error from code that may cause breakdown. And we found that this potential error tends to exist in the project for a relatively long time. In this issue we will provide the error form a single file
MavLinkCom/src/MavLinkLog.cpp, including its name, location and analysis steps (code data flow). Hopefully it will get your attention, and we are looking forward to further communication.Settings
We use default settings.
How can the issue be reproduced?
codeql database create new-database --language=<language> --command='./build.sh'Include full error message in text form
untrusted-data-to-external-api-ir: Data provided remotely is used in this external API without sanitization, which could be a security risk, which is related toCWE-20. The<number:number>pattern means the specific location of code(e.g. read output argument novatel.c 2001:13, 'fread output argument' is code, '2001:13' is detailed location)in code file and it helps you to detect code data flow in program:fread output argument MavLinkLog.cpp 173:19 *msg [post update] [len] MavLinkLog.cpp 173:20 *msg [len] MavLinkLog.cpp 193:13 *msg [len] MavLinkLog.cpp 209:38 len MavLinkLog.cpp 209:38What's better than filing an issue? Filing a pull request :).