Skip to content

Fix Codacy findings: bounded read helpers, remove cppcheck suppressions, and harden mk_kelf.sh#79

Merged
NathanNeurotic merged 1 commit into
mainfrom
codex/locate-remaining-codacy-findings
Jan 7, 2026
Merged

Fix Codacy findings: bounded read helpers, remove cppcheck suppressions, and harden mk_kelf.sh#79
NathanNeurotic merged 1 commit into
mainfrom
codex/locate-remaining-codacy-findings

Conversation

@NathanNeurotic

Copy link
Copy Markdown
Owner

Motivation

  • Eliminate unsafe or ambiguous buffer-read loops that triggered Codacy CWE-120/CWE-20 findings by making bounds explicit.
  • Remove ad-hoc analyzer suppression comments and suppression-list usage so static analysis sees real code behavior.
  • Prevent dangerous rm -rf expansion in archive creation by ensuring DATE, SHA8, and TARGET are set and non-empty.
  • Keep behavior unchanged while making the code analyzer-friendly and safer for CI scans.

Description

  • Reworked the bounded-read helper in src/util_safeio.c so safe_read_loop uses size_t-based max_payload, caps each read() by remaining capacity, returns on read errors, stops on EOF, and always NUL-terminates when requested.
  • Removed inline cppcheck suppression comments from src/OSDHistory.c and switched the code to call the bounded helper safe_read_fully_bin.
  • Removed suppression-list flags from scripts/cppcheck.sh and updated README.md guidance to direct Codacy to shim headers rather than using suppression lists.
  • Hardened mk_kelf.sh by adding precondition checks for DATE, SHA8, and TARGET, checking for unsafe TARGET values, and using rm -rf -- "${TARGET:?}/" to avoid empty/root expansion.

Testing

  • Ran a repository search for suppression annotations with rg -n "cppcheck-suppress" and confirmed no occurrences remain; this check passed (no results).
  • Verified scripts/cppcheck.sh no longer passes a suppression list by inspecting the script content (scripts/cppcheck.sh lines 20–28) and updated README.md guidance accordingly; this check passed.
  • Inspected src/util_safeio.c to confirm the read loop caps payload with size_t and NUL-terminates when requested (src/util_safeio.c read loop region); this check passed.
  • Confirmed mk_kelf.sh contains : "${DATE:?DATE is unset or empty}", : "${SHA8:?SHA8 is unset or empty}", and uses rm -rf -- "${TARGET:?}/" to prevent unsafe expansion (mk_kelf.sh guards and rm -rf lines); this check passed.

Codex Task

@codacy-production

Copy link
Copy Markdown

Codacy's Analysis Summary

0 new issue (≤ 0 issue)
0 new security issue
0 complexity
0 duplications

Review Pull Request in Codacy →

AI Reviewer available: add the codacy-review label to get contextual insights without leaving GitHub.

@NathanNeurotic NathanNeurotic merged commit e85e6ee into main Jan 7, 2026
49 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant