Compare commits

..

1 Commits

Author SHA1 Message Date
34501d913c fix(security): prevent CWE-134 format string injection
All checks were successful
CI Code / Check spelling (pull_request) Successful in 20s
CI Code / Check coding style (pull_request) Successful in 35s
CI Code / Code Coverage (pull_request) Successful in 4m45s
CI Code / Linux (debian) (pull_request) Successful in 6m7s
CI Code / Linux (ubuntu) (pull_request) Successful in 6m13s
CI Code / Linux (arch) (pull_request) Successful in 6m20s
- add "%s" to unsafe cons_show/log_*/win_println calls
- add check-cwe134.sh static analysis script
- integrate security check into CI pipeline

Closes #85
2026-02-05 18:57:50 +03:00

View File

@@ -144,6 +144,16 @@ scan-build make
scan-view ...
```
### Security checks
We have a static analyzer `check-cwe134.sh` that detects CWE-134 format string vulnerabilities. It runs automatically in CI but you can also run it locally:
```bash
./check-cwe134.sh
```
This checks for unsafe patterns where user-controlled data could be passed directly as a format string to functions like `cons_show`, `log_error`, `win_println`, etc. Always use `"%s"` format specifier when printing user data.
### Finding typos
We include a `.codespellrc` configuration file for `codespell` in the root directory.