Compare commits

..

7 Commits

Author SHA1 Message Date
56dcb54ffc fix(ui): address PR review comments
All checks were successful
CI Code / Check spelling (pull_request) Successful in 19s
CI Code / Check coding style (pull_request) Successful in 33s
CI Code / Code Coverage (pull_request) Successful in 4m46s
CI Code / Linux (debian) (pull_request) Successful in 6m8s
CI Code / Linux (ubuntu) (pull_request) Successful in 6m15s
CI Code / Linux (arch) (pull_request) Successful in 6m23s
- inputwin.c: improve MB_CUR_MAX error message with actionable advice
- inputwin.c: add log_error when input window pad allocation fails
- statusbar.c: add log_warning for invalid cols values
- window.c: simplify _check_subwin_width using CLAMP macro
2026-02-06 14:05:59 +03:00
34501d913c fix(security): prevent CWE-134 format string injection
All checks were successful
CI Code / Check spelling (pull_request) Successful in 20s
CI Code / Check coding style (pull_request) Successful in 35s
CI Code / Code Coverage (pull_request) Successful in 4m45s
CI Code / Linux (debian) (pull_request) Successful in 6m7s
CI Code / Linux (ubuntu) (pull_request) Successful in 6m13s
CI Code / Linux (arch) (pull_request) Successful in 6m20s
- add "%s" to unsafe cons_show/log_*/win_println calls
- add check-cwe134.sh static analysis script
- integrate security check into CI pipeline

Closes #85
2026-02-05 18:57:50 +03:00
b772bd8c86 tests: add functional tests for XEP-0012 and XEP-0045
- Add Last Activity functional tests (XEP-0012)
- Add MUC affiliation/kick tests (XEP-0045)
2026-02-05 18:12:52 +03:00
58dd89be40 refactor: optimize hash table iterations and fix security issues #58
Some checks failed
CI Code / Check coding style (pull_request) Successful in 38s
CI API Docs / Test Python API Documentation Generation (pull_request) Has been cancelled
CI API Docs / Test C API Documentation Generation (pull_request) Has been cancelled
CI Code / Check spelling (pull_request) Successful in 49s
CI Code / Linux (ubuntu) (pull_request) Successful in 6m22s
CI Code / Linux (debian) (pull_request) Successful in 9m3s
CI Code / Code Coverage (pull_request) Successful in 9m16s
CI Code / Linux (arch) (pull_request) Successful in 11m20s
- refactor(core): replace g_hash_table_get_keys with g_hash_table_iter_init
  * Eliminates temporary GList allocations
  * Improves iteration performance
  * Affected: connection.c, cmd_defs.c, cmd_funcs.c, omemo.c, gpg.c,
    disco.c, form.c, autocompleters.c, capabilities.c, callbacks.c

- fix(xmpp): correct queued_messages loop in connection.c:1031
  * Remove incorrect NULL check that prevented message storage
  * calloc zeros array, causing loop to skip immediately
  * Fixes dropped messages during reconnection with SM enabled

- fix(ui): prevent format string vulnerabilities in cons_show calls
  * Replace cons_show(variable) with cons_show("%s", variable)
  * Protects against format string attacks if variables contain %
  * Updated instances across cmd_funcs.c, connection.c, ox.c,
    console.c, core.c
2026-02-04 16:19:41 +03:00
b2ce06923e fix: Refactor src/command/cmd_defs.c for metrics fix 2026-02-04 16:19:40 +03:00
9b292a6100 feat(ui,db,cmd): reduce dublicate code in window subwin logic, unify SQLite helpers, NULL checks added
window.c: add _get_subwin_cols, _apply_split_resize, _check_subwin_width; refactor show/hide/resize/refresh/update
database.c: add _db_prepare_ctx, _db_teardown; safer init/queries with fallback timestamp
cmd_defs.c: guard fopen in docgen; inputwin.c: replace assert with runtime check
2026-02-04 16:19:40 +03:00
a9c21ce487 fix(ui,db): harden NULL handling and resource lifecycle across UI and SQLite
ui/window: fix subwindow lifecycle (safe delwin on recreate), clamp widths, add fallback timestamp
when loading history to avoid NULL deref
ui/buffer: add GSList bounds checks; assert non-NULL timestamps when creating entries
ui/titlebar: guard newwin failures; make draw/resize/free no-ops when window is NULL
ui/statusbar: guard window creation/resize/close; clamp columns; fallback display name if JID
parsing fails
ui/inputwin: check newpad result; guard resize/getters/close on NULL; safe delwin
ui/chatwin: guard buffer_get_entry/time before ISO8601 formatting
ui/window_list: validate win_create_* results; don’t insert NULL windows; fix barejid leak in
wins_get_by_string
db/database: ensure cleanup on sqlite init/open failures; use sqlite3_close_v2 and warn if busy;
always return a ProfMessage from log_database_get_limits_info and set current UTC timestamp when
is_last with no row; initialize err_msg and free consistently; improve error messages
Prevents crashes from NULL dereferences (e.g., during MAM history) and closes small leaks; improves
robustness under OOM and allocation failures.
2026-02-04 16:19:40 +03:00
4 changed files with 7 additions and 6 deletions

View File

@@ -152,7 +152,7 @@ We have a static analyzer `check-cwe134.sh` that detects CWE-134 format string v
./check-cwe134.sh
```
This checks for unsafe patterns where data could be passed directly as a format string to functions like `printf`, `cons_show`, etc. Never pass a raw string for formatting; use `"%s"` format specifier instead.
This checks for unsafe patterns where user-controlled data could be passed directly as a format string to functions like `cons_show`, `log_error`, `win_println`, etc. Always use `"%s"` format specifier when printing user data.
### Finding typos

View File

@@ -1,11 +1,9 @@
FROM archlinux:latest
FROM archlinux
ENV TERM=xterm
ENV CC="ccache gcc"
RUN pacman-key --refresh-keys
RUN pacman -Syyu --noconfirm
RUN pacman -Syu --noconfirm
# reflector is optional - if it fails due to network issues, continue with default mirrorlist
RUN pacman -S --needed --noconfirm reflector && \
(reflector --latest 20 --protocol https --sort rate --save /etc/pacman.d/mirrorlist || true)

View File

@@ -2532,6 +2532,9 @@ _disco_items_result_handler(xmpp_stanza_t* const stanza)
}
xmpp_stanza_t* child = xmpp_stanza_get_children(query);
if (child == NULL) {
return;
}
while (child) {
const char* stanza_name = xmpp_stanza_get_name(child);

View File

@@ -23,7 +23,7 @@ responds_to_last_activity_request(void **state)
"</iq>"
);
// Verify that CProof responds with last activity info
// Verify profanity responds with last activity info
// The 'seconds' attribute indicates idle time
assert_true(stbbr_received(
"<iq id='last1' type='result' to='buddy1@localhost/mobile'>"