Use open then fdopen to avoid TOCTOU code scanning alert.
a-h-abdelsalam authored and timopollmeier committed Sep 23, 2024
1 parent 5c8772f commit 99fe1b3
Showing 1 changed file with 10 additions and 9 deletions.
19 changes: 10 additions & 9 deletions src/manage_sql_secinfo.c
Expand Up @@ -3371,20 +3371,20 @@ if (failure_condition) { \
static int
update_epss_scores ()
{
GStatBuf state;
gchar *current_json_path;
gchar *error_message = NULL;

FILE *epss_scores_file;
cJSON *epss_entry;
gvm_json_pull_event_t event;
gvm_json_pull_parser_t parser;
gvm_json_path_elem_t *path_tail = NULL;
inserts_t inserts;

current_json_path = g_build_filename (GVM_SCAP_DATA_DIR,
"epss-scores-current.json",
NULL);
if (g_stat (current_json_path, &state))
int fd = open(current_json_path, O_RDONLY);


if (fd < 0)
{
int ret;
if (errno == ENOENT)
Expand All @@ -3395,21 +3395,22 @@ update_epss_scores ()
}
else
{
g_warning ("%s: Failed to stat EPSS scores file: %s",
__func__, strerror (errno));
g_warning ("%s: Failed to open EPSS scores file: %s",

__func__, strerror (errno));
ret = -1;
}
g_free (current_json_path);
g_free (current_json_path);

return ret;
}

epss_scores_file = fopen (current_json_path, "r");
epss_scores_file = fdopen(fd, "r");

if (epss_scores_file == NULL)
{
g_warning ("%s: Failed to open EPSS scores file: %s",
g_warning ("%s: Failed to convert file descriptor to FILE*: %s",

__func__,
strerror (errno));
g_free (current_json_path);
close(fd);
return -1;

}

Expand All @@ -3427,7 +3428,7 @@ update_epss_scores ()
while (!epss_scores_found)
{
gvm_json_pull_parser_next (&parser, &event);
path_tail = g_queue_peek_tail (event.path);
gvm_json_path_elem_t *path_tail = g_queue_peek_tail (event.path);

if (event.type == GVM_JSON_PULL_EVENT_ARRAY_START
&& path_tail && strcmp (path_tail->key, "epss_scores") == 0)

{
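Review bot: The new `open(current_json_path, O_RDONLY)` in the first hunk (new line 3385) leaves the descriptor inheritable across exec, so any helper this process later spawns would inherit a handle on the scores file; `int fd = open (current_json_path, O_RDONLY | O_CLOEXEC);` closes that gap at no cost. Once `fdopen` succeeds the descriptor is owned by the stream and is presumably released by an `fclose` further down the function, so a comment after the `fdopen` line would guard against a future double close: `/* fd is now owned by epss_scores_file; fclose () releases it. */`. As a point of style, `open(`, `fdopen(` and `close(fd)` omit the space before the parenthesis that the surrounding GNU-style calls (`fopen (`, `g_free (`, `g_warning (`) use. The body of update_epss_scores continues past the last hunk.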
