containers
Code issues
Running bubblewrap through the static code analytics tool sonarqube revealed some areas that need a closer look: https://sonarcloud.io/dashboard?id=noppnopp_bubblewrap
If I am not mistaken, the "vulnerabilities" listed regarding strcpy and strcat are not exploitable since the checks are done manually. On the other hand I am not aware of any reason not to use strncpy instead to be save.
There are some other areas that indicate further issues. I hope this can be helpful to impove the quality of the code.
The leak in utils.c is a false-positive.
Personally I think just dumping a link to what is most-likely bogus issues isn't helpful. If you find real issues submit a PR.
Is replacing strcpy with strncpy something you consider helpful? If so I will try to find the time to work on that, even if only to have bubblewrap comply with secure coding guidelines.
if you know any reason why this should not be change please tell me.
strncpy isn't silver bullet that can be applied with simple search & replace. For example:
Although choosing a suitable value for n ensures that strncpy() will never overrun dst, it turns out that strncpy() has problems of its own. Most notably, if there is no null terminator in the first n bytes of src, then strncpy() does not place a null terminator after the bytes copied to dst. If the programmer does not check for this event, and subsequent operations expect a null terminator to be present, then the program is once more vulnerable to attack. The vulnerability may be more difficult to exploit than a buffer overflow, but the security implications can be just as severe.
Usage of strncpy is deprecated in linux kernel.
strscpy is better replacement but it still needs understanding the code first.
More info avalaible at: https://lwn.net/Articles/507319/ https://lwn.net/Articles/659214/
