potentially multiple vulnerabilities (14)
Opened this issue · 6 comments
Use of Snyk revealed a number of vulnerabilities; can the software be updated with a patched version?
The vulnerabilities were not validated against real-world exploitability.
- Command Injection: 6
- Path Traversal: 5
- Missing Release of Memory after Effective Lifetime: 2
- Regular Expression Denial of Service (ReDoS): 1
The 'Missing Release of Memory after Effective Lifetime' finding appears in tests/ui, but the klogg app did quit unexpectedly after being open for a few days with a number of log files loaded.
Hi, do you have some more details? What parts of the code triggered the tool to produce a report?
Most (11) are found in Python.
3 are found in C++.
For C++ the findings are in tests/ui (2) and in tests/helpers:
- test/ui/logdata_test.cpp
- tests/ui/qtests_main.cpp
- tests/helpers/file_write_helper.cpp
[update] Snyk only allows creating a report with the Enterprise license, which I don't have.
It takes about 15 minutes to set up Snyk with VS Code, in case that applies to your environment.
I'm looking into how to share the results; one way could be to invite you as a member to the project on Snyk.
Let me know if you want to explore this possibility.
Path Traversal
Snyk Code [CWE-23](https://cwe.mitre.org/data/definitions/23.html)
Unsanitized input from a command line argument flows into QFile, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to read arbitrary files.
klogg/tests/helpers/file_write_helper.cpp, line 44:
```cpp
QFile file{ argv[ 1 ] };
```
Validating the input to only allow permitted and purposeful file types and/or relative paths, when applicable, seems sensible.
Missing Release of Memory after Effective Lifetime
Snyk Code [CWE-401](https://cwe.mitre.org/data/definitions/401.html)
Leaking memory. TestRunner is allocated on the heap and never freed.
klogg/tests/ui/qtests_main.cpp, line 98:
```cpp
TestRunner* runner = new TestRunner( argc, argv );
```
After being open for a few days, klogg suddenly crashed in the middle of an analysis; this may be true.
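As an added example (not code from klogg, from the test helper, or from the Snyk report), one way to implement the "relative paths only" validation suggested in the comment above: resolve the command-line argument against a fixed base directory and refuse anything that escapes it, including `..` sequences and symlinks that point outside. The example uses `std::filesystem` instead of `QFile` so it builds without Qt; the scratch base directory under the system temp dir and the function names `confineToBase` and `demoBase` are assumptions made for this example. It also shows why the containment test must compare path components rather than string prefixes, a point the report does not spell out.

```cpp
#include <filesystem>
#include <iostream>
#include <optional>
#include <string>
#include <system_error>

namespace fs = std::filesystem;

// Resolve a user-controlled relative path (the flagged helper takes it from
// argv[1]) against a fixed base directory. Returns the resolved absolute path
// only if it stays inside the base directory; otherwise std::nullopt.
// weakly_canonical() follows symlinks for the part of the path that exists,
// so a link pointing outside the base is rejected as well, not just "..".
std::optional<fs::path> confineToBase(const fs::path& baseDir, const fs::path& userPath) {
    std::error_code ec;
    fs::path base = fs::weakly_canonical(baseDir, ec);
    if (ec || base.empty()) return std::nullopt;
    // A trailing separator would leave an empty last component; drop it so
    // the component-wise comparison below lines up.
    if (!base.has_filename()) base = base.parent_path();

    // The helper only ever needs a file name relative to its working area,
    // so absolute arguments are refused outright.
    if (userPath.is_absolute()) return std::nullopt;

    const fs::path candidate = fs::weakly_canonical(base / userPath, ec);
    if (ec) return std::nullopt;

    // Compare path components, not string prefixes: a string prefix test would
    // accept "/tmp/base_evil/x" as being under "/tmp/base".
    auto b = base.begin();
    auto c = candidate.begin();
    for (; b != base.end(); ++b, ++c) {
        if (c == candidate.end() || *b != *c) return std::nullopt;
    }
    // Resolving to the base directory itself (e.g. argv[1] == ".") is not a
    // usable file either.
    if (c == candidate.end()) return std::nullopt;
    return candidate;
}

// Creates (if needed) and returns a scratch base directory under the system
// temp dir, so the example runs without any setup. The directory name is an
// arbitrary choice for this example, not anything klogg uses.
fs::path demoBase() {
    const fs::path base = fs::temp_directory_path() / "klogg_confine_example";
    fs::create_directories(base);
    return base;
}

int main(int argc, char* argv[]) {
    if (argc < 2) {
        std::cerr << "usage: " << argv[0] << " <relative-path>\n";
        return 2;
    }
    // Same shape as the flagged helper: argv[1] becomes a file path, but only
    // after confinement instead of going straight into the file constructor.
    if (auto p = confineToBase(demoBase(), argv[1])) {
        std::cout << "ok: " << p->string() << '\n';
        return 0;
    }
    std::cerr << "rejected: " << argv[1] << " escapes " << demoBase().string() << '\n';
    return 1;
}
```

Run it as `./confine logs/app.log` to see an accepted path and as `./confine ../../etc/passwd` or `./confine /etc/passwd` to see the rejection. The component-wise loop is the part worth keeping even if the rest changes: checking `candidate.string().rfind(base.string(), 0) == 0` would let a sibling directory whose name merely starts with the base name slip through.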
Thanks for the additional information. Neither the Python scripts nor the tests are part of the klogg distribution; they are part of the build pipeline. So there is not much to fix for end users.
> one way could be to invite you as a member to the project on Snyk

Could you do that?