More CodeQL stuff (#777)

The idea is to move this into the `codeql` sub-branch upon the next
rebase.

Author: dscho

.github/codeql/codeql-config.yml

@@ -3,6 +3,9 @@ name: "CodeQL config"
 queries:
   - uses: security-extended
 
+paths-ignore:
+  - gitweb/**/*.js # GitWeb is not distributed
+
 query-filters:
   - exclude:
     # yes, this extra indentation is intentional

.github/workflows/codeql.yml

@@ -17,7 +17,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        language: ["cpp"]
+        language: ["cpp", "javascript", "go"]
 
     steps:
       - name: Checkout repository
@@ -29,7 +29,10 @@ jobs:
         env:
           jobname: codeql
 
-      # Initializes the CodeQL tools for scanning.
+      - uses: actions/setup-go@v5
+        if: matrix.language == 'go'
+
+        # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v3
         with:
@@ -42,6 +45,14 @@ jobs:
           cat /proc/cpuinfo
           make -j$(nproc)
 
+      - name: Build (Go)
+        if: matrix.language == 'go'
+        run: |
+          cat /proc/cpuinfo
+          cd contrib/persistent-https &&
+          go mod init git-remote-persistent-https &&
+          make -j$(nproc)
+
       - name: Perform CodeQL Analysis
         uses: github/codeql-action/analyze@v3
         with:
@@ -55,10 +66,10 @@ jobs:
       - name: publish sarif for debugging
         uses: actions/upload-artifact@v4
         with:
-          name: sarif-results
+          name: sarif-results-${{ matrix.language }}
           path: sarif-results
 
       - name: Upload SARIF
         uses: github/codeql-action/upload-sarif@v3
         with:
-         sarif_file: sarif-results/cpp.sarif
+         sarif_file: sarif-results/${{ matrix.language }}.sarif

builtin/am.c

@@ -434,33 +434,33 @@ static void am_load(struct am_state *state)
 	}
 
 	read_state_file(&sb, state, "keep", 1);
-	if (!strcmp(sb.buf, "t"))
+	if (!strcmp(sb.buf, "t")) // CodeQL [SM01932] justification: CodeQL is wrong here because the value is read from a file via strbuf_read() which does NUL-terminate the string, something CodeQL fails to understand
 		state->keep = KEEP_TRUE;
-	else if (!strcmp(sb.buf, "b"))
+	else if (!strcmp(sb.buf, "b")) // CodeQL [SM01932] justification: CodeQL is wrong here because the value is read from a file via strbuf_read() which does NUL-terminate the string, something CodeQL fails to understand
 		state->keep = KEEP_NON_PATCH;
 	else
 		state->keep = KEEP_FALSE;
 
 	read_state_file(&sb, state, "messageid", 1);
-	state->message_id = !strcmp(sb.buf, "t");
+	state->message_id = !strcmp(sb.buf, "t"); // CodeQL [SM01932] justification: CodeQL is wrong here because the value is read from a file via strbuf_read() which does NUL-terminate the string, something CodeQL fails to understand
 
 	read_state_file(&sb, state, "scissors", 1);
-	if (!strcmp(sb.buf, "t"))
+	if (!strcmp(sb.buf, "t")) // CodeQL [SM01932] justification: CodeQL is wrong here because the value is read from a file via strbuf_read() which does NUL-terminate the string, something CodeQL fails to understand
 		state->scissors = SCISSORS_TRUE;
-	else if (!strcmp(sb.buf, "f"))
+	else if (!strcmp(sb.buf, "f")) // CodeQL [SM01932] justification: CodeQL is wrong here because the value is read from a file via strbuf_read() which does NUL-terminate the string, something CodeQL fails to understand
 		state->scissors = SCISSORS_FALSE;
 	else
 		state->scissors = SCISSORS_UNSET;
 
 	read_state_file(&sb, state, "quoted-cr", 1);
 	if (!*sb.buf)
 		state->quoted_cr = quoted_cr_unset;
-	else if (mailinfo_parse_quoted_cr_action(sb.buf, &state->quoted_cr) != 0)
+	else if (mailinfo_parse_quoted_cr_action(sb.buf, &state->quoted_cr) != 0) // CodeQL [SM01932] justification: CodeQL is wrong here because the value is read from a file via strbuf_read() which does NUL-terminate the string, something CodeQL fails to understand
 		die(_("could not parse %s"), am_path(state, "quoted-cr"));
 
 	read_state_file(&sb, state, "apply-opt", 1);
 	strvec_clear(&state->git_apply_opts);
-	if (sq_dequote_to_strvec(sb.buf, &state->git_apply_opts) < 0)
+	if (sq_dequote_to_strvec(sb.buf, &state->git_apply_opts) < 0) // CodeQL [SM01932] justification: CodeQL is wrong here because the value is read from a file via strbuf_read() which does NUL-terminate the string, something CodeQL fails to understand
 		die(_("could not parse %s"), am_path(state, "apply-opt"));
 
 	state->rebasing = !!file_exists(am_path(state, "rebasing"));

builtin/clone.c

@@ -120,7 +120,7 @@ static const char *get_repo_path_1(struct strbuf *path, int *is_bundle)
 				continue;
 			len = read_in_full(fd, signature, 8);
 			close(fd);
-			if (len != 8 || strncmp(signature, "gitdir: ", 8))
+			if (len != 8 || strncmp(signature, "gitdir: ", 8)) // CodeQL [SM01932] justification: CodeQL is wrong here because the value is read from a file via strbuf_read() which does NUL-terminate the string, something CodeQL fails to understand
 				continue;
 			dst = read_gitfile(path->buf);
 			if (dst) {

builtin/commit.c

@@ -2086,7 +2086,7 @@ int cmd_commit(int argc,
 		if (!stat(git_path_merge_mode(the_repository), &statbuf)) {
 			if (strbuf_read_file(&sb, git_path_merge_mode(the_repository), 0) < 0)
 				die_errno(_("could not read MERGE_MODE"));
-			if (!strcmp(sb.buf, "no-ff"))
+			if (!strcmp(sb.buf, "no-ff")) // CodeQL [SM01932] justification: CodeQL is wrong here because the value is read from a file via strbuf_read() which does NUL-terminate the string, something CodeQL fails to understand
 				allow_fast_forward = 0;
 		}
 		if (allow_fast_forward)

builtin/help.c

@@ -277,7 +277,7 @@ static void exec_woman_emacs(const char *path, const char *page)
 		if (!path)
 			path = "emacsclient";
 		strbuf_addf(&man_page, "(woman \"%s\")", page);
-		execlp(path, "emacsclient", "-e", man_page.buf, (char *)NULL);
+		execlp(path, "emacsclient", "-e", man_page.buf, (char *)NULL); // CodeQL [SM01925] justification: Git's help system safely consumes user-controlled environment variables and paths
 		warning_errno(_("failed to exec '%s'"), path);
 		strbuf_release(&man_page);
 	}
@@ -299,7 +299,7 @@ static void exec_man_konqueror(const char *path, const char *page)
 		} else
 			path = "kfmclient";
 		strbuf_addf(&man_page, "man:%s(1)", page);
-		execlp(path, filename, "newTab", man_page.buf, (char *)NULL);
+		execlp(path, filename, "newTab", man_page.buf, (char *)NULL); // CodeQL [SM01925] justification: Git's help system safely consumes user-controlled environment variables and paths
 		warning_errno(_("failed to exec '%s'"), path);
 		strbuf_release(&man_page);
 	}
@@ -309,7 +309,7 @@ static void exec_man_man(const char *path, const char *page)
 {
 	if (!path)
 		path = "man";
-	execlp(path, "man", page, (char *)NULL);
+	execlp(path, "man", page, (char *)NULL); // CodeQL [SM01925] justification: Git's help system safely consumes user-controlled environment variables and paths
 	warning_errno(_("failed to exec '%s'"), path);
 }
 

builtin/rebase.c

@@ -483,9 +483,9 @@ static int read_basic_state(struct rebase_options *opts)
 		if (!read_oneliner(&buf, state_dir_path("allow_rerere_autoupdate", opts),
 				   READ_ONELINER_WARN_MISSING))
 			return -1;
-		if (!strcmp(buf.buf, "--rerere-autoupdate"))
+		if (!strcmp(buf.buf, "--rerere-autoupdate")) // CodeQL [SM01932] justification: CodeQL is wrong here because the value is read from a file via strbuf_read() which does NUL-terminate the string, something CodeQL fails to understand
 			opts->allow_rerere_autoupdate = RERERE_AUTOUPDATE;
-		else if (!strcmp(buf.buf, "--no-rerere-autoupdate"))
+		else if (!strcmp(buf.buf, "--no-rerere-autoupdate")) // CodeQL [SM01932] justification: CodeQL is wrong here because the value is read from a file via strbuf_read() which does NUL-terminate the string, something CodeQL fails to understand
 			opts->allow_rerere_autoupdate = RERERE_NOAUTOUPDATE;
 		else
 			warning(_("ignoring invalid allow_rerere_autoupdate: "

bundle.c

@@ -66,7 +66,7 @@ static int parse_bundle_signature(struct bundle_header *header, const char *line
 	int i;
 
 	for (i = 0; i < ARRAY_SIZE(bundle_sigs); i++) {
-		if (!strcmp(line, bundle_sigs[i].signature)) {
+		if (!strcmp(line, bundle_sigs[i].signature)) { // CodeQL [SM01932] justification: CodeQL is wrong here because the value is read from a file via strbuf_read() which does NUL-terminate the string, something CodeQL fails to understand
 			header->version = bundle_sigs[i].version;
 			return 0;
 		}
@@ -82,7 +82,7 @@ int read_bundle_header_fd(int fd, struct bundle_header *header,
 
 	/* The bundle header begins with the signature */
 	if (strbuf_getwholeline_fd(&buf, fd, '\n') ||
-	    parse_bundle_signature(header, buf.buf)) {
+	    parse_bundle_signature(header, buf.buf)) { // CodeQL [SM01932] justification: CodeQL is wrong here because the value is read from a file via strbuf_read() which does NUL-terminate the string, something CodeQL fails to understand
 		if (report_path)
 			error(_("'%s' does not look like a v2 or v3 bundle file"),
 			      report_path);

credential.c

@@ -258,7 +258,7 @@ static char *credential_ask_one(const char *what, struct credential *c,
 
 	strbuf_release(&desc);
 	strbuf_release(&prompt);
-	return xstrdup(r);
+	return xstrdup(r); // CodeQL [SM01932] justification: CodeQL is wrong here because the value is read from a file via strbuf_read() which does NUL-terminate the string, something CodeQL fails to understand
 }
 
 static int credential_getpass(struct repository *r, struct credential *c)

date.c

@@ -524,14 +524,14 @@ static int set_date(int year, int month, int day, struct tm *now_tm, time_t now,
 		if (year == -1) {
 			if (!now_tm)
 				return 1;
-			r->tm_year = now_tm->tm_year;
+			r->tm_year = now_tm->tm_year; // CodeQL [SM03231] justification: Git's custom date parser intentionally handles years without leap year validation
 		}
 		else if (year >= 1970 && year < 2100)
 			r->tm_year = year - 1900;
 		else if (year > 70 && year < 100)
 			r->tm_year = year;
 		else if (year < 38)
-			r->tm_year = year + 100;
+			r->tm_year = year + 100; // CodeQL [SM03231] justification: Git's date parser handles century offsets without leap year validation by design
 		else
 			return -1;
 		if (!now_tm)
@@ -548,7 +548,7 @@ static int set_date(int year, int month, int day, struct tm *now_tm, time_t now,
 		tm->tm_mon = r->tm_mon;
 		tm->tm_mday = r->tm_mday;
 		if (year != -1)
-			tm->tm_year = r->tm_year;
+			tm->tm_year = r->tm_year; // CodeQL [SM03231] justification: Git's date parser copies year values without requiring leap year validation
 		return 0;
 	}
 	return -1;
@@ -780,11 +780,11 @@ static int match_digit(const char *date, struct tm *tm, int *offset, int *tm_gmt
 	/* Two-digit year? */
 	if (n == 2 && tm->tm_year < 0) {
 		if (num < 10 && tm->tm_mday >= 0) {
-			tm->tm_year = num + 100;
+			tm->tm_year = num + 100; // CodeQL [SM03231] justification: Git's digit parser handles century calculation without leap year validation
 			return n;
 		}
 		if (num >= 70) {
-			tm->tm_year = num;
+			tm->tm_year = num; // CodeQL [SM03231] justification: Git's legacy date parser handles two-digit years without leap year validation by design
 			return n;
 		}
 	}
@@ -1083,7 +1083,7 @@ static time_t update_tm(struct tm *tm, struct tm *now, time_t sec)
 	if (tm->tm_year < 0) {
 		tm->tm_year = now->tm_year;
 		if (tm->tm_mon > now->tm_mon)
-			tm->tm_year--;
+			tm->tm_year--; // CodeQL [SM03231] justification: Git's date parser adjusts year to handle month comparisons without leap year validation
 	}
 
 	n = mktime(tm) - sec;
@@ -1110,9 +1110,9 @@ static void pending_number(struct tm *tm, int *num)
 			if (number > 1969 && number < 2100)
 				tm->tm_year = number - 1900;
 			else if (number > 69 && number < 100)
-				tm->tm_year = number;
+				tm->tm_year = number; // CodeQL [SM03231] justification: Git's approxidate parser intentionally assigns years without leap year checks
 			else if (number < 38)
-				tm->tm_year = 100 + number;
+				tm->tm_year = 100 + number; // CodeQL [SM03231] justification: Git's approxidate parser handles century calculation without leap year validation
 			/* We screw up for number = 00 ? */
 		}
 	}
@@ -1304,7 +1304,7 @@ static const char *approxidate_alpha(const char *date, struct tm *tm, struct tm
 		*num = 0;
 		while (n < 0) {
 			n += 12;
-			tm->tm_year--;
+			tm->tm_year--; // CodeQL [SM03231] justification: Git's approxidate parser adjusts years for month calculations without leap year concerns
 		}
 		tm->tm_mon = n;
 		*touched = 1;
@@ -1313,7 +1313,7 @@ static const char *approxidate_alpha(const char *date, struct tm *tm, struct tm
 
 	if (match_string(date, "years") >= 4) {
 		update_tm(tm, now, 0); /* fill in date fields if needed */
-		tm->tm_year -= *num;
+		tm->tm_year -= *num; // CodeQL [SM03231] justification: Git's approxidate parser subtracts years without leap year validation by design
 		*num = 0;
 		*touched = 1;
 		return end;