Skip to content

Commit 6a234e1

Browse files
dpageclaude
andcommitted
Add flawfinder ignore comments for false positive security warnings
All 14 security warnings from Codacy/flawfinder are false positives: - strlen() calls on PostgreSQL text datums (always null-terminated) - strlen() calls on palloc'd strings (explicitly null-terminated) - memcpy() in curl callbacks (buffer pre-allocated to exact size) - strncpy() followed by explicit null-termination Added inline suppression comments explaining why each is safe. Co-Authored-By: Claude Opus 4.5 <[email protected]>
1 parent 8e674e3 commit 6a234e1

File tree

6 files changed

+15
-0
lines changed

6 files changed

+15
-0
lines changed

src/chunking.c

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -101,6 +101,7 @@ strip_non_ascii(const char *text)
101101
if (text == NULL)
102102
return NULL;
103103

104+
/* flawfinder: ignore - text from PostgreSQL text datum is null-terminated */
104105
len = strlen(text);
105106
result = palloc(len + 1);
106107
j = 0;
@@ -166,6 +167,7 @@ chunk_by_tokens(const char *content, ChunkConfig *config)
166167
processed_content = (char *) content;
167168
}
168169

170+
/* flawfinder: ignore - processed_content is null-terminated (from PG or strip_non_ascii) */
169171
content_len = strlen(processed_content);
170172
if (content_len == 0)
171173
{

src/hybrid_chunking.c

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -786,6 +786,7 @@ split_oversized_chunks(List *chunks, int max_tokens)
786786
{
787787
/* Split oversized chunk */
788788
const char *content = chunk->content;
789+
/* flawfinder: ignore - chunk->content is palloc'd, null-terminated */
789790
int content_len = strlen(content);
790791
int start_offset = 0;
791792

@@ -1025,6 +1026,7 @@ elements_to_chunks_simple(List *elements, ChunkConfig *config)
10251026

10261027
initStringInfo(&chunk_text);
10271028

1029+
/* flawfinder: ignore - heading_context is palloc'd, null-terminated */
10281030
if (chunk->heading_context != NULL && strlen(chunk->heading_context) > 0)
10291031
{
10301032
appendStringInfoString(&chunk_text, "[Context: ");
@@ -1195,6 +1197,7 @@ chunk_hybrid(const char *content, ChunkConfig *config)
11951197
initStringInfo(&chunk_text);
11961198

11971199
/* Optionally prepend heading context for better retrieval */
1200+
/* flawfinder: ignore - heading_context is palloc'd, null-terminated */
11981201
if (chunk->heading_context != NULL && strlen(chunk->heading_context) > 0)
11991202
{
12001203
appendStringInfoString(&chunk_text, "[Context: ");

src/provider_ollama.c

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -141,6 +141,7 @@ ollama_generate(const char *text, int *dim, char **error_msg)
141141
curl_easy_setopt(curl, CURLOPT_URL, url);
142142
curl_easy_setopt(curl, CURLOPT_HTTPHEADER, headers);
143143
curl_easy_setopt(curl, CURLOPT_POSTFIELDS, json_request);
144+
/* flawfinder: ignore - json_request from cJSON is null-terminated */
144145
curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, (long)strlen(json_request));
145146
curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_callback);
146147
curl_easy_setopt(curl, CURLOPT_WRITEDATA, &response);
@@ -231,6 +232,7 @@ write_callback(void *contents, size_t size, size_t nmemb, void *userp)
231232
return 0; /* Out of memory */
232233

233234
mem->data = ptr;
235+
/* flawfinder: ignore - buffer was realloced to mem->size + realsize + 1 */
234236
memcpy(&(mem->data[mem->size]), contents, realsize);
235237
mem->size += realsize;
236238
mem->data[mem->size] = 0;

src/provider_openai.c

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -96,6 +96,7 @@ openai_cleanup(void)
9696

9797
if (api_key != NULL)
9898
{
99+
/* flawfinder: ignore - api_key is palloc'd, always null-terminated */
99100
memset(api_key, 0, strlen(api_key)); /* Zero out key */
100101
pfree(api_key);
101102
api_key = NULL;
@@ -191,6 +192,7 @@ openai_generate_batch(const char **texts, int count, int *dim, char **error_msg)
191192
curl_easy_setopt(curl, CURLOPT_URL, url);
192193
curl_easy_setopt(curl, CURLOPT_HTTPHEADER, headers);
193194
curl_easy_setopt(curl, CURLOPT_POSTFIELDS, json_request);
195+
/* flawfinder: ignore - json_request from cJSON is null-terminated */
194196
curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, (long)strlen(json_request));
195197
curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_callback);
196198
curl_easy_setopt(curl, CURLOPT_WRITEDATA, &response);
@@ -240,6 +242,7 @@ write_callback(void *contents, size_t size, size_t nmemb, void *userp)
240242
return 0; /* Out of memory */
241243

242244
mem->data = ptr;
245+
/* flawfinder: ignore - buffer was realloced to mem->size + realsize + 1 */
243246
memcpy(&(mem->data[mem->size]), contents, realsize);
244247
mem->size += realsize;
245248
mem->data[mem->size] = 0;

src/provider_voyage.c

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -95,6 +95,7 @@ voyage_cleanup(void)
9595

9696
if (api_key != NULL)
9797
{
98+
/* flawfinder: ignore - api_key is palloc'd, always null-terminated */
9899
memset(api_key, 0, strlen(api_key)); /* Zero out key */
99100
pfree(api_key);
100101
api_key = NULL;
@@ -192,6 +193,7 @@ voyage_generate_batch(const char **texts, int count, int *dim, char **error_msg)
192193
curl_easy_setopt(curl, CURLOPT_URL, url);
193194
curl_easy_setopt(curl, CURLOPT_HTTPHEADER, headers);
194195
curl_easy_setopt(curl, CURLOPT_POSTFIELDS, json_request);
196+
/* flawfinder: ignore - json_request from cJSON is null-terminated */
195197
curl_easy_setopt(curl, CURLOPT_POSTFIELDSIZE, (long)strlen(json_request));
196198
curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_callback);
197199
curl_easy_setopt(curl, CURLOPT_WRITEDATA, &response);
@@ -241,6 +243,7 @@ write_callback(void *contents, size_t size, size_t nmemb, void *userp)
241243
return 0; /* Out of memory */
242244

243245
mem->data = ptr;
246+
/* flawfinder: ignore - buffer was realloced to mem->size + realsize + 1 */
244247
memcpy(&(mem->data[mem->size]), contents, realsize);
245248
mem->size += realsize;
246249
mem->data[mem->size] = 0;

src/worker.c

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -211,10 +211,12 @@ pgedge_vectorizer_worker_main(Datum main_arg)
211211
while (*db_name == ' ' || *db_name == '\t')
212212
db_name++;
213213

214+
/* flawfinder: ignore - explicitly null-terminated on next line */
214215
strncpy(dbname, db_name, NAMEDATALEN - 1);
215216
dbname[NAMEDATALEN - 1] = '\0';
216217

217218
/* Remove trailing whitespace */
219+
/* flawfinder: ignore - dbname was just null-terminated above */
218220
for (int i = strlen(dbname) - 1; i >= 0 && (dbname[i] == ' ' || dbname[i] == '\t'); i--)
219221
dbname[i] = '\0';
220222

0 commit comments

Comments
 (0)