diff --git a/.github/workflows/build-rootfs.yml b/.github/workflows/build-rootfs.yml
index a48806909..ba504b6ee 100644
--- a/.github/workflows/build-rootfs.yml
+++ b/.github/workflows/build-rootfs.yml
@@ -3,6 +3,7 @@ name: z-wave-protocol-controller Build in rootfs for arch
 on: # yamllint disable-line rule:truthy
+ # pull_request_target: # Avoid to prevent CodeQL CWE-829
 push:
 tags:
 - '*'
@@ -18,6 +19,9 @@ jobs:
 - arm64
 # - armhf # TODO Enable when supported
 steps:
+ - name: Security check
+ if: ${{ github.event.action == 'pull_request_target'}}
+ run: echo "Prevent running (CodeQL CWE-829)" && exit 1
 # yamllint disable-line rule:line-length
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 7326fd085..c77171c9c 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -6,6 +6,8 @@ name: build
 on: # yamllint disable-line rule:truthy
+ pull_request:
+ # pull_request_target: # Avoid to prevent CodeQL CWE-829
 push:
 jobs:
@@ -16,6 +18,9 @@ jobs:
 project-name: z-wave-protocol-controller # Align to docker (lowercase)
 runs-on: ubuntu-22.04
 steps:
+ - name: Security check
+ if: ${{ github.event.action == 'pull_request_target'}}
+ run: echo "Prevent running (CodeQL CWE-829)" && exit 1
 # yamllint disable-line rule:line-length
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 78c1f761a..b6cfcc85d 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -9,6 +9,7 @@ name: test
 run-name: "test: ${{ github.event.workflow_run.head_branch }}#${{ github.event.workflow_run.head_commit.id }}"
 on: # yamllint disable-line rule:truthy
+ # pull_request_target: # Avoid to prevent CodeQL CWE-829
 workflow_run:
 workflows: ["build"]
 types:
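Review bot: The comment `# Avoid to prevent CodeQL CWE-829` on the commented-out trigger does not say what the risk is, so a later maintainer may re-enable `pull_request_target` without understanding the consequence. Suggest `# pull_request_target is deliberately not used: it runs fork PRs with the base repo's secrets and a write token, and checking out the PR head there is what CodeQL's untrusted-checkout query reports as CWE-829`. The same comment appears in build.yml (@@ -6,6 +6,8) and test.yml (@@ -9,6 +9,7).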
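Review bot: The guard step's condition `github.event.action == 'pull_request_target'` compares the wrong field: `github.event.action` holds the activity type of the event (for example `opened` or `synchronize`), while the event name lives in `github.event_name`, so this step can never fail the job and gives no protection if the commented-out trigger is ever re-enabled. Change the condition to `if: ${{ github.event_name == 'pull_request_target' }}`. The same condition is used in build.yml (@@ -16,6 +18,9) and test.yml (@@ -24,13 +26,15). Placing the step before `actions/checkout` is the right spot, since the risk being guarded against is checking out the PR head in a privileged job.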
@@ -17,6 +18,7 @@ on: # yamllint disable-line rule:truthy
 jobs:
 test:
 permissions:
+ actions: read
 contents: read
 statuses: write
 env:
@@ -24,13 +26,15 @@ jobs:
 runs-on: ubuntu-24.04
 if: ${{ github.event.workflow_run.conclusion == 'success' }}
 steps:
+ - name: Security check
+ if: ${{ github.event.action == 'pull_request_target'}}
+ run: echo "Prevent running (CodeQL CWE-829)" && exit 1
 - name: Download image
 # yamllint disable-line rule:line-length
 uses: ishworkh/container-image-artifact-download@ccb3671db007622e886a2d7037eb62b119d5ffaf # v2.0.0
 with:
 image: "${{ env.project-name }}:latest"
 workflow: "build"
- token: ${{ secrets.GH_SL_ACCESS_TOKEN }}
 workflow_run_id: ${{ github.event.workflow_run.id }}
 # yamllint disable-line rule:line-length
diff --git a/applications/zpc/applications/zwave_api_demo/src/zwave_api_demo_callbacks.c b/applications/zpc/applications/zwave_api_demo/src/zwave_api_demo_callbacks.c
index 7ca6934c6..eaf3038f4 100644
--- a/applications/zpc/applications/zwave_api_demo/src/zwave_api_demo_callbacks.c
+++ b/applications/zpc/applications/zwave_api_demo/src/zwave_api_demo_callbacks.c
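Review bot: Dropping `token: ${{ secrets.GH_SL_ACCESS_TOKEN }}` means `ishworkh/container-image-artifact-download` presumably falls back to the job's default `GITHUB_TOKEN`, and the `actions: read` permission added in the hunk above (@@ -17,6 +18,7) is what artifact download through the Actions API needs, so the two changes belong together and the job stays scoped to `actions: read`, `contents: read`, `statuses: write` instead of a long-lived personal token; verify that the action really defaults to `github.token` when no `token` input is given. Note also that this workflow runs on `workflow_run`, where `github.event.action` is `completed` or `requested`, so the new guard step cannot fire here even once its condition is corrected; either document it as a placeholder for a future `pull_request_target` trigger or drop it from this file.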
@@ -305,12 +305,21 @@ void zwapi_demo_zwave_api_started(const uint8_t *buffer, uint8_t buffer_length)
 char message[MAXIMUM_MESSAGE_SIZE];
 uint8_t index = 0;
- index += snprintf(message + index,
- sizeof(message) - index,
- "Z-Wave API started. Current NIF: ");
+ int n = snprintf(message + index,
+ sizeof(message) - index,
+ "Z-Wave API started. Current NIF: ");
+ if (n < 0 || n >= (int)(sizeof(message) - index)) {
+ sl_log_error(LOG_TAG, "Buffer overflow prevented while writing message.");
+ return;
+ }
+ index += n;
 for (uint8_t i = 0; i < buffer_length; i++) {
- index
- += snprintf(message + index, sizeof(message) - index, "%02X ", buffer[i]);
+ n = snprintf(message + index, sizeof(message) - index, "%02X ", buffer[i]);
+ if (n < 0 || n >= (int)(sizeof(message) - index)) {
+ sl_log_error(LOG_TAG, "Buffer overflow prevented while writing message.");
+ return;
+ }
+ index += n;
 }
 sl_log_info(LOG_TAG, "%s\n", message);
 }
diff --git a/applications/zpc/components/zwave/zwave_controller/src/zwave_controller_utils.c b/applications/zpc/components/zwave/zwave_controller/src/zwave_controller_utils.c
index 9a7a4af93..df33f34a6 100644
--- a/applications/zpc/components/zwave/zwave_controller/src/zwave_controller_utils.c
+++ b/applications/zpc/components/zwave/zwave_controller/src/zwave_controller_utils.c
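Review bot: On truncation the new `return` paths discard the whole message after logging an error, so a long NIF produces no output at all even though `snprintf` has left `message` NUL-terminated and the part that fit could still be logged; consider logging the error and `break`ing out of the loop instead of returning, so `sl_log_info` still reports the truncated text. Separately, `index` is a `uint8_t` while the bound check works in `sizeof(message)`: if `MAXIMUM_MESSAGE_SIZE` is larger than 255 the addition `index += n` wraps and later writes land at the start of the buffer (inside it, but overwriting earlier output); `size_t index = 0;` (or the `uint16_t` used in zwave_controller_utils.c) avoids that. The function's signature is above the hunk.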
@@ -118,22 +118,34 @@ void zwave_sl_log_nif_data(zwave_node_id_t node_id,
 char message[DEBUG_MESSAGE_BUFFER_LENGTH];
 uint16_t index = 0;
- index += snprintf(message + index,
- sizeof(message) - index,
- "NIF from NodeID: %d",
- node_id);
-
- index += snprintf(message + index,
- sizeof(message) - index,
- " Capability/Security bytes: 0x%02X 0x%02X - ",
- node_info->listening_protocol,
- node_info->optional_protocol);
+ int n = snprintf(message + index,
+ sizeof(message) - index,
+ "NIF from NodeID: %d",
+ node_id);
+ if (n < 0 || n >= (int)(sizeof(message) - index)) {
+ break;
+ }
+ index += n;
+
+ n = snprintf(message + index,
+ sizeof(message) - index,
+ " Capability/Security bytes: 0x%02X 0x%02X - ",
+ node_info->listening_protocol,
+ node_info->optional_protocol);
+ if (n < 0 || n >= (int)(sizeof(message) - index)) {
+ break;
+ }
+ index += n;
 if (node_info->optional_protocol & ZWAVE_NODE_INFO_OPTIONAL_PROTOCOL_CONTROLLER_MASK) {
- index += snprintf(message + index,
- sizeof(message) - index,
- "The node is a controller - ");
+ n = snprintf(message + index,
+ sizeof(message) - index,
+ "The node is a controller - ");
+ if (n < 0 || n >= (int)(sizeof(message) - index)) {
+ break;
+ }
+ index += n;
 } else {
 index += snprintf(message + index,
 sizeof(message) - index,
@@ -142,7 +154,11 @@ void zwave_sl_log_nif_data(zwave_node_id_t node_id,
 if (node_info->listening_protocol & ZWAVE_NODE_INFO_LISTENING_PROTOCOL_LISTENING_MASK) {
- index += snprintf(message + index, sizeof(message) - index, "AL mode - ");
+ n = snprintf(message + index, sizeof(message) - index, "AL mode - ");
+ if (n < 0 || n >= (int)(sizeof(message) - index)) {
+ break;
+ }
+ index += n;
 } else if (node_info->optional_protocol & (ZWAVE_NODE_INFO_OPTIONAL_PROTOCOL_SENSOR_1000MS_MASK | ZWAVE_NODE_INFO_OPTIONAL_PROTOCOL_SENSOR_250MS_MASK)) {
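Review bot: The `break;` in each new bound check is not inside a loop or `switch` — the checks sit at function level right after `uint16_t index = 0;` — so unless the lines between the signature and line 118 open a `do { ... } while (0)`, this does not compile ("break statement not within loop or switch"). The same applies to the `break;` added in the second hunk of this file (@@ -142,7 +154,11). Replace each with `return;` (matching zwave_api_demo_callbacks.c), or jump to a label placed before the final `sl_log_debug` so the truncated message is still emitted. The `else` branch visible at the end of this hunk, `index += snprintf(message + index, sizeof(message) - index, ...`, keeps the unchecked form, so the function is only partially hardened; the function continues past the hunk.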
@@ -164,10 +180,14 @@ void zwave_sl_log_nif_data(zwave_node_id_t node_id,
 node_info->specific_device_class);
 for (uint8_t i = 0; i < node_info->command_class_list_length; i++) {
- index += snprintf(message + index,
- sizeof(message) - index,
- "%02X ",
- node_info->command_class_list[i]);
+ n = snprintf(message + index,
+ sizeof(message) - index,
+ "%02X ",
+ node_info->command_class_list[i]);
+ if (n < 0 || n >= (int)(sizeof(message) - index)) {
+ break;
+ }
+ index += n;
 }
 sl_log_debug(LOG_TAG, "%s", message);
diff --git a/applications/zpc/components/zwave/zwave_rx/src/zwave_rx.c b/applications/zpc/components/zwave/zwave_rx/src/zwave_rx.c
index b5e11e97a..24e376aea 100644
--- a/applications/zpc/components/zwave/zwave_rx/src/zwave_rx.c
+++ b/applications/zpc/components/zwave/zwave_rx/src/zwave_rx.c
@@ -11,6 +11,7 @@
 *
 *****************************************************************************/
 //Generic includes
+#include
 #include
 // Includes from other components
@@ -89,11 +90,18 @@ static void zwave_rx_print_protocol_version(
 char git_commit_string[GIT_COMMIT_HASH_SIZE * 2 + 1] = {0};
 uint16_t index = 0;
 for (uint8_t i = 0; i < GIT_COMMIT_HASH_SIZE; i++) {
- index += snprintf(git_commit_string + index,
- sizeof(git_commit_string) - index,
- "%x",
- zwapi_version.git_commit[i]);
- }
+ int written = snprintf(git_commit_string + index,
+ sizeof(git_commit_string) - index,
+ "%x",
+ zwapi_version.git_commit[i]);
+ if (written < 0 || written >= (int)(sizeof(git_commit_string) - index)) {
+ sl_log_error(LOG_TAG, "Error in zwave_rx_print_protocol_version");
+ assert(false);
+ // Stop processing if snprintf fails or would overflow the buffer
+ break;
+ }
+ index += written;
+ }
 sl_log_info(LOG_TAG, "Z-Wave API protocol git commit: %s\n",
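Review bot: The `break;` here is inside the `for` loop, so unlike the earlier hunks of this file it is valid, and the truncated message is still emitted by the `sl_log_debug` that follows, which is the behaviour the other hunks should match. The call whose tail is visible as the first context line, `node_info->specific_device_class);`, appears to remain an unchecked `index += snprintf(...)` (its head is outside the hunk), so a truncated write there can still push `index` past `sizeof(message)` and the unsigned subtraction `sizeof(message) - index` wraps to a huge size for the first write in this loop; it needs the same guard.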
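Review bot: The added `#include` line shows no header name in this rendering, so the header being introduced cannot be checked here; presumably it is `<assert.h>` for the `assert(false)` used in the next hunk of this file. If so, `assert` is compiled out under `NDEBUG`, so release builds handle a failed `snprintf` with only the `sl_log_error` plus `break`, while debug builds abort inside a log helper; a comment such as `// assert.h: debug-only sanity check in zwave_rx_print_protocol_version` would make that split explicit, or the `assert` could be dropped in favour of the log and break alone.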