potentially multiple vulnerabilities (14) #733
Comments
commandline-be
changed the title
commandline-be
changed the title
|
Hi, do you have some more details? What parts of code did trigger the tool to produce a report? |
|
Most (11)) are found in Python for cpp the findings are on tests/ui (2) and for tests/helpers [update] Snyk only allow to create report with the Enterprise license which i don't have |
|
I'm looking into how to share the results, one way could be to invite you as a member to the project on Snyk. |
|
Path Traversal Unsanitized input from a command line argument flows into QFile, where it is used as a path. This may result in a Path Traversal vulnerability and allow an attacker to read arbitrary files. klogg/tests/helpers/file_write_helper.cpp validating the input to only allow permitted and purposeful file types and/or relative paths when applicable seems sensible |
|
Missing Release of Memory after Effective Lifetime Leaking memory. TestRunner is allocated on the heap and never freed klogg/tests/ui/qtests_main.cpp after being open for a few days klogg suddenly crashed in the middle of an analysis, this may be true |
|
Thanks for more information. Neither python scripts nor tests are part of klogg distribution, they are part of build pipeline. So there is not much to fix for end users.
Could you do that? |
use of Snyk revealed a number of vulnerabilities, can the software be updated with a patched version?
the vulnerabilities were not validated against real-world exploitability
Command Injection : 6
Path Traversal : 5
Missing Release of Memory after Effective Lifetime : 2
Regular Expression Denial of Service (ReDoS) : 1
the 'Missing Release of Memory after Effective Lifetime' appears in tests/ui but the klogg app did quit unexpectedly after being open for a few days with a number of log files loaded
The text was updated successfully, but these errors were encountered: