SPOC-470: [Security] [Codacy] Triage security issues in lolor#35
Merged
mason-sharp merged 2 commits intomainfrom Apr 10, 2026
Merged
SPOC-470: [Security] [Codacy] Triage security issues in lolor#35mason-sharp merged 2 commits intomainfrom
mason-sharp merged 2 commits intomainfrom
Conversation
Pin all third-party actions in the CI workflow to immutable full-length commit SHAs instead of mutable version tags, per GitHub's supply-chain security best practices. Floating tags (e.g. @v4) can be silently redirected to a different commit if a repository is compromised; a full SHA cannot be moved.
📝 WalkthroughWalkthroughWorkflow file pins four third-party action SHAs; Changes
Poem
🚥 Pre-merge checks | ✅ 2 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (2 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Up to standards ✅🟢 Issues
|
| Metric | Results |
|---|---|
| Duplication | 0 |
TIP This summary will be updated as you push new changes. Give us feedback
Fix or suppress five categories of findings reported by Flawfinder (run via Codacy) against lolor_fsstubs.c and lolor_inv_api.c. Real issues — suppressed with inline annotations: - umask(S_IWGRP | S_IWOTH) in lo_export: intentionally matches PostgreSQL core be-fsstubs.c; diverging would create unnecessary divergence from upstream. - umask(oumask) restore call: false positive — the tool flags every umask() call regardless of intent; this one simply restores the previous mask. - read() in loop in lo_import: false positive — the count argument is exactly sizeof(buf), so no overrun is possible. False positives — resolved with Assert(): - memcpy in lolor_inv_read: n is clamped to min(len-off, nbytes-nread) before the copy; assertions make both bounds explicit. - memcpy in lolor_inv_write (three sites): destinations are workbuf pages of LOBLKSIZE bytes; len/pagelen are validated by getdatafield() to be <= LOBLKSIZE; n is clamped to LOBLKSIZE-off and nbytes-nwritten.
mason-sharp
approved these changes
Apr 10, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Address Codacy security warnings in lolor (spoc-470)
Two categories of findings reported by Codacy's Flawfinder analyser are resolved across
.github/workflows/workflow.yml,src/lolor_fsstubs.c, andsrc/lolor_inv_api.c.GitHub Actions: unpinned third-party actions (commit 0647af4)
All four actions in the CI workflow were referenced by mutable version tags (
@v2,@v4, etc.). A compromised upstream repository could silently redirect a tag to malicious code. Each action is now pinned to the full 40-character commit SHA that the tag currently resolves to, with the original tag retained as an inline comment for readability:actions/checkout34e114876b0b11c390a56381ad16ebd13914f8d5docker/setup-buildx-action885d1462b80bc1c1c7f0b00334ad271f09369c55docker/setup-compose-action2fe291b7677a45ee1269ec56a42604c143505e7eactions/upload-artifactea165f8d65b6e75b540449e92b4886f43607fa02Flawfinder warnings in C sources (commit 3872cb9)
Codacy runs Flawfinder as one of its four C/C++ analysers. The findings fall into two groups:
False positives — suppressed with
Flawfinder: ignore:read(fd, buf, BUFSIZE)inlo_import_internal: the count argument is exactlysizeof(buf);nbytesis always ≤BUFSIZE. No overrun is possible (CWE-120, CWE-20).umask(S_IWGRP | S_IWOTH)inlo_export: value0022is kept intentionally in sync with PostgreSQL corebe-fsstubs.c. Changing it unilaterally without a policy decision would create an unexplained behavioural divergence from native large objects (CWE-732).umask(oumask)restore call inPG_FINALLY: the tool flags everyumask()call regardless of argument; this one simply restores the prior mask (CWE-732).Bounds not visible to the analyser — resolved with
Assert():Assert()is preferred over suppression here: it documents the invariant at the call site, catches future regressions in debug builds, and costs nothing in release builds.lolor_inv_read:nis clamped tomin(len - off, nbytes - nread)before thememcpy; assertion makes both source and destination bounds explicit.lolor_inv_write(two sites, existing-page and new-page paths):lenis validated bygetdatafield()to be in[0, LOBLKSIZE];nis clamped tomin(LOBLKSIZE - off, nbytes - nwritten). Assertions cover destination-page capacity and source-buffer capacity at each site.lolor_inv_truncate: samegetdatafield()guarantee applies topagelen.