May 2019 Summaries
2 posts from Sonar
Filter
Month:
Year:
Post Summaries
Back to Blog
The extraction of untrusted archives can lead to remote code execution due to vulnerabilities in handling ZIP file entries, which can result in arbitrary files being overwritten with the permissions of the web server or corresponding user. These issues are already known and have been disclosed by Snyk and RIPS Code Analysis, but they still pose a significant security risk if not addressed properly. To mitigate this issue, developers must validate or sanitize user input from untrusted archives to prevent malicious file traversal and execution.
May 29, 2019
616 words in the original blog post.
The C++ static code analysis engine has introduced a new rule to follow the C++ Core Guideline F.16: For "in" parameters, pass cheaply-copied types by value and others by reference to const. The rule aims to prevent unnecessary copies of expensive data types. However, implementing this rule proved challenging due to corner cases such as templates, user-defined copy constructors, and polymorphic hierarchies. To address these issues, the engine excluded certain special cases, ignored function declarations, and removed the requirement for non-trivial copy constructors to be passed by reference to const. The rule now only detects passing by value that should be replaced by passing by reference to const, rather than the other way around. Future improvements include detecting when a parameter is modified inside the function and handling templates with dependent arguments.
May 15, 2019
3,012 words in the original blog post.