Bug #6274

Some random bugs, request for repair.

Added by saen acro over 1 year ago. Updated over 1 year ago.

Status: Invalid
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 2023-06-11
Due date:
% Done: 0%
Estimated time:
Found in version: current /11.06.2023/
Affected Versions:

Description

These are findings from the Semgrep software.
Some can be ignored, some can be related to existing bugs,
but they exist...

Let the hackathon start ;)

insecure-use-memset

When handling sensitive information in a buffer, it's important to ensure that the data is securely erased before the buffer is deleted or reused. While memset() is commonly used for this purpose, it can leave sensitive information behind due to compiler optimizations or other factors. To avoid this potential vulnerability, it's recommended to use the memset_s() function instead. memset_s() is a standardized function that securely overwrites the memory with a specified value, making it more difficult for an attacker to recover any sensitive data that was stored in the buffer. By using memset_s() instead of memset(), you can help to ensure that your application is more secure and less vulnerable to exploits that rely on residual data in memory.

C
src/api/api_epg.c:340
src/config.c:1703
src/descrambler/capmt.c:550
src/descrambler/capmt.c:881
src/descrambler/capmt.c:1088
src/descrambler/capmt.c:1842
src/descrambler/capmt.c:1878
src/descrambler/capmt.c:2328
src/descrambler/capmt.c:2545
src/descrambler/cccam.c:340
src/descrambler/cccam.c:643
src/descrambler/cccam.c:684
src/descrambler/cclient.c:183
src/descrambler/cwc.c:474
src/descrambler/cwc.c:890
src/descrambler/cwc.c:944
src/descrambler/descrambler.c:301
src/descrambler/emm_reass.c:612
src/descrambler/emm_reass.c:648
src/descrambler/tvhcsa.c:306
src/download.c:303
src/dvr/dvr_autorec.c:254
src/dvr/dvr_db.c:983
src/dvr/dvr_db.c:2588
src/epg.c:382
src/epg.c:1508
src/epgdb.c:146
src/epgdb.c:192
src/epgdb.c:360
src/epggrab/module/eit.c:663
src/epggrab/module/eit.c:787
src/epggrab/module/opentv.c:256
src/epggrab/module/opentv.c:428
src/epggrab/module/opentv.c:480
src/epggrab/module/xmltv.c:61
src/epggrab/module/xmltv.c:689
src/epggrab/module.c:383
src/epggrab/module.c:669
src/extra/capmt_ca.c:124
src/htsmsg_xml.c:822
src/htsp_server.c:1758
src/htsp_server.c:2699
src/htsp_server.c:2768
src/htsp_server.c:3442
src/http.c:1043
src/http.c:2067
src/httpc.c:1784
src/imagecache.c:322
src/input/mpegts/dvb_psi_lib.c:222
src/input/mpegts/dvb_psi_lib.c:440
src/input/mpegts/dvb_psi_lib.c:544
src/input/mpegts/dvb_support.c:1074
src/input/mpegts/iptv/iptv_http.c:384
src/input/mpegts/linuxdvb/linuxdvb_adapter.c:454
src/input/mpegts/linuxdvb/linuxdvb_adapter.c:532
src/input/mpegts/linuxdvb/linuxdvb_ca.c:120
src/input/mpegts/linuxdvb/linuxdvb_ca.c:892
src/input/mpegts/linuxdvb/linuxdvb_frontend.c:1021
src/input/mpegts/linuxdvb/linuxdvb_frontend.c:1196
src/input/mpegts/linuxdvb/linuxdvb_frontend.c:1239

function-use-after-free

Variable $VAR was passed to a function after being freed. This can lead to undefined behavior.

C
src/descrambler/emm_reass.c:278
src/http.c:1029
src/input/mpegts/mpegts_input.c:587
src/input/mpegts/scanfile.c:1054
src/input/mpegts/tvhdhomerun/tvhdhomerun.c:139
src/packet.c:46
src/packet.c:216
src/packet.c:264
src/packet.c:296
src/service.c:827

insecure-document-method

User controlled data in methods like innerHTML, outerHTML or document.write is an anti-pattern that can lead to XSS vulnerabilities

Javascript
src/webui/static/app/extensions.js:159
src/webui/static/app/tvheadend.js:1333
src/webui/static/app/tvheadend.js:1334
src/webui/static/app/tvheadend.js:1355
src/webui/static/app/tvheadend.js:1364
src/webui/static/livegrid/livegrid-all.js:1
src/webui/static/livegrid/livegrid-all.js:1

detect-non-literal-regexp

RegExp() called with a $ARG function argument, this might allow an attacker to cause a Regular Expression Denial-of-Service (ReDoS) within your application as RegExp blocks the main thread. For this reason, it is recommended to use hardcoded regexes instead. If your regex is run on user-controlled input, consider performing input validation or use a regex checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that the regex does not appear vulnerable to ReDoS.

Javascript
src/webui/static/app/extensions.js:649
src/webui/static/app/marked.js:312
src/webui/static/app/marked.js:1113
src/webui/static/app/marked.js:1113
src/webui/static/app/tvheadend.js:1413
src/webui/static/multiselect/multiselect.js:143

double-free

Variable $VAR was freed twice. This can lead to undefined behavior.

C
src/avahi.c:214
src/http.c:1030
src/input/mpegts/scanfile.c:1060
src/satip/rtsp.c:1895
src/satip/rtsp.c:1898

open-never-closed

file object opened without corresponding close

Python
support/mkbundle:39
support/mkbundle:42
lib/py/tvh/tsreader.py:193
support/epgdump:36
support/pid-count.py:15

insecure-hash-algorithm-sha1

Detected SHA1 hash algorithm which is considered insecure. SHA1 is not collision resistant and is therefore not suitable as a cryptographic signature. Use SHA256 or SHA3 instead.

Python
lib/py/tvh/htsp.py:39
support/pcloud.py:138
support/pcloud.py:140
support/pcloud.py:141

dangerous-globals-use

Found non static data as an index to globals(). This is extremely dangerous because it allows an attacker to execute arbitrary code on the system. Refactor your code not to use globals().

Python
lib/api/python/tvh-json.py:182
support/bintray.py:368
support/dbus_test.py:101
support/pcloud.py:419

default-mutable-dict

Function $F mutates default dict $D. Python only instantiates default function arguments once and shares the instance across the function calls. If the default function argument is mutated, that will modify the instance used by all future function calls. This can cause unexpected results, or lead to security vulnerabilities whereby one function consumer can view or modify the data of another function consumer. Instead, use a default argument (like None) to indicate that no argument was provided and instantiate a new dictionary at that time. For example: if $D is None: $D = {}.

Python
lib/py/tvh/htsp.py:57
lib/py/tvh/htsp.py:58
lib/py/tvh/htsp.py:59

insecure-use-strtok-fn

Avoid using strtok(). This function directly modifies the first argument buffer, permanently erasing the delimiter character. Use strtok_r() instead.

C
src/main.c:581
src/main.c:589

use-after-free

Variable $VAR was used after being freed. This can lead to undefined behavior.

C
src/input/mpegts/mpegts_input.c:588
src/tvhlog.c:650

insecure-use-printf-fn

Avoid using user-controlled format strings passed into sprintf, printf and vsprintf. These functions put you at risk of buffer overflow vulnerabilities through the use of format string exploits. Instead, use snprintf and vsnprintf.

C
src/cron.c:395

javascript-alert

found alert() call; should this be in production code?

Javascript
src/webui/static/multiselect/ddview.js:379

useless-assignment

$X is assigned twice; the first assignment is useless

Javascript
src/webui/static/lovcombo/lovcombo-all.js:157

arbitrary-sleep

time.sleep() call; did you mean to leave this in?

Python
support/mkbundle:102

file-object-redefined-before-close

Detected a file object that is redefined and never closed. This could leak file descriptors and unnecessarily consume system resources.

Python
support/iptv_gen.py:70

no-strings-as-booleans

Using strings as booleans in Python has unexpected results. "one" and "two" will return "two". "one" or "two" will return "one". In Python, strings are truthy, and strings with a non-zero length evaluate to True.

Python
support/doc/md_to_c.py:97

code-after-unconditional-return

code after return statement will not be executed

Python
support/bintray.py:194

use-defused-xml

The Python documentation recommends using defusedxml instead of xml because the native Python xml library is vulnerable to XML External Entity (XXE) attacks. These attacks can leak confidential data and "XML bombs" can cause denial of service.

Python
support/sat_xml_scan.py:8

eval-detected

Detected the use of eval(). eval() can be dangerous if used to evaluate dynamic content. If this content can be input from outside the program, this may be a code injection vulnerability. Ensure evaluated content is not definable by external sources.

Python
support/dbus_test.py:22

use-timeout

Detected a requests call without a timeout set. By default, requests calls wait until the connection is closed. This means a requests call without a timeout will hang the program if a response is never received. Consider setting a timeout for all requests.

Python
lib/py/tvh/tv_meta_tmdb.py:72

History

#1

Updated by Flole Systems over 1 year ago

  • Status changed from New to Invalid

Don't just dump some output of software you don't understand into the bug tracker. This is for actual bugs only.

#2

Updated by saen acro over 1 year ago

Flole Systems
If you can't solve/help with some of these 233 "things", someone else will.
Leave the BUG open.

You're just commenting, not collaborating.
This is not helpful for anyone.
Rethink your personal vs community logic!

#3

Updated by Flole Systems over 1 year ago

If you don't like how I run this project feel free to create a fork. As long as I make decisions here bug reports are only accepted for actual bugs and not some "there's an issue somewhere... Maybe..."

You've made ZERO contributions to this project's code, you're only demanding that others do something. You have absolutely no business in telling others what they should do or how they should spend their time. Multiple people have told you this already but you keep doing it again and again. Stop it! I've taken a break from this project once already because of your constant nagging and complaining. I don't need to spend time on this project at all. It's as simple as that.