codeql: taint setmntent() and getmntent()

author Mike Yuan <me@yhndnzj.com>

Tue, 16 Sep 2025 17:38:09 +0000 (19:38 +0200)

committer Mike Yuan <me@yhndnzj.com>

Thu, 18 Sep 2025 18:25:15 +0000 (20:25 +0200)
author Mike Yuan <me@yhndnzj.com>
Tue, 16 Sep 2025 17:38:09 +0000 (19:38 +0200)
committer Mike Yuan <me@yhndnzj.com>
Thu, 18 Sep 2025 18:25:15 +0000 (20:25 +0200)
diff --git a/.github/codeql-queries/PotentiallyDangerousFunction.ql b/.github/codeql-queries/PotentiallyDangerousFunction.ql

index 40e2bbb6f9eff03ef30c83d4f4609d284d7d2cf6..abd3f87a3425b5ddc899622bab0fff0c7b8ae3d2 100644 (file)
--- a/.github/codeql-queries/PotentiallyDangerousFunction.ql
+++ b/.github/codeql-queries/PotentiallyDangerousFunction.ql
@@ -52,6 +52,12 @@ predicate potentiallyDangerousFunction(Function f, string message) {
    ) or (
      f.getQualifiedName() = "basename" and
      message = "Call basename() is icky. Use path_extract_filename() instead."
+  ) or (
+    f.getQualifiedName() = "setmntent" and
+    message = "Libmount parser is used instead, specifically libmount_parse_fstab()."
+  ) or (
+    f.getQualifiedName() = "getmntent" and
+    message = "Libmount parser is used instead, specifically mnt_table_next_fs()."
    )
  }
author	Mike Yuan <me@yhndnzj.com>
	Tue, 16 Sep 2025 17:38:09 +0000 (19:38 +0200)
committer	Mike Yuan <me@yhndnzj.com>
	Thu, 18 Sep 2025 18:25:15 +0000 (20:25 +0200)