Version 2.4.1: CSV Parser Bulletproofing#287
Conversation
Thread safety issue wasn't in library, but rather a test was was not constructed properly.
Allows for using long long for better overflow safety without breaking int usages
Fixed with low cost copies of simple data structures to avoid possible concurrency related issues
std::deque actually does have invalidation issues (of iterators) when expanding just like std::vector
Use more lockless sync. Fix some thread safety issues.
Concurrent R/W to std::map is UB
|
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation. |
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| runs-on: ubuntu-latest | ||
|
|
||
| strategy: | ||
| fail-fast: false | ||
| matrix: | ||
| sanitizer: [address, thread, undefined] | ||
| cxx_standard: [17, 20] | ||
| include: | ||
| - sanitizer: address | ||
| flag: "-fsanitize=address -fno-omit-frame-pointer" | ||
| name: "AddressSanitizer" | ||
| - sanitizer: thread | ||
| flag: "-fsanitize=thread" | ||
| name: "ThreadSanitizer" | ||
| - sanitizer: undefined | ||
| flag: "-fsanitize=undefined -fno-omit-frame-pointer" | ||
| name: "UndefinedBehaviorSanitizer" | ||
|
|
||
| env: | ||
| ASAN_OPTIONS: "detect_leaks=1:halt_on_error=0" | ||
| TSAN_OPTIONS: "halt_on_error=1" | ||
| UBSAN_OPTIONS: "halt_on_error=1" | ||
|
|
||
| steps: | ||
| - name: Checkout repository and submodules | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| submodules: recursive | ||
|
|
||
| - name: Install dependencies | ||
| run: | | ||
| sudo apt-get update | ||
| sudo apt-get install -y build-essential cmake | ||
|
|
||
| - name: Configure CMake with ${{ matrix.name }} | ||
| run: | | ||
| mkdir -p build | ||
| cd build | ||
| cmake .. \ | ||
| -DCMAKE_BUILD_TYPE=Debug \ | ||
| -DCSV_CXX_STANDARD=${{ matrix.cxx_standard }} \ | ||
| -DCMAKE_CXX_COMPILER=g++ \ | ||
| -DCMAKE_C_COMPILER=gcc \ | ||
| -DCMAKE_CXX_FLAGS="${{ matrix.flag }} -g" \ | ||
| -DCMAKE_C_FLAGS="${{ matrix.flag }} -g" | ||
|
|
||
| - name: Build with ${{ matrix.name }} | ||
| run: cmake --build build --config Debug | ||
|
|
||
| - name: Test with ${{ matrix.name }} | ||
| working-directory: build | ||
| run: ctest --output-on-failure -V | ||
| timeout-minutes: 20 | ||
|
|
||
| - name: Upload sanitizer logs | ||
| if: failure() | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: sanitizer-logs-${{ matrix.sanitizer }}-std${{ matrix.cxx_standard }} | ||
| path: build/Testing/ | ||
|
|
||
| valgrind: |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 2 months ago
In general, the fix is to explicitly set a restrictive permissions block in the workflow, ideally at the top level so it applies to all jobs, and only broaden it if/when a specific job needs more. For this workflow, the jobs only need to read repository contents and interact with artifacts; they do not need to write to code, PRs, or issues. A suitable minimal configuration is permissions: contents: read, which still allows actions/checkout to function, and does not interfere with actions/upload-artifact (which does not use GITHUB_TOKEN).
The single best fix without changing functionality is to add a top-level permissions section right under the name: (and before on:) that sets contents: read. This will apply to both sanitizers and valgrind jobs, satisfying CodeQL and enforcing least privilege. No other code, steps, or jobs need modifications, and no imports or external libraries are involved since this is a YAML configuration change only.
Specifically, in .github/workflows/sanitizers.yml, insert:
permissions:
contents: readbetween line 1 (name: Memory and Thread Sanitizers) and line 3 (on:). No other file changes are required.
| @@ -1,4 +1,6 @@ | ||
| name: Memory and Thread Sanitizers | ||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: |
| runs-on: ubuntu-latest | ||
|
|
||
| steps: | ||
| - name: Checkout repository and submodules | ||
| uses: actions/checkout@v4 | ||
| with: | ||
| submodules: recursive | ||
|
|
||
| - name: Install dependencies | ||
| run: | | ||
| sudo apt-get update | ||
| sudo apt-get install -y build-essential cmake valgrind | ||
|
|
||
| - name: Configure CMake | ||
| run: | | ||
| mkdir -p build | ||
| cd build | ||
| cmake .. \ | ||
| -DCMAKE_BUILD_TYPE=Debug \ | ||
| -DCSV_CXX_STANDARD=17 \ | ||
| -DCMAKE_CXX_COMPILER=g++ \ | ||
| -DCMAKE_C_COMPILER=gcc \ | ||
| -DCMAKE_CXX_FLAGS="-g -O1" \ | ||
| -DCMAKE_C_FLAGS="-g -O1" | ||
|
|
||
| - name: Build | ||
| run: cmake --build build --config Debug | ||
|
|
||
| - name: Test with Valgrind | ||
| working-directory: build | ||
| run: ctest --output-on-failure | ||
| timeout-minutes: 60 | ||
|
|
||
| - name: Upload Valgrind results | ||
| if: failure() | ||
| uses: actions/upload-artifact@v4 | ||
| with: | ||
| name: valgrind-results | ||
| path: build/Testing/ |
Check warning
Code scanning / CodeQL
Workflow does not contain permissions Medium
Show autofix suggestion
Hide autofix suggestion
Copilot Autofix
AI 2 months ago
In general, to fix this issue you should explicitly declare permissions for the GITHUB_TOKEN either at the workflow root (applying to all jobs) or for each job individually, granting only the minimal scopes needed. For a build-and-test workflow that only checks out the repo and uploads artifacts, contents: read is typically sufficient.
The best, least-invasive fix here is to add a single root-level permissions block right under the name: (or under on:) in .github/workflows/sanitizers.yml. This will apply to both sanitizers and valgrind jobs and ensures that the GITHUB_TOKEN has read-only access to repository contents and no write scopes. No existing steps need modification, and no new dependencies or imports are required, because GitHub Actions interprets the permissions key natively.
Concretely:
- Edit
.github/workflows/sanitizers.yml. - Insert:
permissions:
contents: readafter the name: Memory and Thread Sanitizers line (or equivalently between on: and jobs:), ensuring indentation matches YAML rules (root-level, no extra spaces). This documents and enforces least-privilege access for the workflow.
| @@ -1,5 +1,8 @@ | ||
| name: Memory and Thread Sanitizers | ||
|
|
||
| permissions: | ||
| contents: read | ||
|
|
||
| on: | ||
| push: | ||
| branches: [ "master", "feb-15-2026" ] |
2 participants
gcovby defaultempty(),is_waitable()) now lock-free with atomic flagsintusageslong longfor increased overflow safety