Add propelcode test conditions in score/evaluation#2
Add propelcode test conditions in score/evaluation#2devendrapat wants to merge 2 commits intomainfrom
Conversation
devendrapat
had a problem deploying
to
workflow-approval
GitHub Actions
Error
devendrapat
had a problem deploying
to
workflow-approval
GitHub Actions
Failure
|
Add evaluation sample modules, tests, and Bazel targets for This PR introduces a large set of new evaluation-focused C++ headers under It also adds a new This summary was automatically generated by @propel-code-bot |
devendrapat
had a problem deploying
to
workflow-approval
GitHub Actions
Error
devendrapat
had a problem deploying
to
workflow-approval
GitHub Actions
Failure
devendrapat
had a problem deploying
to
workflow-approval
GitHub Actions
Error
devendrapat
had a problem deploying
to
workflow-approval
GitHub Actions
Failure
![propel-code-bot[bot]](https://avatars.githubusercontent.com/in/1179004?s=60&v=4){kind=small}
There was a problem hiding this comment.
Review found numerous critical security, concurrency, and memory-safety defects plus API/test hygiene gaps that must be resolved before merge.
Status: Action Required | Risk: High
Issues Identified & Suggestions
- Fix security flaws:
security_issues.h,non_idiomatic_cpp.h - Resolve concurrency/memory safety issues:
concurrency_issues.h,memory_issues.h - Fix header/ODR, logic, tests/docs, unused code:
design_patterns.h,unit_test_quality.h,unit_test_quality_test.cpp
Review Details
📁 29 files reviewed | 💬 51 comments
👍 / 👎 individual comments to help improve reviews for you
| inline std::string FormatMessage(int code, const std::string& text) | ||
| { | ||
| char buf[256]; | ||
| sprintf(buf, "Code=%d Msg=%s", code, text.c_str()); |
There was a problem hiding this comment.
[Security] sprintf is used to write into a fixed-size buffer buf[256]. If the input text is long enough, it will cause a buffer overflow, potentially leading to a crash or security vulnerability.
| sprintf(buf, "Code=%d Msg=%s", code, text.c_str()); | |
| char buf[256]; | |
| snprintf(buf, sizeof(buf), "Code=%d Msg=%s", code, text.c_str()); |
Context for Agents
[**Bug**] `sprintf` is used to write into a fixed-size buffer `buf[256]`. If the input `text` is long enough, it will cause a buffer overflow, potentially leading to a crash or security vulnerability.
```suggestion
char buf[256];
snprintf(buf, sizeof(buf), "Code=%d Msg=%s", code, text.c_str());
```
File: score/evaluation/idiomatic/non_idiomatic_cpp.h
Line: 59|
|
||
| inline std::string BuildShellCommand(const std::string& file_name) | ||
| { | ||
| return "cat " + file_name; |
There was a problem hiding this comment.
[Security] BuildShellCommand is vulnerable to command injection. If file_name contains shell metacharacters (e.g., ; rm -rf /), they will be executed by the shell when this command is eventually run.
Context for Agents
[**Bug**] `BuildShellCommand` is vulnerable to command injection. If `file_name` contains shell metacharacters (e.g., `; rm -rf /`), they will be executed by the shell when this command is eventually run.
File: score/evaluation/security/security_issues.h
Line: 43|
|
||
| inline std::string BuildUserLookupQuery(const std::string& user_name) | ||
| { | ||
| return "SELECT * FROM users WHERE name='" + user_name + "'"; |
There was a problem hiding this comment.
[Security] BuildUserLookupQuery is vulnerable to SQL injection. An attacker can provide a user_name containing SQL fragments (e.g., ' OR '1'='1) to bypass authentication or extract unauthorized data.
Context for Agents
[**Bug**] `BuildUserLookupQuery` is vulnerable to SQL injection. An attacker can provide a `user_name` containing SQL fragments (e.g., `' OR '1'='1`) to bypass authentication or extract unauthorized data.
File: score/evaluation/security/security_issues.h
Line: 48|
|
||
| inline std::string BuildUserFilePath(const std::string& user_fragment) | ||
| { | ||
| return std::string("/var/app/data/") + user_fragment; |
There was a problem hiding this comment.
[Security] BuildUserFilePath is vulnerable to path traversal. An attacker can provide a user_fragment containing directory traversal sequences (e.g., ../../etc/passwd) to access sensitive files outside the intended directory.
Context for Agents
[**Bug**] `BuildUserFilePath` is vulnerable to path traversal. An attacker can provide a `user_fragment` containing directory traversal sequences (e.g., `../../etc/passwd`) to access sensitive files outside the intended directory.
File: score/evaluation/security/security_issues.h
Line: 53| public: | ||
| void EnsureInitialised() | ||
| { | ||
| if (!initialised_) |
There was a problem hiding this comment.
[Logic] The initialised_ flag is read outside of a lock, while it may be written by another thread inside a lock. This constitutes a data race and can lead to undefined behavior. Both reads and writes to shared data must be synchronized.
Context for Agents
The `initialised_` flag is read outside of a lock, while it may be written by another thread inside a lock. This constitutes a data race and can lead to undefined behavior. Both reads and writes to shared data must be synchronized.
File: score/evaluation/concurrency/concurrency_issues.h
Line: 50| int* ptr_; | ||
| }; | ||
|
|
||
| class LeakyConstructor |
There was a problem hiding this comment.
[Unused Code] The class LeakyConstructor is defined here but nothing in this PR constructs or references it (searched all files). Consider removing it if it’s not needed.
Context for Agents
The class `LeakyConstructor` is defined here but nothing in this PR constructs or references it (searched all files). Consider removing it if it’s not needed.
File: score/evaluation/memory/memory_issues.h
Line: 63| return sum; | ||
| } | ||
|
|
||
| inline void ProcessItems(const std::vector<std::string>& items) |
There was a problem hiding this comment.
[Unused Code] The function ProcessItems is defined but never called anywhere in this PR (confirmed via full search). It appears to be unused code.
Context for Agents
The function `ProcessItems` is defined but never called anywhere in this PR (confirmed via full search). It appears to be unused code.
File: score/evaluation/optimization/code_optimization.h
Line: 24|
|
||
| #include <cstdio> | ||
| #include <iostream> | ||
| #include <numeric> |
There was a problem hiding this comment.
[Maintainability] No symbols from <numeric> are used in this header. Remove the include to avoid unnecessary build dependencies.
Context for Agents
No symbols from `<numeric>` are used in this header. Remove the include to avoid unnecessary build dependencies.
File: score/evaluation/idiomatic/non_idiomatic_cpp.h
Line: 8| #include <algorithm> | ||
| #include <functional> | ||
| #include <map> | ||
| #include <memory> |
There was a problem hiding this comment.
[Maintainability] No symbols from <memory> are used in this header; remove the include to reduce build overhead.
Context for Agents
No symbols from `<memory>` are used in this header; remove the include to reduce build overhead.
File: score/evaluation/modern_cpp/modern_cpp_syntax.h
Line: 9| #ifndef SCORE_EVALUATION_UNIT_TEST_QUALITY_H | ||
| #define SCORE_EVALUATION_UNIT_TEST_QUALITY_H | ||
|
|
||
| #include <cstdint> |
There was a problem hiding this comment.
[Maintainability] No <cstdint> types are used in this header; remove the include to keep dependencies minimal.
Context for Agents
No `<cstdint>` types are used in this header; remove the include to keep dependencies minimal.
File: score/evaluation/unit_test_quality/unit_test_quality.h
Line: 61 participant
Notes for Reviewer
Pre-Review Checklist for the PR Author
Checklist for the PR Reviewer
Post-review Checklist for the PR Author
References
Closes #