From dc6b871b419159097c272fe21cdef6acece40a99 Mon Sep 17 00:00:00 2001
From: Joseph Hunkeler
Date: Thu, 16 Apr 2026 11:52:11 -0400
Subject: Convert more strcat and strcpy to strn variants
---
 src/cli/stasis/args.c | 12 ++++-----
 src/cli/stasis/stasis_main.c | 8 +++---
 src/cli/stasis_indexer/helpers.c | 38 ++++++++++++++--------------
 src/cli/stasis_indexer/stasis_indexer_main.c | 18 ++++++-------
 src/cli/stasis_indexer/website.c | 2 +-
 5 files changed, 39 insertions(+), 39 deletions(-)
(limited to 'src/cli')
diff --git a/src/cli/stasis/args.c b/src/cli/stasis/args.c
index 696f3a6..98b4479 100644
--- a/src/cli/stasis/args.c
+++ b/src/cli/stasis/args.c
@@ -89,20 +89,20 @@ void usage(char *progname) {
 char opt_long[50] = {0}; // --? [ARG]?
 char opt_short[50] = {0}; // -? [ARG]?
- strcat(opt_long, "--");
- strcat(opt_long, long_options[x].name);
+ strncat(opt_long, "--", sizeof(opt_long) - strlen(opt_long) - 1);
+ strncat(opt_long, long_options[x].name, sizeof(opt_long) - strlen(opt_long) - 1);
 if (long_options[x].has_arg) {
- strcat(opt_long, " ARG");
+ strncat(opt_long, " ARG", sizeof(opt_long) - strlen(opt_long) - 1);
 }
 if (long_options[x].val <= 'z') {
- strcat(opt_short, "-");
+ strncat(opt_short, "-", sizeof(opt_short) - strlen(opt_short) - 1);
 opt_short[1] = (char) long_options[x].val;
 if (long_options[x].has_arg) {
- strcat(opt_short, " ARG");
+ strncat(opt_short, " ARG", sizeof(opt_short) - strlen(opt_short) - 1);
 }
 } else {
- strcat(opt_short, " ");
+ strncat(opt_short, " ", sizeof(opt_short) - strlen(opt_short) - 1);
 }
 const char *opt_fmt = " %%-%ds\t%%s\t\t%%s";
diff --git a/src/cli/stasis/stasis_main.c b/src/cli/stasis/stasis_main.c
index 9b3c6ba..328d825 100644
--- a/src/cli/stasis/stasis_main.c
+++ b/src/cli/stasis/stasis_main.c
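Review bot: The three bounded appends to `opt_long` in usage() repeat the same `sizeof(buf) - strlen(buf) - 1` arithmetic and leave no trace when a long option name does not fit in the 50-byte buffer. One formatted write says the same thing and reports the length it needed: `snprintf(opt_long, sizeof(opt_long), "--%s%s", long_options[x].name, long_options[x].has_arg ? " ARG" : "");`. Truncation here only shortens help text, so this is a readability point rather than a defect. usage() starts and ends outside the hunk.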
@@ -532,7 +532,7 @@ int main(int argc, char *argv[]) {
 globals.continue_on_error = true;
 break;
 case 'p':
- strcpy(python_override_version, optarg);
+ strncpy(python_override_version, optarg, sizeof(python_override_version) - 1);
 break;
 case 'l':
 globals.cpu_limit = strtol(optarg, NULL, 10);
@@ -652,9 +652,9 @@ int main(int argc, char *argv[]) {
 configure_jfrog_cli(&ctx);
 runtime_apply(ctx.runtime.environ);
- strcpy(env_name, ctx.info.release_name);
- strcpy(env_name_testing, env_name);
- strcat(env_name_testing, "-test");
+ strncpy(env_name, ctx.info.release_name, sizeof(env_name) - 1);
+ strncpy(env_name_testing, env_name, sizeof(env_name_testing) - 1);
+ strncat(env_name_testing, "-test", sizeof(env_name_testing) - strlen(env_name_testing) - 1);
 char *envs[] = { "release", env_name, "testing", env_name_testing,
diff --git a/src/cli/stasis_indexer/helpers.c b/src/cli/stasis_indexer/helpers.c
index 6dc653d..27608d3 100644
--- a/src/cli/stasis_indexer/helpers.c
+++ b/src/cli/stasis_indexer/helpers.c
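Review bot: In the `case 'p':` branch, `strncpy` writes no terminator when `optarg` is `sizeof(python_override_version) - 1` bytes or longer, so the result is a valid string only if the buffer was zero-filled beforehand; its declaration is outside the hunk. An over-long value is also cut silently and then presumably used as a different version string; rejecting it before the copy is clearer, e.g. `if (strlen(optarg) >= sizeof(python_override_version)) { /* report and exit */ }`. The same pattern is in the second hunk of this file, where a long `release_name` leaves no room for `-test` and `env_name_testing` comes out equal to `env_name`. It also applies to both `indexer_combine_rootdirs` hunks in stasis_indexer_main.c, where `/output` can be dropped the same way.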
@@ -96,44 +96,44 @@ int pandoc_exec(const char *in_file, const char *out_file, const char *css_file,
 if (!get_pandoc_version(&pandoc_version)) {
 // < 2.19
 if (pandoc_version < 0x02130000) {
- strcat(pandoc_versioned_args, "--self-contained ");
+ strncat(pandoc_versioned_args, "--self-contained ", sizeof(pandoc_versioned_args) - strlen(pandoc_versioned_args) - 1);
 } else { // >= 2.19
- strcat(pandoc_versioned_args, "--embed-resources ");
+ strncat(pandoc_versioned_args, "--embed-resources ", sizeof(pandoc_versioned_args) - strlen(pandoc_versioned_args) - 1);
 }
 // >= 1.15.0.4
 if (pandoc_version >= 0x010f0004) {
- strcat(pandoc_versioned_args, "--standalone ");
+ strncat(pandoc_versioned_args, "--standalone ", sizeof(pandoc_versioned_args) - strlen(pandoc_versioned_args) - 1);
 }
 // >= 1.10.0.1
 if (pandoc_version >= 0x010a0001) {
- strcat(pandoc_versioned_args, "-f gfm+autolink_bare_uris ");
+ strncat(pandoc_versioned_args, "-f gfm+autolink_bare_uris ", sizeof(pandoc_versioned_args) - strlen(pandoc_versioned_args) - 1);
 }
 // > 3.1.9
 if (pandoc_version > 0x03010900) {
- strcat(pandoc_versioned_args, "-f gfm+alerts ");
+ strncat(pandoc_versioned_args, "-f gfm+alerts ", sizeof(pandoc_versioned_args) - strlen(pandoc_versioned_args) - 1);
 }
 }
 // Converts a markdown file to html
 char cmd[STASIS_BUFSIZ] = {0};
- strcpy(cmd, "pandoc ");
- strcat(cmd, pandoc_versioned_args);
+ strncpy(cmd, "pandoc ", sizeof(cmd));
+ strncat(cmd, pandoc_versioned_args, sizeof(cmd) - strlen(cmd) - 1);
 if (css_file && strlen(css_file)) {
- strcat(cmd, "--css ");
- strcat(cmd, css_file);
+ strncat(cmd, "--css ", sizeof(cmd) - strlen(cmd) - 1);
+ strncat(cmd, css_file, sizeof(cmd) - strlen(cmd) - 1);
 }
- strcat(cmd, " ");
- strcat(cmd, "--metadata title=\"");
- strcat(cmd, title);
- strcat(cmd, "\" ");
- strcat(cmd, "-o ");
- strcat(cmd, out_file);
- strcat(cmd, " ");
- strcat(cmd, in_file);
+ strncat(cmd, " ", sizeof(cmd) - strlen(cmd) - 1);
+ strncat(cmd, "--metadata title=\"", sizeof(cmd) - strlen(cmd) - 1);
+ strncat(cmd, title, sizeof(cmd) - strlen(cmd) - 1);
+ strncat(cmd, "\" ", sizeof(cmd) - strlen(cmd) - 1);
+ strncat(cmd, "-o ", sizeof(cmd) - strlen(cmd) - 1);
+ strncat(cmd, out_file, sizeof(cmd) - strlen(cmd) - 1);
+ strncat(cmd, " ", sizeof(cmd) - strlen(cmd) - 1);
+ strncat(cmd, in_file, sizeof(cmd) - strlen(cmd) - 1);
 if (globals.verbose) {
 puts(cmd);
@@ -377,8 +377,8 @@ int write_manifest(const char *path, char **exclude_path, FILE *fp) {
 }
 char filepath[PATH_MAX] = {0};
 strncpy(filepath, path, PATH_MAX - 1);
- strcat(filepath, "/");
- strcat(filepath, rec->d_name);
+ strncat(filepath, "/", sizeof(filepath) - strlen(filepath) - 1);
+ strncat(filepath, rec->d_name, sizeof(filepath) - strlen(filepath) - 1);
 if (rec->d_type == DT_DIR) {
 write_manifest(filepath, exclude_path, fp);
 continue;
diff --git a/src/cli/stasis_indexer/stasis_indexer_main.c b/src/cli/stasis_indexer/stasis_indexer_main.c
index 5f7ded4..63fb45c 100644
--- a/src/cli/stasis_indexer/stasis_indexer_main.c
+++ b/src/cli/stasis_indexer/stasis_indexer_main.c
@@ -13,9 +13,9 @@ int indexer_combine_rootdirs(const char *dest, char **rootdirs, const size_t roo
 char destdir_with_output[PATH_MAX] = {0};
 char *destdir = destdir_bare;
- strcpy(destdir_bare, dest);
- strcpy(destdir_with_output, dest);
- strcat(destdir_with_output, "/output");
+ strncpy(destdir_bare, dest, sizeof(destdir_bare) - 1);
+ strncpy(destdir_with_output, dest, sizeof(destdir_with_output) - 1);
+ strncat(destdir_with_output, "/output", sizeof(destdir_with_output) - strlen(destdir_with_output) - 1);
 if (!access(destdir_with_output, F_OK)) {
 destdir = destdir_with_output;
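Review bot: A command line that does not fit in `cmd` is now cut off silently in pandoc_exec() and the cut string is still used, so depending on where it ends pandoc could be run with a shortened output path or without the input file. Building the string with a single snprintf call and returning an error when the result does not fit closes that gap; the caller in website.c tests the result with `if (pandoc_exec(...))`, so a non-zero return presumably signals failure. `title`, `css_file`, `out_file` and `in_file` are also pasted in without quoting, so if `cmd` is later handed to a shell (the call is outside the hunk) names containing spaces or shell metacharacters change the command; an argv-based spawn would avoid that. pandoc_exec() begins and ends outside the hunk.

```c
    char cmd[STASIS_BUFSIZ] = {0};
    const int have_css = css_file && strlen(css_file);
    const int cmd_len = snprintf(cmd, sizeof(cmd),
                                 "pandoc %s%s%s --metadata title=\"%s\" -o %s %s",
                                 pandoc_versioned_args,
                                 have_css ? "--css " : "",
                                 have_css ? css_file : "",
                                 title, out_file, in_file);
    if (cmd_len < 0 || (size_t) cmd_len >= sizeof(cmd)) {
        // Do not run a command line that was cut short.
        return -1;
    }
    // … unchanged: verbose echo of cmd …
```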
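Review bot: When `path` plus `/` plus `rec->d_name` does not fit in PATH_MAX, `filepath` in write_manifest() now holds a shortened path, and for a directory entry that shortened path is passed straight to the recursive call. In the worst case `filepath` ends up equal to `path` and the function could descend into the same directory again. Formatting once and skipping the entry on overflow avoids this: `int n = snprintf(filepath, sizeof(filepath), "%s/%s", path, rec->d_name);` followed by `if (n < 0 || (size_t) n >= sizeof(filepath)) continue;`. The loop around these lines starts outside the hunk.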
@@ -26,9 +26,9 @@ int indexer_combine_rootdirs(const char *dest, char **rootdirs, const size_t roo
 char srcdir_bare[PATH_MAX] = {0};
 char srcdir_with_output[PATH_MAX] = {0};
 char *srcdir = srcdir_bare;
- strcpy(srcdir_bare, rootdirs[i]);
- strcpy(srcdir_with_output, rootdirs[i]);
- strcat(srcdir_with_output, "/output");
+ strncpy(srcdir_bare, rootdirs[i], sizeof(srcdir_bare) - 1);
+ strncpy(srcdir_with_output, rootdirs[i], sizeof(srcdir_with_output) - 1);
+ strncat(srcdir_with_output, "/output", sizeof(srcdir_with_output) - strlen(srcdir_with_output) - 1);
 if (access(srcdir_bare, F_OK)) {
 fprintf(stderr, "%s does not exist\n", srcdir_bare);
@@ -261,11 +261,11 @@ int main(const int argc, char *argv[]) {
 char workdir_template[PATH_MAX] = {0};
 const char *system_tmp = getenv("TMPDIR");
 if (system_tmp) {
- strcat(workdir_template, system_tmp);
+ strncat(workdir_template, system_tmp, sizeof(workdir_template) - strlen(workdir_template) - 1);
 } else {
- strcat(workdir_template, "/tmp");
+ strncat(workdir_template, "/tmp", sizeof(workdir_template) - strlen(workdir_template) - 1);
 }
- strcat(workdir_template, "/stasis-combine.XXXXXX");
+ strncat(workdir_template, "/stasis-combine.XXXXXX", sizeof(workdir_template) - strlen(workdir_template) - 1);
 char *workdir = mkdtemp(workdir_template);
 if (!workdir) {
 SYSERROR("Unable to create temporary directory: %s", workdir_template);
diff --git a/src/cli/stasis_indexer/website.c b/src/cli/stasis_indexer/website.c
index e758d47..8a5126d 100644
--- a/src/cli/stasis_indexer/website.c
+++ b/src/cli/stasis_indexer/website.c
@@ -36,7 +36,7 @@ int indexer_make_website(struct Delivery **ctx) {
 // Replace *.md extension with *.html.
 strncpy(fullpath_dest, fullpath_src, sizeof(fullpath_dest) - 1);
- gen_file_extension_str(fullpath_dest, ".html");
+ gen_file_extension_str(fullpath_dest, sizeof(fullpath_dest), ".html");
 // Convert markdown to html
 if (pandoc_exec(fullpath_src, fullpath_dest, have_css ? css_filename : NULL, "STASIS")) {
-- cgit
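Review bot: Nothing in this part of main() says what happens when `TMPDIR` is too long for `workdir_template`: the last `strncat` then cannot append the whole `/stasis-combine.XXXXXX` suffix, and `mkdtemp` is expected to reject a template that does not end in `XXXXXX`, which leaves the existing `SYSERROR` branch as the only guard. A comment above the `mkdtemp` call would record that, for example `// An over-long TMPDIR truncates the template; mkdtemp() then fails and is reported below.` Checking `strlen(system_tmp)` against the buffer size first would give a clearer message than printing the truncated template. main() continues outside the hunk.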
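Review bot: The call to `gen_file_extension_str` in indexer_make_website() now passes the buffer size, but any result it returns is not checked here; its definition is not part of this diff. If the `.html` suffix cannot be applied because `fullpath_dest` is already full, `fullpath_dest` may still name the `.md` source, and the following `pandoc_exec(fullpath_src, fullpath_dest, ...)` would then write its output over its input. It is worth confirming what the helper does on overflow and skipping the file in that case.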