
create fopen_modsec #3582

Open
kanseiishikawa wants to merge 2 commits into owasp-modsecurity:v3/master from kanseiishikawa:create/fopen_s

Conversation


@kanseiishikawa kanseiishikawa commented Jun 22, 2026


what

Since fopen_s, which is used in win32, is more secure, we defined and implemented it internally so that it can be used in other operating systems as well.
Since fopen_s can have name conflicts, we're creating it as fopen_modsec.

why

SonarCloud Code Analysis has started causing errors with fopen.

'fopen' is deprecated: This function or variable may be unsafe. Consider using fopen_s instead. To disable deprecation, use _CRT_SECURE_NO_WARNINGS. See online help for details.

references

The goal is to resolve this error.
https://github.com/owasp-modsecurity/ModSecurity/pull/3521/changes#diff-2f0c197bfdbe90b112359e18d7980ca2c8535fe1cbd47ce1029c27130812de2aR113
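An added example (not the PR's code, and not ModSecurity's API) of how a wrapper with the goal described above can give Windows and other platforms one contract: it mirrors fopen_s (0 on success, an errno value on failure, the output pointer always written) and only calls fopen_s where MSVC provides it. The function name, the sample path and the file contents are constructed for this example.

```cpp
#include <cerrno>
#include <cstdio>
#include <cstring>

// Hypothetical portable wrapper; names are assumptions, not ModSecurity's own API.
// The contract mirrors fopen_s: 0 on success, an errno value on failure, and *out is
// always written (nullptr on failure), so callers may test either the return code
// or the pointer without reading an uninitialized value.
int fopen_portable(FILE **out, const char *filename, const char *mode) {
    if (out == nullptr) return EINVAL;
    *out = nullptr;
    if (filename == nullptr || mode == nullptr) return EINVAL;
#if defined(_MSC_VER)
    // MSVC: the bounds-checked CRT variant the analyzer asks for.
    errno_t rc = fopen_s(out, filename, mode);
    if (rc != 0) *out = nullptr;
    return rc;
#else
    // Elsewhere fopen_s is not guaranteed to exist; fopen plus an explicit errno
    // capture yields the same observable contract.
    *out = std::fopen(filename, mode);
    return (*out != nullptr) ? 0 : errno;
#endif
}

// Walks through the three outcomes a caller has to handle: bad argument, open
// failure with a real errno, and a successful create/reopen round trip.
// The path and the rule line written to it are constructed for this example.
bool demo_fopen_portable() {
    const char *path = "/tmp/fopen_portable_example.txt";
    FILE *fp = reinterpret_cast<FILE *>(0x1);  // deliberately garbage: must be overwritten

    if (fopen_portable(&fp, nullptr, "r") != EINVAL || fp != nullptr) return false;
    if (fopen_portable(&fp, "/nonexistent-dir-for-demo/x.conf", "r") == 0 || fp != nullptr) return false;

    if (fopen_portable(&fp, path, "w") != 0) return false;
    std::fputs("SecRule ARGS \"@rx test\" \"id:1\"\n", fp);
    std::fclose(fp);

    if (fopen_portable(&fp, path, "r") != 0) return false;
    char buf[64] = {0};
    bool ok = std::fgets(buf, sizeof buf, fp) != nullptr && std::strncmp(buf, "SecRule", 7) == 0;
    std::fclose(fp);
    std::remove(path);
    return ok;
}
```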

@kanseiishikawa


"The SonarCloud duplication (66.7%) is a false positive caused by the very small diff size (only 6 lines). Since I don't have permission to modify the SonarCloud config, could a maintainer please check and approve this manually?"

@sonarqubecloud


Quality Gate failed

Failed conditions
7.4% Duplication on New Code (required ≤ 3%)

See analysis details on SonarQube Cloud

@airween airween requested a review from Copilot June 28, 2026 09:18
@airween airween added the 3.x Related to ModSecurity version 3.x label Jun 28, 2026

Copilot AI left a comment


Pull request overview

This pull request introduces a fopen_modsec() helper intended to replace direct fopen() usage (primarily to address Windows/MSVC deprecation warnings flagged by static analysis) and updates several call sites to use the new helper.

Changes:

  • Added modsecurity::utils::fopen_modsec(FILE**, const char*, const char*) declaration/definition and migrated isFile() to use it.
  • Updated file-opening in SharedFiles and SecLang include-handling in the scanner to call fopen_modsec() instead of fopen().
  • Added new includes where needed to access the helper.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 6 comments.

File | Description
src/utils/system.h | Declares the new fopen_modsec() helper in the utils API.
src/utils/system.cc | Implements fopen_modsec() and switches isFile() to use it.
src/utils/shared_files.cc | Switches audit/debug shared file handler creation to use fopen_modsec().
src/parser/seclang-scanner.ll | Updates scanner include-handling to use fopen_modsec().
src/parser/seclang-scanner.cc | Updates the generated scanner output to use fopen_modsec() in include-handling paths.


Comment thread src/utils/system.cc
Comment on lines +16 to 17
#include <bits/types/FILE.h>
#include <stdio.h>
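Review bot: `#include <bits/types/FILE.h>` on line +16 is a glibc-internal header that does not exist on MSVC, macOS or musl-based systems, so it breaks exactly the Windows build this PR is meant to help; `<stdio.h>` on the next line (or `<cstdio>` in C++ code) already declares `FILE`, so drop the `bits/` include.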
Comment thread src/utils/system.h
std::list<std::string> expandEnv(const std::string& var, int flags);
bool createDir(const std::string& dir, int mode, std::string *error);
bool isFile(const std::string& f);
bool fopen_modsec(FILE **v_fp, const char *filename, const char *mode);
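Review bot: the new `fopen_modsec` declaration is undocumented and its contract differs from `fopen_s` (it returns `bool`, not an error code) even though the description presents it as an fopen_s stand-in; add a short comment above it stating that it returns true on success and false otherwise and what `*v_fp` holds on failure, and make sure system.h includes `<cstdio>` so `FILE` is declared wherever this header is included on its own.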
Comment thread src/utils/system.cc
Comment on lines +227 to +236
bool fopen_modsec(FILE **v_fp, const char *filename, const char *mode) {
if (v_fp == nullptr || filename == nullptr || mode == nullptr) {
return false;
}
*v_fp = fopen(filename, mode);
if (*v_fp == nullptr) {
return false;
}
return true;
}
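Review bot: on every platform, MSVC included, this body still calls plain `fopen()` (line +231), so the deprecation warning that motivated the PR is relocated into this function rather than resolved, and the stated goal of using `fopen_s` where it exists is not met; wrap the call as `#ifdef _MSC_VER` / `return fopen_s(v_fp, filename, mode) == 0;` with the `fopen()` path as the `#else` fallback. Also, the null-argument early return leaves `*v_fp` untouched; set `*v_fp = nullptr` first so a caller that checks the pointer gets a defined value on every failure path.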

yyin = fopen(f.c_str(), "r" );
if (!yyin) {
if (!modsecurity::utils::fopen_modsec(&yyin, f.c_str(), "r") != 0) {
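Review bot: `!modsecurity::utils::fopen_modsec(...) != 0` on the added line is parsed as `(!fopen_modsec(...)) != 0`; because the helper returns `bool` this happens to equal `!fopen_modsec(...)`, but the `!= 0` is noise that reads as if an error code were being compared, as with `fopen_s`. Write `if (!modsecurity::utils::fopen_modsec(&yyin, f.c_str(), "r")) {` instead; the removed `if (!yyin)` check is subsumed because the helper leaves `yyin` null when the open fails.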
driver.loc.back()->begin.filename = driver.loc.back()->end.filename = &(driver.m_filenames.back());
yyin = fopen(f.c_str(), "r" );
if (!yyin) {
if (!modsecurity::utils::fopen_modsec(&yyin, f.c_str(), "r") != 0) { // NOSONAR
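Review bot: the `// NOSONAR` marker on the added line suppresses analysis of a line that no longer calls `fopen()`, so it hides nothing the analyzer flagged and will only mask future findings on that line; remove it, and apply the same simplification of `!... != 0` to `!modsecurity::utils::fopen_modsec(...)` as in the previous hunk.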

yyin = fopen(f.c_str(), "r" );
if (!yyin) {
if (!modsecurity::utils::fopen_modsec(&yyin, f.c_str(), "r") != 0) { // NOSONAR
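Review bot: if this and the previous hunk are in seclang-scanner.cc, which the file summary lists as the generated scanner output, hand-editing flex output is fragile: the next regeneration overwrites it, and the two files already differ (the `// NOSONAR` comment appears in these two hunks but not in the first scanner hunk). Make the change in seclang-scanner.ll only and regenerate the .cc with flex so both stay in step.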