Fix CodeQL security alerts

montge · claude · montge · commit 69ce108b9a4e · 2025-11-30T17:05:54.000-05:00
- sched.c: Fix scanf return value check (check != 1 instead of == 0) to properly handle EOF condition - ci.yml: Add explicit permissions block to restrict workflow to read-only contents access (security best practice) Fixes CodeQL alerts nimble-code#27 (incorrectly-checked-scanf) and nimble-code#30-35 (missing-workflow-permissions) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -6,6 +6,10 @@ on:
   pull_request:
     branches: [master, main]
 
+# Restrict permissions to minimum required
+permissions:
+  contents: read
+
 jobs:
   build-linux:
     runs-on: ubuntu-latest
diff --git a/Src/sched.c b/Src/sched.c
@@ -569,7 +569,7 @@ try_more:	for (X_lst = run_lst, k = 1; X_lst; X_lst = X_lst->nxt)
 		} else
 		{	char buf[256];
 			fflush(stdout);
-			if (scanf("%64s", buf) == 0)
+			if (scanf("%64s", buf) != 1)
 			{	printf("\tno input\n");
 				goto try_again;
 			}

Original file line number	Diff line number	Diff line change
`@@ -569,7 +569,7 @@ try_more: for (X_lst = run_lst, k = 1; X_lst; X_lst = X_lst->nxt)`
`569`	`569`	`} else`
`570`	`570`	`{ char buf[256];`
`571`	`571`	`fflush(stdout);`
`572`		`- if (scanf("%64s", buf) == 0)`
	`572`	`+ if (scanf("%64s", buf) != 1)`
`573`	`573`	`{ printf("\tno input\n");`
`574`	`574`	`goto try_again;`
`575`	`575`	`}`