[ci] Block sprintf/vsprintf usage, suggest snprintf alternatives

2026-01-17 07:24:53 -07:00 · 2026-01-16 14:18:11 -10:00
5 changed files with 30 additions and 12 deletions
--- a/esphome/components/dfrobot_sen0395/commands.h
+++ b/esphome/components/dfrobot_sen0395/commands.h
@@ -75,8 +75,8 @@ class SetLatencyCommand : public Command {
 class SensorCfgStartCommand : public Command {
 public:
  SensorCfgStartCommand(bool startup_mode) : startup_mode_(startup_mode) {
-    char tmp_cmd[20];  // "sensorCfgStart " (15) + "0/1" (1) + null = 17
-    buf_append_printf(tmp_cmd, sizeof(tmp_cmd), 0, "sensorCfgStart %d", startup_mode);
+    char tmp_cmd[20] = {0};
+    sprintf(tmp_cmd, "sensorCfgStart %d", startup_mode);
    cmd_ = std::string(tmp_cmd);
  }
  uint8_t on_message(std::string &message) override;
@@ -142,8 +142,8 @@ class SensitivityCommand : public Command {
  SensitivityCommand(uint8_t sensitivity) : sensitivity_(sensitivity) {
    if (sensitivity > 9)
      sensitivity_ = sensitivity = 9;
-    char tmp_cmd[20];  // "setSensitivity " (15) + "0-9" (1) + null = 17
-    buf_append_printf(tmp_cmd, sizeof(tmp_cmd), 0, "setSensitivity %d", sensitivity);
+    char tmp_cmd[20] = {0};
+    sprintf(tmp_cmd, "setSensitivity %d", sensitivity);
    cmd_ = std::string(tmp_cmd);
  };
  uint8_t on_message(std::string &message) override;
--- a/esphome/components/pipsolar/output/pipsolar_output.cpp
+++ b/esphome/components/pipsolar/output/pipsolar_output.cpp
@@ -8,8 +8,8 @@ namespace pipsolar {
 static const char *const TAG = "pipsolar.output";

 void PipsolarOutput::write_state(float state) {
-  char tmp[16];
-  snprintf(tmp, sizeof(tmp), this->set_command_.c_str(), state);
+  char tmp[10];
+  sprintf(tmp, this->set_command_.c_str(), state);

  if (std::find(this->possible_values_.begin(), this->possible_values_.end(), state) != this->possible_values_.end()) {
    ESP_LOGD(TAG, "Will write: %s out of value %f / %02.0f", tmp, state, state);
--- a/esphome/components/sim800l/sim800l.cpp
+++ b/esphome/components/sim800l/sim800l.cpp
@@ -1,5 +1,4 @@
 #include "sim800l.h"
-#include "esphome/core/helpers.h"
 #include "esphome/core/log.h"
 #include <cstring>

@@ -51,8 +50,8 @@ void Sim800LComponent::update() {
  } else if (state_ == STATE_RECEIVED_SMS) {
    // Serial Buffer should have flushed.
    // Send cmd to delete received sms
-    char delete_cmd[20];  // "AT+CMGD=" (8) + uint8_t (max 3) + null = 12 <= 20
-    buf_append_printf(delete_cmd, sizeof(delete_cmd), 0, "AT+CMGD=%d", this->parse_index_);
+    char delete_cmd[20];
+    sprintf(delete_cmd, "AT+CMGD=%d", this->parse_index_);
    this->send_cmd_(delete_cmd);
    this->state_ = STATE_CHECK_SMS;
    this->expect_ack_ = true;
--- a/esphome/components/wl_134/wl_134.cpp
+++ b/esphome/components/wl_134/wl_134.cpp
@@ -1,5 +1,4 @@
 #include "wl_134.h"
-#include "esphome/core/helpers.h"
 #include "esphome/core/log.h"

 #include <cinttypes>
@@ -79,8 +78,8 @@ Wl134Component::Rfid134Error Wl134Component::read_packet_() {
           reading.id, reading.country, reading.isData ? "true" : "false", reading.isAnimal ? "true" : "false",
           reading.reserved0, reading.reserved1);

-  char buf[20];  // "%03d" (3) + "%012" PRId64 (12) + null = 16 max
-  buf_append_printf(buf, sizeof(buf), 0, "%03d%012" PRId64, reading.country, reading.id);
+  char buf[20];
+  sprintf(buf, "%03d%012lld", reading.country, reading.id);
  this->publish_state(buf);
  if (this->do_reset_) {
    this->set_timeout(1000, [this]() { this->publish_state(""); });
--- a/script/ci-custom.py
+++ b/script/ci-custom.py
@@ -728,6 +728,26 @@ def lint_no_heap_allocating_helpers(fname, match):
    )


+@lint_re_check(
+    # Match sprintf/vsprintf but not snprintf/vsnprintf
+    # [^\w] ensures we don't match the safe variants
+    r"[^\w](v?sprintf)\s*\(" + CPP_RE_EOL,
+    include=cpp_include,
+)
+def lint_no_sprintf(fname, match):
+    func = match.group(1)
+    safe_func = func.replace("sprintf", "snprintf")
+    return (
+        f"{highlight(func + '()')} is not allowed in ESPHome. It has no buffer size limit "
+        f"and can cause buffer overflows.\n"
+        f"Please use one of these alternatives:\n"
+        f"  - {highlight(safe_func + '(buf, sizeof(buf), fmt, ...)')} for general formatting\n"
+        f"  - {highlight('buf_append_printf(buf, sizeof(buf), pos, fmt, ...)')} for "
+        f"offset-based formatting (also stores format strings in flash on ESP8266)\n"
+        f"(If strictly necessary, add `// NOLINT` to the end of the line)"
+    )
+
+
@lint_content_find_check(
    "ESP_LOG",
    include=["*.h", "*.tcc"],