From 596ef2fd7ac55eb05a3928df4ed209c07045d0e4 Mon Sep 17 00:00:00 2001
From: Debarshi Ray <debarshir@gnome.org>
Date: Wed, 11 Mar 2026 20:54:50 +0100
Subject: [PATCH] appdata: Fix a -Wanalyzer-null-argument warning
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

OpenScanHub [1] triggered this and flagged it as CWE-688 [2]:
  common/flatpak-appdata.c:298:7: warning[-Wanalyzer-null-argument]: use
      of NULL ‘parent’ where non-null expected
  common/flatpak-appdata.c:282:6: branch_false: following ‘false’
      branch...
  common/flatpak-appdata.c:285:3: branch_false: ...to here
  common/flatpak-appdata.c:285:3: branch_true: following ‘true’
      branch...
  common/flatpak-appdata.c:287:15: branch_true: ...to here
  common/flatpak-appdata.c:289:6: branch_false: following ‘false’
      branch...
  common/flatpak-appdata.c:297:7: branch_false: ...to here
  common/flatpak-appdata.c:297:6: branch_true: following ‘true’ branch
      (when the strings are equal)...
  common/flatpak-appdata.c:298:7: branch_true: ...to here
  common/flatpak-appdata.c:298:7: danger: argument 1 (‘parent’) NULL
      where non-null expected
  #  296|     /* avoid picking up <id> elements from e.g. <provides> */
  #  297|     if (g_str_equal (element_name, "id") &&
  #  298|->       g_str_equal (parent, "component"))
  #  299|       {
  #  300|         component->id = g_steal_pointer (&text);

The parsing code doesn't throw any errors from G_MARKUP_ERROR.  It
expects the input to be valid, and relies on assertions to express that.
eg., it asserts that a <component> element or tag is encountered before
any other, and particularly <content_attribute>, <content_rating> and
<release>.

In the same vein, an assertion was added to express that an <id> element
or tag always has a parent.

Spotted by Siteshwar Vashisht.

[1] https://openscanhub.dev/

[2] https://cwe.mitre.org/data/definitions/688.html
---
 common/flatpak-appdata.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/common/flatpak-appdata.c b/common/flatpak-appdata.c
index 968e6812..428f968f 100644
--- a/common/flatpak-appdata.c
+++ b/common/flatpak-appdata.c
@@ -294,10 +294,11 @@ end_element (GMarkupParseContext *context,
     }
 
   /* avoid picking up <id> elements from e.g. <provides> */
-  if (g_str_equal (element_name, "id") &&
-      g_str_equal (parent, "component"))
+  if (g_str_equal (element_name, "id"))
     {
-      component->id = g_steal_pointer (&text);
+      g_assert (parent != NULL);
+      if (g_str_equal (parent, "component"))
+        component->id = g_steal_pointer (&text);
     }
   else if (!data->in_developer && g_str_equal (element_name, "name"))
     {