Push this scan report to ghc/ghc

Embedded score card image

This image will render at the top of the issue body. Hosted on Repobility, refreshes automatically after re-scans.

Issue title

Hi @ghc, an automated scan of this repository surfaced **9 code-quality findings** that may be worth a look. 
Full details, severity filters, and per-file context are at the link below — feel free to close this issue if it isn't useful to you.

## Full interactive report

**https://repobility.com/scan/2375b6d0-a6b1-42a0-92ae-4a23b5c8f9ee/**

![Live scan page](https://repobility.com/scan/2375b6d0-a6b1-42a0-92ae-4a23b5c8f9ee/report.png?v=1778938232)

## At a glance

- **Score**: `74/100`  •  **Grade**: `C-`
- **Scanned**: `2026-05-16 13:30 UTC`
- **Lines of code**: 72,479
- **Total findings**: 9
- **Security-tagged**: 1
- **Credential / secret patterns**: 0

## Top issues, with file & line

_These are deterministic rule-based findings — the file paths and line numbers below are real and can be verified in your tree._

1. **[high]** [SEC029] Server-Side Request Forgery (SSRF) — outbound HTTP from user input: Outbound HTTP request to a user-controlled URL without allowlist validation. Attackers can probe internal services (169.254.169.254 metadata, internal Kubernetes endpoints, file:// URIs), exfiltrate data, or pivot through your network. SSRF is OWASP A10:2021 and a frequent foothold in cloud breaches. — `mk/get-win32-tarballs.py:29`
   _Validate the URL against an allowlist BEFORE fetching:   ALLOWED = {'images.example.com', 'cdn.example.com'}   host = urlparse(url).hostname   if host not in ALLOWED: abort(400)…_
2. **[high]** [SEC035] Unbounded Resource Allocation — DoS risk: Allocating resources (buffers, recursion stack, large ranges) based on user input without an upper bound. Attackers send `size=10000000` to exhaust memory, or trigger expensive computation. CWE-770/400. Examples: CVE-2023-44487 (HTTP/2 Rapid Reset), countless YAML/XML billion-laughs variants. — `docs/users_guide/conf.py:312`
   _Cap user-controlled sizes BEFORE allocation:   size = min(int(request.args.get('n', 100)), MAX_SIZE) Set framework-level limits:   Flask:    app.config['MAX_CONTENT_LENGTH'] = 1…_
3. **[low]** Duplicated implementation block across source files — `hadrian/bindist/cwrappers/cwrapper.c:1`
   _Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used._
4. **[low]** Duplicated implementation block across source files — `hadrian/bindist/cwrappers/getLocation.c:1`
   _Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used._
5. **[low]** Duplicated implementation block across source files — `rts/adjustor/NativeAmd64Mingw.c:20`
   _Extract the shared behavior into one function/module or delete the inactive duplicate after proving which path is used._

See all 9 findings, with severity filters and AI fix prompts: **https://repobility.com/scan/2375b6d0-a6b1-42a0-92ae-4a23b5c8f9ee/**

---

**What is this?** [Repobility](https://repobility.com) is a research project that scans public repositories with a multi-layer static analyzer (rule-based, no AI hallucinations) and learns code-quality patterns across a broad cross-repo corpus. This is **not a sales pitch** — there's no paywall, no signup required to view the report, and no payment ask. If the findings aren't useful, please close this issue and we won't post again.

**To re-run after fixes land:** paste your repo URL at [repobility.com](https://repobility.com) — fresh scan, free.

_Issue filed via the public Repobility report at https://repobility.com/scan/2375b6d0-a6b1-42a0-92ae-4a23b5c8f9ee/._