AI-generated audit finding — this issue was opened from an automated security/correctness audit. It has not been triaged by a human yet; verify the reasoning, reproducibility, and severity before acting on it.
Medium: CodeBlock.Write silently drops whitespace-only strings
Affected code:
Description:
Any string composed entirely of whitespace — spaces, tabs, newlines, or any combination — is silently discarded by Write. Two concrete consequences:
-
WriteLine("") is a no-op. A caller that intends to emit a blank line (between attribute declarations, between comment blocks, etc.) gets nothing. The only way to force a blank line is to call Write("\n\n") which itself is whitespace and also gets dropped.
-
AddBlock of an empty CodeBlock emits nothing. $"\n{block}\n" where block renders as "" is just "\n\n", which is whitespace and therefore discarded. That is probably intentional ("don't add a block-shaped gap for an empty contribution"), but it is invisibly entangled with the more surprising behavior of blank-line emission being impossible.
The guard seems designed to suppress no-op calls, but it is too aggressive: it equates "whitespace-only input" with "no input at all". Formatting intent that involves whitespace can't be expressed.
Combined with the normalization in ToString (see finding #3), the library's contract around blank lines is opaque: callers can't reliably predict how many blank lines will appear between two blocks.
Impact:
- Generators that want to control vertical whitespace have no reliable mechanism.
- A one-line change to add a blank line (
sb.WriteLine("")) silently does nothing, which is a confusing debugging experience.
Recommendation:
- Change the guard to
value is not null, or drop the guard entirely. The StringBuilder itself handles empty-string appends efficiently.
- If the guard is kept for empty-string efficiency, require
value.Length == 0 rather than IsNullOrWhiteSpace.
- Document the
AddBlock(emptyBlock) behavior explicitly.
Severity: Medium.
Source report: src-ZeroC.CodeBuilder-audit-2026-04-14.md (finding ``CodeBlock.Write silently drops whitespace-only strings)
Severity (auditor-assigned): Medium
Medium:
CodeBlock.Writesilently drops whitespace-only stringsAffected code:
Writeguards with!string.IsNullOrWhiteSpace(value)and skips the append otherwiseAddBlockrelies onWrite($"\n{block}\n")WriteLinerelies onWrite($"{value}\n")Description:
Any string composed entirely of whitespace — spaces, tabs, newlines, or any combination — is silently discarded by
Write. Two concrete consequences:WriteLine("")is a no-op. A caller that intends to emit a blank line (between attribute declarations, between comment blocks, etc.) gets nothing. The only way to force a blank line is to callWrite("\n\n")which itself is whitespace and also gets dropped.AddBlockof an emptyCodeBlockemits nothing.$"\n{block}\n"whereblockrenders as""is just"\n\n", which is whitespace and therefore discarded. That is probably intentional ("don't add a block-shaped gap for an empty contribution"), but it is invisibly entangled with the more surprising behavior of blank-line emission being impossible.The guard seems designed to suppress no-op calls, but it is too aggressive: it equates "whitespace-only input" with "no input at all". Formatting intent that involves whitespace can't be expressed.
Combined with the normalization in
ToString(see finding #3), the library's contract around blank lines is opaque: callers can't reliably predict how many blank lines will appear between two blocks.Impact:
sb.WriteLine("")) silently does nothing, which is a confusing debugging experience.Recommendation:
value is not null, or drop the guard entirely. TheStringBuilderitself handles empty-string appends efficiently.value.Length == 0rather thanIsNullOrWhiteSpace.AddBlock(emptyBlock)behavior explicitly.Severity: Medium.
Source report: src-ZeroC.CodeBuilder-audit-2026-04-14.md (finding ``CodeBlock.Write
silently drops whitespace-only strings)Severity (auditor-assigned): Medium