]>
Commit | Line | Data |
---|---|---|
1 | #include "git-compat-util.h" | |
2 | #include "date.h" | |
3 | #include "dir.h" | |
4 | #include "hex.h" | |
5 | #include "object-store-ll.h" | |
6 | #include "path.h" | |
7 | #include "repository.h" | |
8 | #include "object.h" | |
9 | #include "attr.h" | |
10 | #include "blob.h" | |
11 | #include "tree.h" | |
12 | #include "tree-walk.h" | |
13 | #include "commit.h" | |
14 | #include "tag.h" | |
15 | #include "fsck.h" | |
16 | #include "refs.h" | |
17 | #include "url.h" | |
18 | #include "utf8.h" | |
19 | #include "decorate.h" | |
20 | #include "oidset.h" | |
21 | #include "packfile.h" | |
22 | #include "submodule-config.h" | |
23 | #include "config.h" | |
24 | #include "credential.h" | |
25 | #include "help.h" | |
26 | ||
27 | static ssize_t max_tree_entry_len = 4096; | |
28 | ||
29 | #define STR(x) #x | |
30 | #define MSG_ID(id, msg_type) { STR(id), NULL, NULL, FSCK_##msg_type }, | |
31 | static struct { | |
32 | const char *id_string; | |
33 | const char *downcased; | |
34 | const char *camelcased; | |
35 | enum fsck_msg_type msg_type; | |
36 | } msg_id_info[FSCK_MSG_MAX + 1] = { | |
37 | FOREACH_FSCK_MSG_ID(MSG_ID) | |
38 | { NULL, NULL, NULL, -1 } | |
39 | }; | |
40 | #undef MSG_ID | |
41 | #undef STR | |
42 | ||
43 | static void prepare_msg_ids(void) | |
44 | { | |
45 | int i; | |
46 | ||
47 | if (msg_id_info[0].downcased) | |
48 | return; | |
49 | ||
50 | /* convert id_string to lower case, without underscores. */ | |
51 | for (i = 0; i < FSCK_MSG_MAX; i++) { | |
52 | const char *p = msg_id_info[i].id_string; | |
53 | int len = strlen(p); | |
54 | char *q = xmalloc(len); | |
55 | ||
56 | msg_id_info[i].downcased = q; | |
57 | while (*p) | |
58 | if (*p == '_') | |
59 | p++; | |
60 | else | |
61 | *(q)++ = tolower(*(p)++); | |
62 | *q = '\0'; | |
63 | ||
64 | p = msg_id_info[i].id_string; | |
65 | q = xmalloc(len); | |
66 | msg_id_info[i].camelcased = q; | |
67 | while (*p) { | |
68 | if (*p == '_') { | |
69 | p++; | |
70 | if (*p) | |
71 | *q++ = *p++; | |
72 | } else { | |
73 | *q++ = tolower(*p++); | |
74 | } | |
75 | } | |
76 | *q = '\0'; | |
77 | } | |
78 | } | |
79 | ||
80 | static int parse_msg_id(const char *text) | |
81 | { | |
82 | int i; | |
83 | ||
84 | prepare_msg_ids(); | |
85 | ||
86 | for (i = 0; i < FSCK_MSG_MAX; i++) | |
87 | if (!strcmp(text, msg_id_info[i].downcased)) | |
88 | return i; | |
89 | ||
90 | return -1; | |
91 | } | |
92 | ||
93 | void list_config_fsck_msg_ids(struct string_list *list, const char *prefix) | |
94 | { | |
95 | int i; | |
96 | ||
97 | prepare_msg_ids(); | |
98 | ||
99 | for (i = 0; i < FSCK_MSG_MAX; i++) | |
100 | list_config_item(list, prefix, msg_id_info[i].camelcased); | |
101 | } | |
102 | ||
103 | static enum fsck_msg_type fsck_msg_type(enum fsck_msg_id msg_id, | |
104 | struct fsck_options *options) | |
105 | { | |
106 | assert(msg_id >= 0 && msg_id < FSCK_MSG_MAX); | |
107 | ||
108 | if (!options->msg_type) { | |
109 | enum fsck_msg_type msg_type = msg_id_info[msg_id].msg_type; | |
110 | ||
111 | if (options->strict && msg_type == FSCK_WARN) | |
112 | msg_type = FSCK_ERROR; | |
113 | return msg_type; | |
114 | } | |
115 | ||
116 | return options->msg_type[msg_id]; | |
117 | } | |
118 | ||
119 | static enum fsck_msg_type parse_msg_type(const char *str) | |
120 | { | |
121 | if (!strcmp(str, "error")) | |
122 | return FSCK_ERROR; | |
123 | else if (!strcmp(str, "warn")) | |
124 | return FSCK_WARN; | |
125 | else if (!strcmp(str, "ignore")) | |
126 | return FSCK_IGNORE; | |
127 | else | |
128 | die("Unknown fsck message type: '%s'", str); | |
129 | } | |
130 | ||
131 | int is_valid_msg_type(const char *msg_id, const char *msg_type) | |
132 | { | |
133 | if (parse_msg_id(msg_id) < 0) | |
134 | return 0; | |
135 | parse_msg_type(msg_type); | |
136 | return 1; | |
137 | } | |
138 | ||
139 | void fsck_set_msg_type_from_ids(struct fsck_options *options, | |
140 | enum fsck_msg_id msg_id, | |
141 | enum fsck_msg_type msg_type) | |
142 | { | |
143 | if (!options->msg_type) { | |
144 | int i; | |
145 | enum fsck_msg_type *severity; | |
146 | ALLOC_ARRAY(severity, FSCK_MSG_MAX); | |
147 | for (i = 0; i < FSCK_MSG_MAX; i++) | |
148 | severity[i] = fsck_msg_type(i, options); | |
149 | options->msg_type = severity; | |
150 | } | |
151 | ||
152 | options->msg_type[msg_id] = msg_type; | |
153 | } | |
154 | ||
155 | void fsck_set_msg_type(struct fsck_options *options, | |
156 | const char *msg_id_str, const char *msg_type_str) | |
157 | { | |
158 | int msg_id = parse_msg_id(msg_id_str); | |
159 | char *to_free = NULL; | |
160 | enum fsck_msg_type msg_type; | |
161 | ||
162 | if (msg_id < 0) | |
163 | die("Unhandled message id: %s", msg_id_str); | |
164 | ||
165 | if (msg_id == FSCK_MSG_LARGE_PATHNAME) { | |
166 | const char *colon = strchr(msg_type_str, ':'); | |
167 | if (colon) { | |
168 | msg_type_str = to_free = | |
169 | xmemdupz(msg_type_str, colon - msg_type_str); | |
170 | colon++; | |
171 | if (!git_parse_ssize_t(colon, &max_tree_entry_len)) | |
172 | die("unable to parse max tree entry len: %s", colon); | |
173 | } | |
174 | } | |
175 | msg_type = parse_msg_type(msg_type_str); | |
176 | ||
177 | if (msg_type != FSCK_ERROR && msg_id_info[msg_id].msg_type == FSCK_FATAL) | |
178 | die("Cannot demote %s to %s", msg_id_str, msg_type_str); | |
179 | ||
180 | fsck_set_msg_type_from_ids(options, msg_id, msg_type); | |
181 | free(to_free); | |
182 | } | |
183 | ||
184 | void fsck_set_msg_types(struct fsck_options *options, const char *values) | |
185 | { | |
186 | char *buf = xstrdup(values), *to_free = buf; | |
187 | int done = 0; | |
188 | ||
189 | while (!done) { | |
190 | int len = strcspn(buf, " ,|"), equal; | |
191 | ||
192 | done = !buf[len]; | |
193 | if (!len) { | |
194 | buf++; | |
195 | continue; | |
196 | } | |
197 | buf[len] = '\0'; | |
198 | ||
199 | for (equal = 0; | |
200 | equal < len && buf[equal] != '=' && buf[equal] != ':'; | |
201 | equal++) | |
202 | buf[equal] = tolower(buf[equal]); | |
203 | buf[equal] = '\0'; | |
204 | ||
205 | if (!strcmp(buf, "skiplist")) { | |
206 | if (equal == len) | |
207 | die("skiplist requires a path"); | |
208 | oidset_parse_file(&options->skiplist, buf + equal + 1); | |
209 | buf += len + 1; | |
210 | continue; | |
211 | } | |
212 | ||
213 | if (equal == len) | |
214 | die("Missing '=': '%s'", buf); | |
215 | ||
216 | fsck_set_msg_type(options, buf, buf + equal + 1); | |
217 | buf += len + 1; | |
218 | } | |
219 | free(to_free); | |
220 | } | |
221 | ||
222 | static int object_on_skiplist(struct fsck_options *opts, | |
223 | const struct object_id *oid) | |
224 | { | |
225 | return opts && oid && oidset_contains(&opts->skiplist, oid); | |
226 | } | |
227 | ||
228 | __attribute__((format (printf, 5, 6))) | |
229 | static int report(struct fsck_options *options, | |
230 | const struct object_id *oid, enum object_type object_type, | |
231 | enum fsck_msg_id msg_id, const char *fmt, ...) | |
232 | { | |
233 | va_list ap; | |
234 | struct strbuf sb = STRBUF_INIT; | |
235 | enum fsck_msg_type msg_type = fsck_msg_type(msg_id, options); | |
236 | int result; | |
237 | ||
238 | if (msg_type == FSCK_IGNORE) | |
239 | return 0; | |
240 | ||
241 | if (object_on_skiplist(options, oid)) | |
242 | return 0; | |
243 | ||
244 | if (msg_type == FSCK_FATAL) | |
245 | msg_type = FSCK_ERROR; | |
246 | else if (msg_type == FSCK_INFO) | |
247 | msg_type = FSCK_WARN; | |
248 | ||
249 | prepare_msg_ids(); | |
250 | strbuf_addf(&sb, "%s: ", msg_id_info[msg_id].camelcased); | |
251 | ||
252 | va_start(ap, fmt); | |
253 | strbuf_vaddf(&sb, fmt, ap); | |
254 | result = options->error_func(options, oid, object_type, | |
255 | msg_type, msg_id, sb.buf); | |
256 | strbuf_release(&sb); | |
257 | va_end(ap); | |
258 | ||
259 | return result; | |
260 | } | |
261 | ||
262 | void fsck_enable_object_names(struct fsck_options *options) | |
263 | { | |
264 | if (!options->object_names) | |
265 | options->object_names = kh_init_oid_map(); | |
266 | } | |
267 | ||
268 | const char *fsck_get_object_name(struct fsck_options *options, | |
269 | const struct object_id *oid) | |
270 | { | |
271 | khiter_t pos; | |
272 | if (!options->object_names) | |
273 | return NULL; | |
274 | pos = kh_get_oid_map(options->object_names, *oid); | |
275 | if (pos >= kh_end(options->object_names)) | |
276 | return NULL; | |
277 | return kh_value(options->object_names, pos); | |
278 | } | |
279 | ||
280 | void fsck_put_object_name(struct fsck_options *options, | |
281 | const struct object_id *oid, | |
282 | const char *fmt, ...) | |
283 | { | |
284 | va_list ap; | |
285 | struct strbuf buf = STRBUF_INIT; | |
286 | khiter_t pos; | |
287 | int hashret; | |
288 | ||
289 | if (!options->object_names) | |
290 | return; | |
291 | ||
292 | pos = kh_put_oid_map(options->object_names, *oid, &hashret); | |
293 | if (!hashret) | |
294 | return; | |
295 | va_start(ap, fmt); | |
296 | strbuf_vaddf(&buf, fmt, ap); | |
297 | kh_value(options->object_names, pos) = strbuf_detach(&buf, NULL); | |
298 | va_end(ap); | |
299 | } | |
300 | ||
301 | const char *fsck_describe_object(struct fsck_options *options, | |
302 | const struct object_id *oid) | |
303 | { | |
304 | static struct strbuf bufs[] = { | |
305 | STRBUF_INIT, STRBUF_INIT, STRBUF_INIT, STRBUF_INIT | |
306 | }; | |
307 | static int b = 0; | |
308 | struct strbuf *buf; | |
309 | const char *name = fsck_get_object_name(options, oid); | |
310 | ||
311 | buf = bufs + b; | |
312 | b = (b + 1) % ARRAY_SIZE(bufs); | |
313 | strbuf_reset(buf); | |
314 | strbuf_addstr(buf, oid_to_hex(oid)); | |
315 | if (name) | |
316 | strbuf_addf(buf, " (%s)", name); | |
317 | ||
318 | return buf->buf; | |
319 | } | |
320 | ||
321 | static int fsck_walk_tree(struct tree *tree, void *data, struct fsck_options *options) | |
322 | { | |
323 | struct tree_desc desc; | |
324 | struct name_entry entry; | |
325 | int res = 0; | |
326 | const char *name; | |
327 | ||
328 | if (parse_tree(tree)) | |
329 | return -1; | |
330 | ||
331 | name = fsck_get_object_name(options, &tree->object.oid); | |
332 | if (init_tree_desc_gently(&desc, tree->buffer, tree->size, 0)) | |
333 | return -1; | |
334 | while (tree_entry_gently(&desc, &entry)) { | |
335 | struct object *obj; | |
336 | int result; | |
337 | ||
338 | if (S_ISGITLINK(entry.mode)) | |
339 | continue; | |
340 | ||
341 | if (S_ISDIR(entry.mode)) { | |
342 | obj = (struct object *)lookup_tree(the_repository, &entry.oid); | |
343 | if (name && obj) | |
344 | fsck_put_object_name(options, &entry.oid, "%s%s/", | |
345 | name, entry.path); | |
346 | result = options->walk(obj, OBJ_TREE, data, options); | |
347 | } | |
348 | else if (S_ISREG(entry.mode) || S_ISLNK(entry.mode)) { | |
349 | obj = (struct object *)lookup_blob(the_repository, &entry.oid); | |
350 | if (name && obj) | |
351 | fsck_put_object_name(options, &entry.oid, "%s%s", | |
352 | name, entry.path); | |
353 | result = options->walk(obj, OBJ_BLOB, data, options); | |
354 | } | |
355 | else { | |
356 | result = error("in tree %s: entry %s has bad mode %.6o", | |
357 | fsck_describe_object(options, &tree->object.oid), | |
358 | entry.path, entry.mode); | |
359 | } | |
360 | if (result < 0) | |
361 | return result; | |
362 | if (!res) | |
363 | res = result; | |
364 | } | |
365 | return res; | |
366 | } | |
367 | ||
368 | static int fsck_walk_commit(struct commit *commit, void *data, struct fsck_options *options) | |
369 | { | |
370 | int counter = 0, generation = 0, name_prefix_len = 0; | |
371 | struct commit_list *parents; | |
372 | int res; | |
373 | int result; | |
374 | const char *name; | |
375 | ||
376 | if (repo_parse_commit(the_repository, commit)) | |
377 | return -1; | |
378 | ||
379 | name = fsck_get_object_name(options, &commit->object.oid); | |
380 | if (name) | |
381 | fsck_put_object_name(options, get_commit_tree_oid(commit), | |
382 | "%s:", name); | |
383 | ||
384 | result = options->walk((struct object *) repo_get_commit_tree(the_repository, commit), | |
385 | OBJ_TREE, data, options); | |
386 | if (result < 0) | |
387 | return result; | |
388 | res = result; | |
389 | ||
390 | parents = commit->parents; | |
391 | if (name && parents) { | |
392 | int len = strlen(name), power; | |
393 | ||
394 | if (len && name[len - 1] == '^') { | |
395 | generation = 1; | |
396 | name_prefix_len = len - 1; | |
397 | } | |
398 | else { /* parse ~<generation> suffix */ | |
399 | for (generation = 0, power = 1; | |
400 | len && isdigit(name[len - 1]); | |
401 | power *= 10) | |
402 | generation += power * (name[--len] - '0'); | |
403 | if (power > 1 && len && name[len - 1] == '~') | |
404 | name_prefix_len = len - 1; | |
405 | else { | |
406 | /* Maybe a non-first parent, e.g. HEAD^2 */ | |
407 | generation = 0; | |
408 | name_prefix_len = len; | |
409 | } | |
410 | } | |
411 | } | |
412 | ||
413 | while (parents) { | |
414 | if (name) { | |
415 | struct object_id *oid = &parents->item->object.oid; | |
416 | ||
417 | if (counter++) | |
418 | fsck_put_object_name(options, oid, "%s^%d", | |
419 | name, counter); | |
420 | else if (generation > 0) | |
421 | fsck_put_object_name(options, oid, "%.*s~%d", | |
422 | name_prefix_len, name, | |
423 | generation + 1); | |
424 | else | |
425 | fsck_put_object_name(options, oid, "%s^", name); | |
426 | } | |
427 | result = options->walk((struct object *)parents->item, OBJ_COMMIT, data, options); | |
428 | if (result < 0) | |
429 | return result; | |
430 | if (!res) | |
431 | res = result; | |
432 | parents = parents->next; | |
433 | } | |
434 | return res; | |
435 | } | |
436 | ||
437 | static int fsck_walk_tag(struct tag *tag, void *data, struct fsck_options *options) | |
438 | { | |
439 | const char *name = fsck_get_object_name(options, &tag->object.oid); | |
440 | ||
441 | if (parse_tag(tag)) | |
442 | return -1; | |
443 | if (name) | |
444 | fsck_put_object_name(options, &tag->tagged->oid, "%s", name); | |
445 | return options->walk(tag->tagged, OBJ_ANY, data, options); | |
446 | } | |
447 | ||
448 | int fsck_walk(struct object *obj, void *data, struct fsck_options *options) | |
449 | { | |
450 | if (!obj) | |
451 | return -1; | |
452 | ||
453 | if (obj->type == OBJ_NONE) | |
454 | parse_object(the_repository, &obj->oid); | |
455 | ||
456 | switch (obj->type) { | |
457 | case OBJ_BLOB: | |
458 | return 0; | |
459 | case OBJ_TREE: | |
460 | return fsck_walk_tree((struct tree *)obj, data, options); | |
461 | case OBJ_COMMIT: | |
462 | return fsck_walk_commit((struct commit *)obj, data, options); | |
463 | case OBJ_TAG: | |
464 | return fsck_walk_tag((struct tag *)obj, data, options); | |
465 | default: | |
466 | error("Unknown object type for %s", | |
467 | fsck_describe_object(options, &obj->oid)); | |
468 | return -1; | |
469 | } | |
470 | } | |
471 | ||
472 | struct name_stack { | |
473 | const char **names; | |
474 | size_t nr, alloc; | |
475 | }; | |
476 | ||
477 | static void name_stack_push(struct name_stack *stack, const char *name) | |
478 | { | |
479 | ALLOC_GROW(stack->names, stack->nr + 1, stack->alloc); | |
480 | stack->names[stack->nr++] = name; | |
481 | } | |
482 | ||
483 | static const char *name_stack_pop(struct name_stack *stack) | |
484 | { | |
485 | return stack->nr ? stack->names[--stack->nr] : NULL; | |
486 | } | |
487 | ||
488 | static void name_stack_clear(struct name_stack *stack) | |
489 | { | |
490 | FREE_AND_NULL(stack->names); | |
491 | stack->nr = stack->alloc = 0; | |
492 | } | |
493 | ||
494 | /* | |
495 | * The entries in a tree are ordered in the _path_ order, | |
496 | * which means that a directory entry is ordered by adding | |
497 | * a slash to the end of it. | |
498 | * | |
499 | * So a directory called "a" is ordered _after_ a file | |
500 | * called "a.c", because "a/" sorts after "a.c". | |
501 | */ | |
502 | #define TREE_UNORDERED (-1) | |
503 | #define TREE_HAS_DUPS (-2) | |
504 | ||
505 | static int is_less_than_slash(unsigned char c) | |
506 | { | |
507 | return '\0' < c && c < '/'; | |
508 | } | |
509 | ||
510 | static int verify_ordered(unsigned mode1, const char *name1, | |
511 | unsigned mode2, const char *name2, | |
512 | struct name_stack *candidates) | |
513 | { | |
514 | int len1 = strlen(name1); | |
515 | int len2 = strlen(name2); | |
516 | int len = len1 < len2 ? len1 : len2; | |
517 | unsigned char c1, c2; | |
518 | int cmp; | |
519 | ||
520 | cmp = memcmp(name1, name2, len); | |
521 | if (cmp < 0) | |
522 | return 0; | |
523 | if (cmp > 0) | |
524 | return TREE_UNORDERED; | |
525 | ||
526 | /* | |
527 | * Ok, the first <len> characters are the same. | |
528 | * Now we need to order the next one, but turn | |
529 | * a '\0' into a '/' for a directory entry. | |
530 | */ | |
531 | c1 = name1[len]; | |
532 | c2 = name2[len]; | |
533 | if (!c1 && !c2) | |
534 | /* | |
535 | * git-write-tree used to write out a nonsense tree that has | |
536 | * entries with the same name, one blob and one tree. Make | |
537 | * sure we do not have duplicate entries. | |
538 | */ | |
539 | return TREE_HAS_DUPS; | |
540 | if (!c1 && S_ISDIR(mode1)) | |
541 | c1 = '/'; | |
542 | if (!c2 && S_ISDIR(mode2)) | |
543 | c2 = '/'; | |
544 | ||
545 | /* | |
546 | * There can be non-consecutive duplicates due to the implicitly | |
547 | * added slash, e.g.: | |
548 | * | |
549 | * foo | |
550 | * foo.bar | |
551 | * foo.bar.baz | |
552 | * foo.bar/ | |
553 | * foo/ | |
554 | * | |
555 | * Record non-directory candidates (like "foo" and "foo.bar" in | |
556 | * the example) on a stack and check directory candidates (like | |
557 | * foo/" and "foo.bar/") against that stack. | |
558 | */ | |
559 | if (!c1 && is_less_than_slash(c2)) { | |
560 | name_stack_push(candidates, name1); | |
561 | } else if (c2 == '/' && is_less_than_slash(c1)) { | |
562 | for (;;) { | |
563 | const char *p; | |
564 | const char *f_name = name_stack_pop(candidates); | |
565 | ||
566 | if (!f_name) | |
567 | break; | |
568 | if (!skip_prefix(name2, f_name, &p)) | |
569 | continue; | |
570 | if (!*p) | |
571 | return TREE_HAS_DUPS; | |
572 | if (is_less_than_slash(*p)) { | |
573 | name_stack_push(candidates, f_name); | |
574 | break; | |
575 | } | |
576 | } | |
577 | } | |
578 | ||
579 | return c1 < c2 ? 0 : TREE_UNORDERED; | |
580 | } | |
581 | ||
582 | static int fsck_tree(const struct object_id *tree_oid, | |
583 | const char *buffer, unsigned long size, | |
584 | struct fsck_options *options) | |
585 | { | |
586 | int retval = 0; | |
587 | int has_null_sha1 = 0; | |
588 | int has_full_path = 0; | |
589 | int has_empty_name = 0; | |
590 | int has_dot = 0; | |
591 | int has_dotdot = 0; | |
592 | int has_dotgit = 0; | |
593 | int has_zero_pad = 0; | |
594 | int has_bad_modes = 0; | |
595 | int has_dup_entries = 0; | |
596 | int not_properly_sorted = 0; | |
597 | int has_large_name = 0; | |
598 | struct tree_desc desc; | |
599 | unsigned o_mode; | |
600 | const char *o_name; | |
601 | struct name_stack df_dup_candidates = { NULL }; | |
602 | ||
603 | if (init_tree_desc_gently(&desc, buffer, size, TREE_DESC_RAW_MODES)) { | |
604 | retval += report(options, tree_oid, OBJ_TREE, | |
605 | FSCK_MSG_BAD_TREE, | |
606 | "cannot be parsed as a tree"); | |
607 | return retval; | |
608 | } | |
609 | ||
610 | o_mode = 0; | |
611 | o_name = NULL; | |
612 | ||
613 | while (desc.size) { | |
614 | unsigned short mode; | |
615 | const char *name, *backslash; | |
616 | const struct object_id *entry_oid; | |
617 | ||
618 | entry_oid = tree_entry_extract(&desc, &name, &mode); | |
619 | ||
620 | has_null_sha1 |= is_null_oid(entry_oid); | |
621 | has_full_path |= !!strchr(name, '/'); | |
622 | has_empty_name |= !*name; | |
623 | has_dot |= !strcmp(name, "."); | |
624 | has_dotdot |= !strcmp(name, ".."); | |
625 | has_dotgit |= is_hfs_dotgit(name) || is_ntfs_dotgit(name); | |
626 | has_zero_pad |= *(char *)desc.buffer == '0'; | |
627 | has_large_name |= tree_entry_len(&desc.entry) > max_tree_entry_len; | |
628 | ||
629 | if (is_hfs_dotgitmodules(name) || is_ntfs_dotgitmodules(name)) { | |
630 | if (!S_ISLNK(mode)) | |
631 | oidset_insert(&options->gitmodules_found, | |
632 | entry_oid); | |
633 | else | |
634 | retval += report(options, | |
635 | tree_oid, OBJ_TREE, | |
636 | FSCK_MSG_GITMODULES_SYMLINK, | |
637 | ".gitmodules is a symbolic link"); | |
638 | } | |
639 | ||
640 | if (is_hfs_dotgitattributes(name) || is_ntfs_dotgitattributes(name)) { | |
641 | if (!S_ISLNK(mode)) | |
642 | oidset_insert(&options->gitattributes_found, | |
643 | entry_oid); | |
644 | else | |
645 | retval += report(options, tree_oid, OBJ_TREE, | |
646 | FSCK_MSG_GITATTRIBUTES_SYMLINK, | |
647 | ".gitattributes is a symlink"); | |
648 | } | |
649 | ||
650 | if (S_ISLNK(mode)) { | |
651 | if (is_hfs_dotgitignore(name) || | |
652 | is_ntfs_dotgitignore(name)) | |
653 | retval += report(options, tree_oid, OBJ_TREE, | |
654 | FSCK_MSG_GITIGNORE_SYMLINK, | |
655 | ".gitignore is a symlink"); | |
656 | if (is_hfs_dotmailmap(name) || | |
657 | is_ntfs_dotmailmap(name)) | |
658 | retval += report(options, tree_oid, OBJ_TREE, | |
659 | FSCK_MSG_MAILMAP_SYMLINK, | |
660 | ".mailmap is a symlink"); | |
661 | } | |
662 | ||
663 | if ((backslash = strchr(name, '\\'))) { | |
664 | while (backslash) { | |
665 | backslash++; | |
666 | has_dotgit |= is_ntfs_dotgit(backslash); | |
667 | if (is_ntfs_dotgitmodules(backslash)) { | |
668 | if (!S_ISLNK(mode)) | |
669 | oidset_insert(&options->gitmodules_found, | |
670 | entry_oid); | |
671 | else | |
672 | retval += report(options, tree_oid, OBJ_TREE, | |
673 | FSCK_MSG_GITMODULES_SYMLINK, | |
674 | ".gitmodules is a symbolic link"); | |
675 | } | |
676 | backslash = strchr(backslash, '\\'); | |
677 | } | |
678 | } | |
679 | ||
680 | if (update_tree_entry_gently(&desc)) { | |
681 | retval += report(options, tree_oid, OBJ_TREE, | |
682 | FSCK_MSG_BAD_TREE, | |
683 | "cannot be parsed as a tree"); | |
684 | break; | |
685 | } | |
686 | ||
687 | switch (mode) { | |
688 | /* | |
689 | * Standard modes.. | |
690 | */ | |
691 | case S_IFREG | 0755: | |
692 | case S_IFREG | 0644: | |
693 | case S_IFLNK: | |
694 | case S_IFDIR: | |
695 | case S_IFGITLINK: | |
696 | break; | |
697 | /* | |
698 | * This is nonstandard, but we had a few of these | |
699 | * early on when we honored the full set of mode | |
700 | * bits.. | |
701 | */ | |
702 | case S_IFREG | 0664: | |
703 | if (!options->strict) | |
704 | break; | |
705 | /* fallthrough */ | |
706 | default: | |
707 | has_bad_modes = 1; | |
708 | } | |
709 | ||
710 | if (o_name) { | |
711 | switch (verify_ordered(o_mode, o_name, mode, name, | |
712 | &df_dup_candidates)) { | |
713 | case TREE_UNORDERED: | |
714 | not_properly_sorted = 1; | |
715 | break; | |
716 | case TREE_HAS_DUPS: | |
717 | has_dup_entries = 1; | |
718 | break; | |
719 | default: | |
720 | break; | |
721 | } | |
722 | } | |
723 | ||
724 | o_mode = mode; | |
725 | o_name = name; | |
726 | } | |
727 | ||
728 | name_stack_clear(&df_dup_candidates); | |
729 | ||
730 | if (has_null_sha1) | |
731 | retval += report(options, tree_oid, OBJ_TREE, | |
732 | FSCK_MSG_NULL_SHA1, | |
733 | "contains entries pointing to null sha1"); | |
734 | if (has_full_path) | |
735 | retval += report(options, tree_oid, OBJ_TREE, | |
736 | FSCK_MSG_FULL_PATHNAME, | |
737 | "contains full pathnames"); | |
738 | if (has_empty_name) | |
739 | retval += report(options, tree_oid, OBJ_TREE, | |
740 | FSCK_MSG_EMPTY_NAME, | |
741 | "contains empty pathname"); | |
742 | if (has_dot) | |
743 | retval += report(options, tree_oid, OBJ_TREE, | |
744 | FSCK_MSG_HAS_DOT, | |
745 | "contains '.'"); | |
746 | if (has_dotdot) | |
747 | retval += report(options, tree_oid, OBJ_TREE, | |
748 | FSCK_MSG_HAS_DOTDOT, | |
749 | "contains '..'"); | |
750 | if (has_dotgit) | |
751 | retval += report(options, tree_oid, OBJ_TREE, | |
752 | FSCK_MSG_HAS_DOTGIT, | |
753 | "contains '.git'"); | |
754 | if (has_zero_pad) | |
755 | retval += report(options, tree_oid, OBJ_TREE, | |
756 | FSCK_MSG_ZERO_PADDED_FILEMODE, | |
757 | "contains zero-padded file modes"); | |
758 | if (has_bad_modes) | |
759 | retval += report(options, tree_oid, OBJ_TREE, | |
760 | FSCK_MSG_BAD_FILEMODE, | |
761 | "contains bad file modes"); | |
762 | if (has_dup_entries) | |
763 | retval += report(options, tree_oid, OBJ_TREE, | |
764 | FSCK_MSG_DUPLICATE_ENTRIES, | |
765 | "contains duplicate file entries"); | |
766 | if (not_properly_sorted) | |
767 | retval += report(options, tree_oid, OBJ_TREE, | |
768 | FSCK_MSG_TREE_NOT_SORTED, | |
769 | "not properly sorted"); | |
770 | if (has_large_name) | |
771 | retval += report(options, tree_oid, OBJ_TREE, | |
772 | FSCK_MSG_LARGE_PATHNAME, | |
773 | "contains excessively large pathname"); | |
774 | return retval; | |
775 | } | |
776 | ||
777 | /* | |
778 | * Confirm that the headers of a commit or tag object end in a reasonable way, | |
779 | * either with the usual "\n\n" separator, or at least with a trailing newline | |
780 | * on the final header line. | |
781 | * | |
782 | * This property is important for the memory safety of our callers. It allows | |
783 | * them to scan the buffer linewise without constantly checking the remaining | |
784 | * size as long as: | |
785 | * | |
786 | * - they check that there are bytes left in the buffer at the start of any | |
787 | * line (i.e., that the last newline they saw was not the final one we | |
788 | * found here) | |
789 | * | |
790 | * - any intra-line scanning they do will stop at a newline, which will worst | |
791 | * case hit the newline we found here as the end-of-header. This makes it | |
792 | * OK for them to use helpers like parse_oid_hex(), or even skip_prefix(). | |
793 | */ | |
794 | static int verify_headers(const void *data, unsigned long size, | |
795 | const struct object_id *oid, enum object_type type, | |
796 | struct fsck_options *options) | |
797 | { | |
798 | const char *buffer = (const char *)data; | |
799 | unsigned long i; | |
800 | ||
801 | for (i = 0; i < size; i++) { | |
802 | switch (buffer[i]) { | |
803 | case '\0': | |
804 | return report(options, oid, type, | |
805 | FSCK_MSG_NUL_IN_HEADER, | |
806 | "unterminated header: NUL at offset %ld", i); | |
807 | case '\n': | |
808 | if (i + 1 < size && buffer[i + 1] == '\n') | |
809 | return 0; | |
810 | } | |
811 | } | |
812 | ||
813 | /* | |
814 | * We did not find double-LF that separates the header | |
815 | * and the body. Not having a body is not a crime but | |
816 | * we do want to see the terminating LF for the last header | |
817 | * line. | |
818 | */ | |
819 | if (size && buffer[size - 1] == '\n') | |
820 | return 0; | |
821 | ||
822 | return report(options, oid, type, | |
823 | FSCK_MSG_UNTERMINATED_HEADER, "unterminated header"); | |
824 | } | |
825 | ||
826 | static int fsck_ident(const char **ident, | |
827 | const struct object_id *oid, enum object_type type, | |
828 | struct fsck_options *options) | |
829 | { | |
830 | const char *p = *ident; | |
831 | char *end; | |
832 | ||
833 | *ident = strchrnul(*ident, '\n'); | |
834 | if (**ident == '\n') | |
835 | (*ident)++; | |
836 | ||
837 | if (*p == '<') | |
838 | return report(options, oid, type, FSCK_MSG_MISSING_NAME_BEFORE_EMAIL, "invalid author/committer line - missing space before email"); | |
839 | p += strcspn(p, "<>\n"); | |
840 | if (*p == '>') | |
841 | return report(options, oid, type, FSCK_MSG_BAD_NAME, "invalid author/committer line - bad name"); | |
842 | if (*p != '<') | |
843 | return report(options, oid, type, FSCK_MSG_MISSING_EMAIL, "invalid author/committer line - missing email"); | |
844 | if (p[-1] != ' ') | |
845 | return report(options, oid, type, FSCK_MSG_MISSING_SPACE_BEFORE_EMAIL, "invalid author/committer line - missing space before email"); | |
846 | p++; | |
847 | p += strcspn(p, "<>\n"); | |
848 | if (*p != '>') | |
849 | return report(options, oid, type, FSCK_MSG_BAD_EMAIL, "invalid author/committer line - bad email"); | |
850 | p++; | |
851 | if (*p != ' ') | |
852 | return report(options, oid, type, FSCK_MSG_MISSING_SPACE_BEFORE_DATE, "invalid author/committer line - missing space before date"); | |
853 | p++; | |
854 | /* | |
855 | * Our timestamp parser is based on the C strto*() functions, which | |
856 | * will happily eat whitespace, including the newline that is supposed | |
857 | * to prevent us walking past the end of the buffer. So do our own | |
858 | * scan, skipping linear whitespace but not newlines, and then | |
859 | * confirming we found a digit. We _could_ be even more strict here, | |
860 | * as we really expect only a single space, but since we have | |
861 | * traditionally allowed extra whitespace, we'll continue to do so. | |
862 | */ | |
863 | while (*p == ' ' || *p == '\t') | |
864 | p++; | |
865 | if (!isdigit(*p)) | |
866 | return report(options, oid, type, FSCK_MSG_BAD_DATE, | |
867 | "invalid author/committer line - bad date"); | |
868 | if (*p == '0' && p[1] != ' ') | |
869 | return report(options, oid, type, FSCK_MSG_ZERO_PADDED_DATE, "invalid author/committer line - zero-padded date"); | |
870 | if (date_overflows(parse_timestamp(p, &end, 10))) | |
871 | return report(options, oid, type, FSCK_MSG_BAD_DATE_OVERFLOW, "invalid author/committer line - date causes integer overflow"); | |
872 | if ((end == p || *end != ' ')) | |
873 | return report(options, oid, type, FSCK_MSG_BAD_DATE, "invalid author/committer line - bad date"); | |
874 | p = end + 1; | |
875 | if ((*p != '+' && *p != '-') || | |
876 | !isdigit(p[1]) || | |
877 | !isdigit(p[2]) || | |
878 | !isdigit(p[3]) || | |
879 | !isdigit(p[4]) || | |
880 | (p[5] != '\n')) | |
881 | return report(options, oid, type, FSCK_MSG_BAD_TIMEZONE, "invalid author/committer line - bad time zone"); | |
882 | p += 6; | |
883 | return 0; | |
884 | } | |
885 | ||
886 | static int fsck_commit(const struct object_id *oid, | |
887 | const char *buffer, unsigned long size, | |
888 | struct fsck_options *options) | |
889 | { | |
890 | struct object_id tree_oid, parent_oid; | |
891 | unsigned author_count; | |
892 | int err; | |
893 | const char *buffer_begin = buffer; | |
894 | const char *buffer_end = buffer + size; | |
895 | const char *p; | |
896 | ||
897 | /* | |
898 | * We _must_ stop parsing immediately if this reports failure, as the | |
899 | * memory safety of the rest of the function depends on it. See the | |
900 | * comment above the definition of verify_headers() for more details. | |
901 | */ | |
902 | if (verify_headers(buffer, size, oid, OBJ_COMMIT, options)) | |
903 | return -1; | |
904 | ||
905 | if (buffer >= buffer_end || !skip_prefix(buffer, "tree ", &buffer)) | |
906 | return report(options, oid, OBJ_COMMIT, FSCK_MSG_MISSING_TREE, "invalid format - expected 'tree' line"); | |
907 | if (parse_oid_hex(buffer, &tree_oid, &p) || *p != '\n') { | |
908 | err = report(options, oid, OBJ_COMMIT, FSCK_MSG_BAD_TREE_SHA1, "invalid 'tree' line format - bad sha1"); | |
909 | if (err) | |
910 | return err; | |
911 | } | |
912 | buffer = p + 1; | |
913 | while (buffer < buffer_end && skip_prefix(buffer, "parent ", &buffer)) { | |
914 | if (parse_oid_hex(buffer, &parent_oid, &p) || *p != '\n') { | |
915 | err = report(options, oid, OBJ_COMMIT, FSCK_MSG_BAD_PARENT_SHA1, "invalid 'parent' line format - bad sha1"); | |
916 | if (err) | |
917 | return err; | |
918 | } | |
919 | buffer = p + 1; | |
920 | } | |
921 | author_count = 0; | |
922 | while (buffer < buffer_end && skip_prefix(buffer, "author ", &buffer)) { | |
923 | author_count++; | |
924 | err = fsck_ident(&buffer, oid, OBJ_COMMIT, options); | |
925 | if (err) | |
926 | return err; | |
927 | } | |
928 | if (author_count < 1) | |
929 | err = report(options, oid, OBJ_COMMIT, FSCK_MSG_MISSING_AUTHOR, "invalid format - expected 'author' line"); | |
930 | else if (author_count > 1) | |
931 | err = report(options, oid, OBJ_COMMIT, FSCK_MSG_MULTIPLE_AUTHORS, "invalid format - multiple 'author' lines"); | |
932 | if (err) | |
933 | return err; | |
934 | if (buffer >= buffer_end || !skip_prefix(buffer, "committer ", &buffer)) | |
935 | return report(options, oid, OBJ_COMMIT, FSCK_MSG_MISSING_COMMITTER, "invalid format - expected 'committer' line"); | |
936 | err = fsck_ident(&buffer, oid, OBJ_COMMIT, options); | |
937 | if (err) | |
938 | return err; | |
939 | if (memchr(buffer_begin, '\0', size)) { | |
940 | err = report(options, oid, OBJ_COMMIT, FSCK_MSG_NUL_IN_COMMIT, | |
941 | "NUL byte in the commit object body"); | |
942 | if (err) | |
943 | return err; | |
944 | } | |
945 | return 0; | |
946 | } | |
947 | ||
948 | static int fsck_tag(const struct object_id *oid, const char *buffer, | |
949 | unsigned long size, struct fsck_options *options) | |
950 | { | |
951 | struct object_id tagged_oid; | |
952 | int tagged_type; | |
953 | return fsck_tag_standalone(oid, buffer, size, options, &tagged_oid, | |
954 | &tagged_type); | |
955 | } | |
956 | ||
957 | int fsck_tag_standalone(const struct object_id *oid, const char *buffer, | |
958 | unsigned long size, struct fsck_options *options, | |
959 | struct object_id *tagged_oid, | |
960 | int *tagged_type) | |
961 | { | |
962 | int ret = 0; | |
963 | char *eol; | |
964 | struct strbuf sb = STRBUF_INIT; | |
965 | const char *buffer_end = buffer + size; | |
966 | const char *p; | |
967 | ||
968 | /* | |
969 | * We _must_ stop parsing immediately if this reports failure, as the | |
970 | * memory safety of the rest of the function depends on it. See the | |
971 | * comment above the definition of verify_headers() for more details. | |
972 | */ | |
973 | ret = verify_headers(buffer, size, oid, OBJ_TAG, options); | |
974 | if (ret) | |
975 | goto done; | |
976 | ||
977 | if (buffer >= buffer_end || !skip_prefix(buffer, "object ", &buffer)) { | |
978 | ret = report(options, oid, OBJ_TAG, FSCK_MSG_MISSING_OBJECT, "invalid format - expected 'object' line"); | |
979 | goto done; | |
980 | } | |
981 | if (parse_oid_hex(buffer, tagged_oid, &p) || *p != '\n') { | |
982 | ret = report(options, oid, OBJ_TAG, FSCK_MSG_BAD_OBJECT_SHA1, "invalid 'object' line format - bad sha1"); | |
983 | if (ret) | |
984 | goto done; | |
985 | } | |
986 | buffer = p + 1; | |
987 | ||
988 | if (buffer >= buffer_end || !skip_prefix(buffer, "type ", &buffer)) { | |
989 | ret = report(options, oid, OBJ_TAG, FSCK_MSG_MISSING_TYPE_ENTRY, "invalid format - expected 'type' line"); | |
990 | goto done; | |
991 | } | |
992 | eol = memchr(buffer, '\n', buffer_end - buffer); | |
993 | if (!eol) { | |
994 | ret = report(options, oid, OBJ_TAG, FSCK_MSG_MISSING_TYPE, "invalid format - unexpected end after 'type' line"); | |
995 | goto done; | |
996 | } | |
997 | *tagged_type = type_from_string_gently(buffer, eol - buffer, 1); | |
998 | if (*tagged_type < 0) | |
999 | ret = report(options, oid, OBJ_TAG, FSCK_MSG_BAD_TYPE, "invalid 'type' value"); | |
1000 | if (ret) | |
1001 | goto done; | |
1002 | buffer = eol + 1; | |
1003 | ||
1004 | if (buffer >= buffer_end || !skip_prefix(buffer, "tag ", &buffer)) { | |
1005 | ret = report(options, oid, OBJ_TAG, FSCK_MSG_MISSING_TAG_ENTRY, "invalid format - expected 'tag' line"); | |
1006 | goto done; | |
1007 | } | |
1008 | eol = memchr(buffer, '\n', buffer_end - buffer); | |
1009 | if (!eol) { | |
1010 | ret = report(options, oid, OBJ_TAG, FSCK_MSG_MISSING_TAG, "invalid format - unexpected end after 'type' line"); | |
1011 | goto done; | |
1012 | } | |
1013 | strbuf_addf(&sb, "refs/tags/%.*s", (int)(eol - buffer), buffer); | |
1014 | if (check_refname_format(sb.buf, 0)) { | |
1015 | ret = report(options, oid, OBJ_TAG, | |
1016 | FSCK_MSG_BAD_TAG_NAME, | |
1017 | "invalid 'tag' name: %.*s", | |
1018 | (int)(eol - buffer), buffer); | |
1019 | if (ret) | |
1020 | goto done; | |
1021 | } | |
1022 | buffer = eol + 1; | |
1023 | ||
1024 | if (buffer >= buffer_end || !skip_prefix(buffer, "tagger ", &buffer)) { | |
1025 | /* early tags do not contain 'tagger' lines; warn only */ | |
1026 | ret = report(options, oid, OBJ_TAG, FSCK_MSG_MISSING_TAGGER_ENTRY, "invalid format - expected 'tagger' line"); | |
1027 | if (ret) | |
1028 | goto done; | |
1029 | } | |
1030 | else | |
1031 | ret = fsck_ident(&buffer, oid, OBJ_TAG, options); | |
1032 | ||
1033 | if (buffer < buffer_end && !starts_with(buffer, "\n")) { | |
1034 | /* | |
1035 | * The verify_headers() check will allow | |
1036 | * e.g. "[...]tagger <tagger>\nsome | |
1037 | * garbage\n\nmessage" to pass, thinking "some | |
1038 | * garbage" could be a custom header. E.g. "mktag" | |
1039 | * doesn't want any unknown headers. | |
1040 | */ | |
1041 | ret = report(options, oid, OBJ_TAG, FSCK_MSG_EXTRA_HEADER_ENTRY, "invalid format - extra header(s) after 'tagger'"); | |
1042 | if (ret) | |
1043 | goto done; | |
1044 | } | |
1045 | ||
1046 | done: | |
1047 | strbuf_release(&sb); | |
1048 | return ret; | |
1049 | } | |
1050 | ||
1051 | static int starts_with_dot_slash(const char *const path) | |
1052 | { | |
1053 | return path_match_flags(path, PATH_MATCH_STARTS_WITH_DOT_SLASH | | |
1054 | PATH_MATCH_XPLATFORM); | |
1055 | } | |
1056 | ||
1057 | static int starts_with_dot_dot_slash(const char *const path) | |
1058 | { | |
1059 | return path_match_flags(path, PATH_MATCH_STARTS_WITH_DOT_DOT_SLASH | | |
1060 | PATH_MATCH_XPLATFORM); | |
1061 | } | |
1062 | ||
1063 | static int submodule_url_is_relative(const char *url) | |
1064 | { | |
1065 | return starts_with_dot_slash(url) || starts_with_dot_dot_slash(url); | |
1066 | } | |
1067 | ||
1068 | /* | |
1069 | * Count directory components that a relative submodule URL should chop | |
1070 | * from the remote_url it is to be resolved against. | |
1071 | * | |
1072 | * In other words, this counts "../" components at the start of a | |
1073 | * submodule URL. | |
1074 | * | |
1075 | * Returns the number of directory components to chop and writes a | |
1076 | * pointer to the next character of url after all leading "./" and | |
1077 | * "../" components to out. | |
1078 | */ | |
1079 | static int count_leading_dotdots(const char *url, const char **out) | |
1080 | { | |
1081 | int result = 0; | |
1082 | while (1) { | |
1083 | if (starts_with_dot_dot_slash(url)) { | |
1084 | result++; | |
1085 | url += strlen("../"); | |
1086 | continue; | |
1087 | } | |
1088 | if (starts_with_dot_slash(url)) { | |
1089 | url += strlen("./"); | |
1090 | continue; | |
1091 | } | |
1092 | *out = url; | |
1093 | return result; | |
1094 | } | |
1095 | } | |
1096 | /* | |
1097 | * Check whether a transport is implemented by git-remote-curl. | |
1098 | * | |
1099 | * If it is, returns 1 and writes the URL that would be passed to | |
1100 | * git-remote-curl to the "out" parameter. | |
1101 | * | |
1102 | * Otherwise, returns 0 and leaves "out" untouched. | |
1103 | * | |
1104 | * Examples: | |
1105 | * http::https://example.com/repo.git -> 1, https://example.com/repo.git | |
1106 | * https://example.com/repo.git -> 1, https://example.com/repo.git | |
1107 | * git://example.com/repo.git -> 0 | |
1108 | * | |
1109 | * This is for use in checking for previously exploitable bugs that | |
1110 | * required a submodule URL to be passed to git-remote-curl. | |
1111 | */ | |
1112 | static int url_to_curl_url(const char *url, const char **out) | |
1113 | { | |
1114 | /* | |
1115 | * We don't need to check for case-aliases, "http.exe", and so | |
1116 | * on because in the default configuration, is_transport_allowed | |
1117 | * prevents URLs with those schemes from being cloned | |
1118 | * automatically. | |
1119 | */ | |
1120 | if (skip_prefix(url, "http::", out) || | |
1121 | skip_prefix(url, "https::", out) || | |
1122 | skip_prefix(url, "ftp::", out) || | |
1123 | skip_prefix(url, "ftps::", out)) | |
1124 | return 1; | |
1125 | if (starts_with(url, "http://") || | |
1126 | starts_with(url, "https://") || | |
1127 | starts_with(url, "ftp://") || | |
1128 | starts_with(url, "ftps://")) { | |
1129 | *out = url; | |
1130 | return 1; | |
1131 | } | |
1132 | return 0; | |
1133 | } | |
1134 | ||
1135 | static int check_submodule_url(const char *url) | |
1136 | { | |
1137 | const char *curl_url; | |
1138 | ||
1139 | if (looks_like_command_line_option(url)) | |
1140 | return -1; | |
1141 | ||
1142 | if (submodule_url_is_relative(url) || starts_with(url, "git://")) { | |
1143 | char *decoded; | |
1144 | const char *next; | |
1145 | int has_nl; | |
1146 | ||
1147 | /* | |
1148 | * This could be appended to an http URL and url-decoded; | |
1149 | * check for malicious characters. | |
1150 | */ | |
1151 | decoded = url_decode(url); | |
1152 | has_nl = !!strchr(decoded, '\n'); | |
1153 | ||
1154 | free(decoded); | |
1155 | if (has_nl) | |
1156 | return -1; | |
1157 | ||
1158 | /* | |
1159 | * URLs which escape their root via "../" can overwrite | |
1160 | * the host field and previous components, resolving to | |
1161 | * URLs like https::example.com/submodule.git and | |
1162 | * https:///example.com/submodule.git that were | |
1163 | * susceptible to CVE-2020-11008. | |
1164 | */ | |
1165 | if (count_leading_dotdots(url, &next) > 0 && | |
1166 | (*next == ':' || *next == '/')) | |
1167 | return -1; | |
1168 | } | |
1169 | ||
1170 | else if (url_to_curl_url(url, &curl_url)) { | |
1171 | struct credential c = CREDENTIAL_INIT; | |
1172 | int ret = 0; | |
1173 | if (credential_from_url_gently(&c, curl_url, 1) || | |
1174 | !*c.host) | |
1175 | ret = -1; | |
1176 | credential_clear(&c); | |
1177 | return ret; | |
1178 | } | |
1179 | ||
1180 | return 0; | |
1181 | } | |
1182 | ||
1183 | struct fsck_gitmodules_data { | |
1184 | const struct object_id *oid; | |
1185 | struct fsck_options *options; | |
1186 | int ret; | |
1187 | }; | |
1188 | ||
1189 | static int fsck_gitmodules_fn(const char *var, const char *value, | |
1190 | const struct config_context *ctx UNUSED, | |
1191 | void *vdata) | |
1192 | { | |
1193 | struct fsck_gitmodules_data *data = vdata; | |
1194 | const char *subsection, *key; | |
1195 | size_t subsection_len; | |
1196 | char *name; | |
1197 | ||
1198 | if (parse_config_key(var, "submodule", &subsection, &subsection_len, &key) < 0 || | |
1199 | !subsection) | |
1200 | return 0; | |
1201 | ||
1202 | name = xmemdupz(subsection, subsection_len); | |
1203 | if (check_submodule_name(name) < 0) | |
1204 | data->ret |= report(data->options, | |
1205 | data->oid, OBJ_BLOB, | |
1206 | FSCK_MSG_GITMODULES_NAME, | |
1207 | "disallowed submodule name: %s", | |
1208 | name); | |
1209 | if (!strcmp(key, "url") && value && | |
1210 | check_submodule_url(value) < 0) | |
1211 | data->ret |= report(data->options, | |
1212 | data->oid, OBJ_BLOB, | |
1213 | FSCK_MSG_GITMODULES_URL, | |
1214 | "disallowed submodule url: %s", | |
1215 | value); | |
1216 | if (!strcmp(key, "path") && value && | |
1217 | looks_like_command_line_option(value)) | |
1218 | data->ret |= report(data->options, | |
1219 | data->oid, OBJ_BLOB, | |
1220 | FSCK_MSG_GITMODULES_PATH, | |
1221 | "disallowed submodule path: %s", | |
1222 | value); | |
1223 | if (!strcmp(key, "update") && value && | |
1224 | parse_submodule_update_type(value) == SM_UPDATE_COMMAND) | |
1225 | data->ret |= report(data->options, data->oid, OBJ_BLOB, | |
1226 | FSCK_MSG_GITMODULES_UPDATE, | |
1227 | "disallowed submodule update setting: %s", | |
1228 | value); | |
1229 | free(name); | |
1230 | ||
1231 | return 0; | |
1232 | } | |
1233 | ||
1234 | static int fsck_blob(const struct object_id *oid, const char *buf, | |
1235 | unsigned long size, struct fsck_options *options) | |
1236 | { | |
1237 | int ret = 0; | |
1238 | ||
1239 | if (object_on_skiplist(options, oid)) | |
1240 | return 0; | |
1241 | ||
1242 | if (oidset_contains(&options->gitmodules_found, oid)) { | |
1243 | struct config_options config_opts = { 0 }; | |
1244 | struct fsck_gitmodules_data data; | |
1245 | ||
1246 | oidset_insert(&options->gitmodules_done, oid); | |
1247 | ||
1248 | if (!buf) { | |
1249 | /* | |
1250 | * A missing buffer here is a sign that the caller found the | |
1251 | * blob too gigantic to load into memory. Let's just consider | |
1252 | * that an error. | |
1253 | */ | |
1254 | return report(options, oid, OBJ_BLOB, | |
1255 | FSCK_MSG_GITMODULES_LARGE, | |
1256 | ".gitmodules too large to parse"); | |
1257 | } | |
1258 | ||
1259 | data.oid = oid; | |
1260 | data.options = options; | |
1261 | data.ret = 0; | |
1262 | config_opts.error_action = CONFIG_ERROR_SILENT; | |
1263 | if (git_config_from_mem(fsck_gitmodules_fn, CONFIG_ORIGIN_BLOB, | |
1264 | ".gitmodules", buf, size, &data, | |
1265 | CONFIG_SCOPE_UNKNOWN, &config_opts)) | |
1266 | data.ret |= report(options, oid, OBJ_BLOB, | |
1267 | FSCK_MSG_GITMODULES_PARSE, | |
1268 | "could not parse gitmodules blob"); | |
1269 | ret |= data.ret; | |
1270 | } | |
1271 | ||
1272 | if (oidset_contains(&options->gitattributes_found, oid)) { | |
1273 | const char *ptr; | |
1274 | ||
1275 | oidset_insert(&options->gitattributes_done, oid); | |
1276 | ||
1277 | if (!buf || size > ATTR_MAX_FILE_SIZE) { | |
1278 | /* | |
1279 | * A missing buffer here is a sign that the caller found the | |
1280 | * blob too gigantic to load into memory. Let's just consider | |
1281 | * that an error. | |
1282 | */ | |
1283 | return report(options, oid, OBJ_BLOB, | |
1284 | FSCK_MSG_GITATTRIBUTES_LARGE, | |
1285 | ".gitattributes too large to parse"); | |
1286 | } | |
1287 | ||
1288 | for (ptr = buf; *ptr; ) { | |
1289 | const char *eol = strchrnul(ptr, '\n'); | |
1290 | if (eol - ptr >= ATTR_MAX_LINE_LENGTH) { | |
1291 | ret |= report(options, oid, OBJ_BLOB, | |
1292 | FSCK_MSG_GITATTRIBUTES_LINE_LENGTH, | |
1293 | ".gitattributes has too long lines to parse"); | |
1294 | break; | |
1295 | } | |
1296 | ||
1297 | ptr = *eol ? eol + 1 : eol; | |
1298 | } | |
1299 | } | |
1300 | ||
1301 | return ret; | |
1302 | } | |
1303 | ||
1304 | int fsck_object(struct object *obj, void *data, unsigned long size, | |
1305 | struct fsck_options *options) | |
1306 | { | |
1307 | if (!obj) | |
1308 | return report(options, NULL, OBJ_NONE, FSCK_MSG_BAD_OBJECT_SHA1, "no valid object to fsck"); | |
1309 | ||
1310 | return fsck_buffer(&obj->oid, obj->type, data, size, options); | |
1311 | } | |
1312 | ||
1313 | int fsck_buffer(const struct object_id *oid, enum object_type type, | |
1314 | void *data, unsigned long size, | |
1315 | struct fsck_options *options) | |
1316 | { | |
1317 | if (type == OBJ_BLOB) | |
1318 | return fsck_blob(oid, data, size, options); | |
1319 | if (type == OBJ_TREE) | |
1320 | return fsck_tree(oid, data, size, options); | |
1321 | if (type == OBJ_COMMIT) | |
1322 | return fsck_commit(oid, data, size, options); | |
1323 | if (type == OBJ_TAG) | |
1324 | return fsck_tag(oid, data, size, options); | |
1325 | ||
1326 | return report(options, oid, type, | |
1327 | FSCK_MSG_UNKNOWN_TYPE, | |
1328 | "unknown type '%d' (internal fsck error)", | |
1329 | type); | |
1330 | } | |
1331 | ||
1332 | int fsck_error_function(struct fsck_options *o, | |
1333 | const struct object_id *oid, | |
1334 | enum object_type object_type UNUSED, | |
1335 | enum fsck_msg_type msg_type, | |
1336 | enum fsck_msg_id msg_id UNUSED, | |
1337 | const char *message) | |
1338 | { | |
1339 | if (msg_type == FSCK_WARN) { | |
1340 | warning("object %s: %s", fsck_describe_object(o, oid), message); | |
1341 | return 0; | |
1342 | } | |
1343 | error("object %s: %s", fsck_describe_object(o, oid), message); | |
1344 | return 1; | |
1345 | } | |
1346 | ||
1347 | static int fsck_blobs(struct oidset *blobs_found, struct oidset *blobs_done, | |
1348 | enum fsck_msg_id msg_missing, enum fsck_msg_id msg_type, | |
1349 | struct fsck_options *options, const char *blob_type) | |
1350 | { | |
1351 | int ret = 0; | |
1352 | struct oidset_iter iter; | |
1353 | const struct object_id *oid; | |
1354 | ||
1355 | oidset_iter_init(blobs_found, &iter); | |
1356 | while ((oid = oidset_iter_next(&iter))) { | |
1357 | enum object_type type; | |
1358 | unsigned long size; | |
1359 | char *buf; | |
1360 | ||
1361 | if (oidset_contains(blobs_done, oid)) | |
1362 | continue; | |
1363 | ||
1364 | buf = repo_read_object_file(the_repository, oid, &type, &size); | |
1365 | if (!buf) { | |
1366 | if (is_promisor_object(oid)) | |
1367 | continue; | |
1368 | ret |= report(options, | |
1369 | oid, OBJ_BLOB, msg_missing, | |
1370 | "unable to read %s blob", blob_type); | |
1371 | continue; | |
1372 | } | |
1373 | ||
1374 | if (type == OBJ_BLOB) | |
1375 | ret |= fsck_blob(oid, buf, size, options); | |
1376 | else | |
1377 | ret |= report(options, oid, type, msg_type, | |
1378 | "non-blob found at %s", blob_type); | |
1379 | free(buf); | |
1380 | } | |
1381 | ||
1382 | oidset_clear(blobs_found); | |
1383 | oidset_clear(blobs_done); | |
1384 | ||
1385 | return ret; | |
1386 | } | |
1387 | ||
1388 | int fsck_finish(struct fsck_options *options) | |
1389 | { | |
1390 | int ret = 0; | |
1391 | ||
1392 | ret |= fsck_blobs(&options->gitmodules_found, &options->gitmodules_done, | |
1393 | FSCK_MSG_GITMODULES_MISSING, FSCK_MSG_GITMODULES_BLOB, | |
1394 | options, ".gitmodules"); | |
1395 | ret |= fsck_blobs(&options->gitattributes_found, &options->gitattributes_done, | |
1396 | FSCK_MSG_GITATTRIBUTES_MISSING, FSCK_MSG_GITATTRIBUTES_BLOB, | |
1397 | options, ".gitattributes"); | |
1398 | ||
1399 | return ret; | |
1400 | } | |
1401 | ||
1402 | int git_fsck_config(const char *var, const char *value, | |
1403 | const struct config_context *ctx, void *cb) | |
1404 | { | |
1405 | struct fsck_options *options = cb; | |
1406 | if (strcmp(var, "fsck.skiplist") == 0) { | |
1407 | const char *path; | |
1408 | struct strbuf sb = STRBUF_INIT; | |
1409 | ||
1410 | if (git_config_pathname(&path, var, value)) | |
1411 | return 1; | |
1412 | strbuf_addf(&sb, "skiplist=%s", path); | |
1413 | free((char *)path); | |
1414 | fsck_set_msg_types(options, sb.buf); | |
1415 | strbuf_release(&sb); | |
1416 | return 0; | |
1417 | } | |
1418 | ||
1419 | if (skip_prefix(var, "fsck.", &var)) { | |
1420 | fsck_set_msg_type(options, var, value); | |
1421 | return 0; | |
1422 | } | |
1423 | ||
1424 | return git_default_config(var, value, ctx, cb); | |
1425 | } | |
1426 | ||
1427 | /* | |
1428 | * Custom error callbacks that are used in more than one place. | |
1429 | */ | |
1430 | ||
1431 | int fsck_error_cb_print_missing_gitmodules(struct fsck_options *o, | |
1432 | const struct object_id *oid, | |
1433 | enum object_type object_type, | |
1434 | enum fsck_msg_type msg_type, | |
1435 | enum fsck_msg_id msg_id, | |
1436 | const char *message) | |
1437 | { | |
1438 | if (msg_id == FSCK_MSG_GITMODULES_MISSING) { | |
1439 | puts(oid_to_hex(oid)); | |
1440 | return 0; | |
1441 | } | |
1442 | return fsck_error_function(o, oid, object_type, msg_type, msg_id, message); | |
1443 | } |