path: reject .gitmodules as a symlink

carlosmn · carlosmn · commit a7168b47ee49 · 2018-05-23T08:47:08.000+02:00
Any part of the library which asks the question can pass in the mode to have it
checked against `.gitmodules` being a symlink.

This is particularly relevant for adding entries to the index from the worktree
and for checking out files.
diff --git a/src/checkout.c b/src/checkout.c
@@ -1276,14 +1276,14 @@ static int checkout_verify_paths(
 	unsigned int flags = GIT_PATH_REJECT_WORKDIR_DEFAULTS;
 
 	if (action & CHECKOUT_ACTION__REMOVE) {
-		if (!git_path_isvalid(repo, delta->old_file.path, flags)) {
+		if (!git_path_isvalid(repo, delta->old_file.path, delta->old_file.mode, flags)) {
 			giterr_set(GITERR_CHECKOUT, "cannot remove invalid path '%s'", delta->old_file.path);
 			return -1;
 		}
 	}
 
 	if (action & ~CHECKOUT_ACTION__REMOVE) {
-		if (!git_path_isvalid(repo, delta->new_file.path, flags)) {
+		if (!git_path_isvalid(repo, delta->new_file.path, delta->new_file.mode, flags)) {
 			giterr_set(GITERR_CHECKOUT, "cannot checkout to invalid path '%s'", delta->new_file.path);
 			return -1;
 		}
diff --git a/src/index.c b/src/index.c
@@ -890,17 +890,18 @@ static int index_entry_create(
 	size_t pathlen = strlen(path), alloclen;
 	struct entry_internal *entry;
 	unsigned int path_valid_flags = GIT_PATH_REJECT_INDEX_DEFAULTS;
-
-	GIT_UNUSED(st);
+	uint16_t mode = 0;
 
 	/* always reject placing `.git` in the index and directory traversal.
 	 * when requested, disallow platform-specific filenames and upgrade to
 	 * the platform-specific `.git` tests (eg, `git~1`, etc).
 	 */
 	if (from_workdir)
 		path_valid_flags |= GIT_PATH_REJECT_WORKDIR_DEFAULTS;
+	if (st)
+		mode = st->st_mode;
 
-	if (!git_path_isvalid(repo, path, path_valid_flags)) {
+	if (!git_path_isvalid(repo, path, mode, path_valid_flags)) {
 		giterr_set(GITERR_INDEX, "invalid path: '%s'", path);
 		return -1;
 	}
@@ -925,7 +926,7 @@ static int index_entry_init(
 {
 	int error = 0;
 	git_index_entry *entry = NULL;
-	git_buf path;
+	git_buf path = GIT_BUF_INIT;
 	struct stat st;
 	git_oid oid;
 	git_repository *repo;
diff --git a/src/path.c b/src/path.c
@@ -1712,6 +1712,7 @@ static bool verify_component(
 	git_repository *repo,
 	const char *component,
 	size_t len,
+	uint16_t mode,
 	unsigned int flags)
 {
 	if (len == 0)
@@ -1744,13 +1745,19 @@ static bool verify_component(
 			return false;
 	}
 
-	if (flags & GIT_PATH_REJECT_DOT_GIT_HFS &&
-		!verify_dotgit_hfs(component, len))
-		return false;
+	if (flags & GIT_PATH_REJECT_DOT_GIT_HFS) {
+		if (!verify_dotgit_hfs(component, len))
+			return false;
+		if (S_ISLNK(mode) && git_path_is_hfs_dotgit_modules(component, len))
+			return false;
+	}
 
-	if (flags & GIT_PATH_REJECT_DOT_GIT_NTFS &&
-		!verify_dotgit_ntfs(repo, component, len))
-		return false;
+	if (flags & GIT_PATH_REJECT_DOT_GIT_NTFS) {
+		if (!verify_dotgit_ntfs(repo, component, len))
+			return false;
+		if (S_ISLNK(mode) && git_path_is_ntfs_dotgit_modules(component, len))
+			return false;
+	}
 
 	/* don't bother rerunning the `.git` test if we ran the HFS or NTFS
 	 * specific tests, they would have already rejected `.git`.
@@ -1801,6 +1808,7 @@ GIT_INLINE(unsigned int) dotgit_flags(
 bool git_path_isvalid(
 	git_repository *repo,
 	const char *path,
+	uint16_t mode,
 	unsigned int flags)
 {
 	const char *start, *c;
@@ -1814,14 +1822,14 @@ bool git_path_isvalid(
 			return false;
 
 		if (*c == '/') {
-			if (!verify_component(repo, start, (c - start), flags))
+			if (!verify_component(repo, start, (c - start), mode, flags))
 				return false;
 
 			start = c+1;
 		}
 	}
 
-	return verify_component(repo, start, (c - start), flags);
+	return verify_component(repo, start, (c - start), mode, flags);
 }
 
 int git_path_normalize_slashes(git_buf *out, const char *path)
diff --git a/src/path.h b/src/path.h
@@ -637,6 +637,7 @@ extern int git_path_from_url_or_path(git_buf *local_path_out, const char *url_or
 extern bool git_path_isvalid(
 	git_repository *repo,
 	const char *path,
+	uint16_t mode,
 	unsigned int flags);
 
 /**
diff --git a/src/refdb_fs.c b/src/refdb_fs.c
@@ -744,7 +744,7 @@ static int loose_lock(git_filebuf *file, refdb_fs_backend *backend, const char *
 
 	assert(file && backend && name);
 
-	if (!git_path_isvalid(backend->repo, name, GIT_PATH_REJECT_FILESYSTEM_DEFAULTS)) {
+	if (!git_path_isvalid(backend->repo, name, 0, GIT_PATH_REJECT_FILESYSTEM_DEFAULTS)) {
 		giterr_set(GITERR_INVALID, "invalid reference name '%s'", name);
 		return GIT_EINVALIDSPEC;
 	}
@@ -1742,7 +1742,7 @@ static int lock_reflog(git_filebuf *file, refdb_fs_backend *backend, const char
 
 	repo = backend->repo;
 
-	if (!git_path_isvalid(backend->repo, refname, GIT_PATH_REJECT_FILESYSTEM_DEFAULTS)) {
+	if (!git_path_isvalid(backend->repo, refname, 0, GIT_PATH_REJECT_FILESYSTEM_DEFAULTS)) {
 		giterr_set(GITERR_INVALID, "invalid reference name '%s'", refname);
 		return GIT_EINVALIDSPEC;
 	}
diff --git a/src/submodule.c b/src/submodule.c
@@ -382,7 +382,7 @@ int git_submodule_name_is_valid(const git_repository *repo, const char *name, in
 	}
 
 	/* FIXME: Un-consting it to reduce the amount of diff */
-	isvalid =  git_path_isvalid((git_repository *)repo, buf.ptr, flags);
+	isvalid =  git_path_isvalid((git_repository *)repo, buf.ptr, 0, flags);
 	git_buf_free(&buf);
 
 	return isvalid;
diff --git a/src/tree.c b/src/tree.c
@@ -54,7 +54,7 @@ GIT_INLINE(git_filemode_t) normalize_filemode(git_filemode_t filemode)
 static int valid_entry_name(git_repository *repo, const char *filename)
 {
 	return *filename != '\0' &&
-		git_path_isvalid(repo, filename,
+		git_path_isvalid(repo, filename, 0,
 		GIT_PATH_REJECT_TRAVERSAL | GIT_PATH_REJECT_DOT_GIT | GIT_PATH_REJECT_SLASH);
 }
 
diff --git a/tests/path/core.c b/tests/path/core.c
diff --git a/tests/path/dotgit.c b/tests/path/dotgit.c

Original file line number	Diff line number	Diff line change
`@@ -1276,14 +1276,14 @@ static int checkout_verify_paths(`
`1276`	`1276`	`unsigned int flags = GIT_PATH_REJECT_WORKDIR_DEFAULTS;`
`1277`	`1277`
`1278`	`1278`	`if (action & CHECKOUT_ACTION__REMOVE) {`
`1279`		`- if (!git_path_isvalid(repo, delta->old_file.path, flags)) {`
	`1279`	`+ if (!git_path_isvalid(repo, delta->old_file.path, delta->old_file.mode, flags)) {`
`1280`	`1280`	`giterr_set(GITERR_CHECKOUT, "cannot remove invalid path '%s'", delta->old_file.path);`
`1281`	`1281`	`return -1;`
`1282`	`1282`	`}`
`1283`	`1283`	`}`
`1284`	`1284`
`1285`	`1285`	`if (action & ~CHECKOUT_ACTION__REMOVE) {`
`1286`		`- if (!git_path_isvalid(repo, delta->new_file.path, flags)) {`
	`1286`	`+ if (!git_path_isvalid(repo, delta->new_file.path, delta->new_file.mode, flags)) {`
`1287`	`1287`	`giterr_set(GITERR_CHECKOUT, "cannot checkout to invalid path '%s'", delta->new_file.path);`
`1288`	`1288`	`return -1;`
`1289`	`1289`	`}`
Original file line number	Diff line number	Diff line change
`@@ -744,7 +744,7 @@ static int loose_lock(git_filebuf file, refdb_fs_backend backend, const char *`
`744`	`744`
`745`	`745`	`assert(file && backend && name);`
`746`	`746`
`747`		`- if (!git_path_isvalid(backend->repo, name, GIT_PATH_REJECT_FILESYSTEM_DEFAULTS)) {`
	`747`	`+ if (!git_path_isvalid(backend->repo, name, 0, GIT_PATH_REJECT_FILESYSTEM_DEFAULTS)) {`
`748`	`748`	`giterr_set(GITERR_INVALID, "invalid reference name '%s'", name);`
`749`	`749`	`return GIT_EINVALIDSPEC;`
`750`	`750`	`}`
`@@ -1742,7 +1742,7 @@ static int lock_reflog(git_filebuf file, refdb_fs_backend backend, const char`
`1742`	`1742`
`1743`	`1743`	`repo = backend->repo;`
`1744`	`1744`
`1745`		`- if (!git_path_isvalid(backend->repo, refname, GIT_PATH_REJECT_FILESYSTEM_DEFAULTS)) {`
	`1745`	`+ if (!git_path_isvalid(backend->repo, refname, 0, GIT_PATH_REJECT_FILESYSTEM_DEFAULTS)) {`
`1746`	`1746`	`giterr_set(GITERR_INVALID, "invalid reference name '%s'", refname);`
`1747`	`1747`	`return GIT_EINVALIDSPEC;`
`1748`	`1748`	`}`
Original file line number	Diff line number	Diff line change
`@@ -382,7 +382,7 @@ int git_submodule_name_is_valid(const git_repository repo, const char name, in`
`382`	`382`	`}`
`383`	`383`
`384`	`384`	`/* FIXME: Un-consting it to reduce the amount of diff */`
`385`		`- isvalid = git_path_isvalid((git_repository *)repo, buf.ptr, flags);`
	`385`	`+ isvalid = git_path_isvalid((git_repository *)repo, buf.ptr, 0, flags);`
`386`	`386`	`git_buf_free(&buf);`
`387`	`387`
`388`	`388`	`return isvalid;`
Original file line number	Diff line number	Diff line change
`@@ -54,7 +54,7 @@ GIT_INLINE(git_filemode_t) normalize_filemode(git_filemode_t filemode)`
`54`	`54`	`static int valid_entry_name(git_repository repo, const char filename)`
`55`	`55`	`{`
`56`	`56`	`return *filename != '\0' &&`
`57`		`- git_path_isvalid(repo, filename,`
	`57`	`+ git_path_isvalid(repo, filename, 0,`
`58`	`58`	`GIT_PATH_REJECT_TRAVERSAL \| GIT_PATH_REJECT_DOT_GIT \| GIT_PATH_REJECT_SLASH);`
`59`	`59`	`}`
`60`	`60`