diff options
Diffstat (limited to 'third_party/git/fsck.c')
| -rw-r--r-- | third_party/git/fsck.c | 1218 |
1 files changed, 1218 insertions, 0 deletions
diff --git a/third_party/git/fsck.c b/third_party/git/fsck.c new file mode 100644 index 000000000000..73f30773f28a --- /dev/null +++ b/third_party/git/fsck.c @@ -0,0 +1,1218 @@ +#include "cache.h" +#include "object-store.h" +#include "repository.h" +#include "object.h" +#include "blob.h" +#include "tree.h" +#include "tree-walk.h" +#include "commit.h" +#include "tag.h" +#include "fsck.h" +#include "refs.h" +#include "url.h" +#include "utf8.h" +#include "decorate.h" +#include "oidset.h" +#include "packfile.h" +#include "submodule-config.h" +#include "config.h" +#include "credential.h" +#include "help.h" + +static struct oidset gitmodules_found = OIDSET_INIT; +static struct oidset gitmodules_done = OIDSET_INIT; + +#define FSCK_FATAL -1 +#define FSCK_INFO -2 + +#define FOREACH_MSG_ID(FUNC) \ + /* fatal errors */ \ + FUNC(NUL_IN_HEADER, FATAL) \ + FUNC(UNTERMINATED_HEADER, FATAL) \ + /* errors */ \ + FUNC(BAD_DATE, ERROR) \ + FUNC(BAD_DATE_OVERFLOW, ERROR) \ + FUNC(BAD_EMAIL, ERROR) \ + FUNC(BAD_NAME, ERROR) \ + FUNC(BAD_OBJECT_SHA1, ERROR) \ + FUNC(BAD_PARENT_SHA1, ERROR) \ + FUNC(BAD_TAG_OBJECT, ERROR) \ + FUNC(BAD_TIMEZONE, ERROR) \ + FUNC(BAD_TREE, ERROR) \ + FUNC(BAD_TREE_SHA1, ERROR) \ + FUNC(BAD_TYPE, ERROR) \ + FUNC(DUPLICATE_ENTRIES, ERROR) \ + FUNC(MISSING_AUTHOR, ERROR) \ + FUNC(MISSING_COMMITTER, ERROR) \ + FUNC(MISSING_EMAIL, ERROR) \ + FUNC(MISSING_NAME_BEFORE_EMAIL, ERROR) \ + FUNC(MISSING_OBJECT, ERROR) \ + FUNC(MISSING_SPACE_BEFORE_DATE, ERROR) \ + FUNC(MISSING_SPACE_BEFORE_EMAIL, ERROR) \ + FUNC(MISSING_TAG, ERROR) \ + FUNC(MISSING_TAG_ENTRY, ERROR) \ + FUNC(MISSING_TREE, ERROR) \ + FUNC(MISSING_TREE_OBJECT, ERROR) \ + FUNC(MISSING_TYPE, ERROR) \ + FUNC(MISSING_TYPE_ENTRY, ERROR) \ + FUNC(MULTIPLE_AUTHORS, ERROR) \ + FUNC(TREE_NOT_SORTED, ERROR) \ + FUNC(UNKNOWN_TYPE, ERROR) \ + FUNC(ZERO_PADDED_DATE, ERROR) \ + FUNC(GITMODULES_MISSING, ERROR) \ + FUNC(GITMODULES_BLOB, ERROR) \ + FUNC(GITMODULES_LARGE, ERROR) \ + FUNC(GITMODULES_NAME, ERROR) \ + FUNC(GITMODULES_SYMLINK, ERROR) \ + FUNC(GITMODULES_URL, ERROR) \ + FUNC(GITMODULES_PATH, ERROR) \ + FUNC(GITMODULES_UPDATE, ERROR) \ + /* warnings */ \ + FUNC(BAD_FILEMODE, WARN) \ + FUNC(EMPTY_NAME, WARN) \ + FUNC(FULL_PATHNAME, WARN) \ + FUNC(HAS_DOT, WARN) \ + FUNC(HAS_DOTDOT, WARN) \ + FUNC(HAS_DOTGIT, WARN) \ + FUNC(NULL_SHA1, WARN) \ + FUNC(ZERO_PADDED_FILEMODE, WARN) \ + FUNC(NUL_IN_COMMIT, WARN) \ + /* infos (reported as warnings, but ignored by default) */ \ + FUNC(GITMODULES_PARSE, INFO) \ + FUNC(BAD_TAG_NAME, INFO) \ + FUNC(MISSING_TAGGER_ENTRY, INFO) + +#define MSG_ID(id, msg_type) FSCK_MSG_##id, +enum fsck_msg_id { + FOREACH_MSG_ID(MSG_ID) + FSCK_MSG_MAX +}; +#undef MSG_ID + +#define STR(x) #x +#define MSG_ID(id, msg_type) { STR(id), NULL, NULL, FSCK_##msg_type }, +static struct { + const char *id_string; + const char *downcased; + const char *camelcased; + int msg_type; +} msg_id_info[FSCK_MSG_MAX + 1] = { + FOREACH_MSG_ID(MSG_ID) + { NULL, NULL, NULL, -1 } +}; +#undef MSG_ID + +static void prepare_msg_ids(void) +{ + int i; + + if (msg_id_info[0].downcased) + return; + + /* convert id_string to lower case, without underscores. */ + for (i = 0; i < FSCK_MSG_MAX; i++) { + const char *p = msg_id_info[i].id_string; + int len = strlen(p); + char *q = xmalloc(len); + + msg_id_info[i].downcased = q; + while (*p) + if (*p == '_') + p++; + else + *(q)++ = tolower(*(p)++); + *q = '\0'; + + p = msg_id_info[i].id_string; + q = xmalloc(len); + msg_id_info[i].camelcased = q; + while (*p) { + if (*p == '_') { + p++; + if (*p) + *q++ = *p++; + } else { + *q++ = tolower(*p++); + } + } + *q = '\0'; + } +} + +static int parse_msg_id(const char *text) +{ + int i; + + prepare_msg_ids(); + + for (i = 0; i < FSCK_MSG_MAX; i++) + if (!strcmp(text, msg_id_info[i].downcased)) + return i; + + return -1; +} + +void list_config_fsck_msg_ids(struct string_list *list, const char *prefix) +{ + int i; + + prepare_msg_ids(); + + for (i = 0; i < FSCK_MSG_MAX; i++) + list_config_item(list, prefix, msg_id_info[i].camelcased); +} + +static int fsck_msg_type(enum fsck_msg_id msg_id, + struct fsck_options *options) +{ + int msg_type; + + assert(msg_id >= 0 && msg_id < FSCK_MSG_MAX); + + if (options->msg_type) + msg_type = options->msg_type[msg_id]; + else { + msg_type = msg_id_info[msg_id].msg_type; + if (options->strict && msg_type == FSCK_WARN) + msg_type = FSCK_ERROR; + } + + return msg_type; +} + +static int parse_msg_type(const char *str) +{ + if (!strcmp(str, "error")) + return FSCK_ERROR; + else if (!strcmp(str, "warn")) + return FSCK_WARN; + else if (!strcmp(str, "ignore")) + return FSCK_IGNORE; + else + die("Unknown fsck message type: '%s'", str); +} + +int is_valid_msg_type(const char *msg_id, const char *msg_type) +{ + if (parse_msg_id(msg_id) < 0) + return 0; + parse_msg_type(msg_type); + return 1; +} + +void fsck_set_msg_type(struct fsck_options *options, + const char *msg_id, const char *msg_type) +{ + int id = parse_msg_id(msg_id), type; + + if (id < 0) + die("Unhandled message id: %s", msg_id); + type = parse_msg_type(msg_type); + + if (type != FSCK_ERROR && msg_id_info[id].msg_type == FSCK_FATAL) + die("Cannot demote %s to %s", msg_id, msg_type); + + if (!options->msg_type) { + int i; + int *msg_type; + ALLOC_ARRAY(msg_type, FSCK_MSG_MAX); + for (i = 0; i < FSCK_MSG_MAX; i++) + msg_type[i] = fsck_msg_type(i, options); + options->msg_type = msg_type; + } + + options->msg_type[id] = type; +} + +void fsck_set_msg_types(struct fsck_options *options, const char *values) +{ + char *buf = xstrdup(values), *to_free = buf; + int done = 0; + + while (!done) { + int len = strcspn(buf, " ,|"), equal; + + done = !buf[len]; + if (!len) { + buf++; + continue; + } + buf[len] = '\0'; + + for (equal = 0; + equal < len && buf[equal] != '=' && buf[equal] != ':'; + equal++) + buf[equal] = tolower(buf[equal]); + buf[equal] = '\0'; + + if (!strcmp(buf, "skiplist")) { + if (equal == len) + die("skiplist requires a path"); + oidset_parse_file(&options->skiplist, buf + equal + 1); + buf += len + 1; + continue; + } + + if (equal == len) + die("Missing '=': '%s'", buf); + + fsck_set_msg_type(options, buf, buf + equal + 1); + buf += len + 1; + } + free(to_free); +} + +static void append_msg_id(struct strbuf *sb, const char *msg_id) +{ + for (;;) { + char c = *(msg_id)++; + + if (!c) + break; + if (c != '_') + strbuf_addch(sb, tolower(c)); + else { + assert(*msg_id); + strbuf_addch(sb, *(msg_id)++); + } + } + + strbuf_addstr(sb, ": "); +} + +static int object_on_skiplist(struct fsck_options *opts, + const struct object_id *oid) +{ + return opts && oid && oidset_contains(&opts->skiplist, oid); +} + +__attribute__((format (printf, 5, 6))) +static int report(struct fsck_options *options, + const struct object_id *oid, enum object_type object_type, + enum fsck_msg_id id, const char *fmt, ...) +{ + va_list ap; + struct strbuf sb = STRBUF_INIT; + int msg_type = fsck_msg_type(id, options), result; + + if (msg_type == FSCK_IGNORE) + return 0; + + if (object_on_skiplist(options, oid)) + return 0; + + if (msg_type == FSCK_FATAL) + msg_type = FSCK_ERROR; + else if (msg_type == FSCK_INFO) + msg_type = FSCK_WARN; + + append_msg_id(&sb, msg_id_info[id].id_string); + + va_start(ap, fmt); + strbuf_vaddf(&sb, fmt, ap); + result = options->error_func(options, oid, object_type, + msg_type, sb.buf); + strbuf_release(&sb); + va_end(ap); + + return result; +} + +void fsck_enable_object_names(struct fsck_options *options) +{ + if (!options->object_names) + options->object_names = kh_init_oid_map(); +} + +const char *fsck_get_object_name(struct fsck_options *options, + const struct object_id *oid) +{ + khiter_t pos; + if (!options->object_names) + return NULL; + pos = kh_get_oid_map(options->object_names, *oid); + if (pos >= kh_end(options->object_names)) + return NULL; + return kh_value(options->object_names, pos); +} + +void fsck_put_object_name(struct fsck_options *options, + const struct object_id *oid, + const char *fmt, ...) +{ + va_list ap; + struct strbuf buf = STRBUF_INIT; + khiter_t pos; + int hashret; + + if (!options->object_names) + return; + + pos = kh_put_oid_map(options->object_names, *oid, &hashret); + if (!hashret) + return; + va_start(ap, fmt); + strbuf_vaddf(&buf, fmt, ap); + kh_value(options->object_names, pos) = strbuf_detach(&buf, NULL); + va_end(ap); +} + +const char *fsck_describe_object(struct fsck_options *options, + const struct object_id *oid) +{ + static struct strbuf bufs[] = { + STRBUF_INIT, STRBUF_INIT, STRBUF_INIT, STRBUF_INIT + }; + static int b = 0; + struct strbuf *buf; + const char *name = fsck_get_object_name(options, oid); + + buf = bufs + b; + b = (b + 1) % ARRAY_SIZE(bufs); + strbuf_reset(buf); + strbuf_addstr(buf, oid_to_hex(oid)); + if (name) + strbuf_addf(buf, " (%s)", name); + + return buf->buf; +} + +static int fsck_walk_tree(struct tree *tree, void *data, struct fsck_options *options) +{ + struct tree_desc desc; + struct name_entry entry; + int res = 0; + const char *name; + + if (parse_tree(tree)) + return -1; + + name = fsck_get_object_name(options, &tree->object.oid); + if (init_tree_desc_gently(&desc, tree->buffer, tree->size)) + return -1; + while (tree_entry_gently(&desc, &entry)) { + struct object *obj; + int result; + + if (S_ISGITLINK(entry.mode)) + continue; + + if (S_ISDIR(entry.mode)) { + obj = (struct object *)lookup_tree(the_repository, &entry.oid); + if (name && obj) + fsck_put_object_name(options, &entry.oid, "%s%s/", + name, entry.path); + result = options->walk(obj, OBJ_TREE, data, options); + } + else if (S_ISREG(entry.mode) || S_ISLNK(entry.mode)) { + obj = (struct object *)lookup_blob(the_repository, &entry.oid); + if (name && obj) + fsck_put_object_name(options, &entry.oid, "%s%s", + name, entry.path); + result = options->walk(obj, OBJ_BLOB, data, options); + } + else { + result = error("in tree %s: entry %s has bad mode %.6o", + fsck_describe_object(options, &tree->object.oid), + entry.path, entry.mode); + } + if (result < 0) + return result; + if (!res) + res = result; + } + return res; +} + +static int fsck_walk_commit(struct commit *commit, void *data, struct fsck_options *options) +{ + int counter = 0, generation = 0, name_prefix_len = 0; + struct commit_list *parents; + int res; + int result; + const char *name; + + if (parse_commit(commit)) + return -1; + + name = fsck_get_object_name(options, &commit->object.oid); + if (name) + fsck_put_object_name(options, get_commit_tree_oid(commit), + "%s:", name); + + result = options->walk((struct object *)get_commit_tree(commit), + OBJ_TREE, data, options); + if (result < 0) + return result; + res = result; + + parents = commit->parents; + if (name && parents) { + int len = strlen(name), power; + + if (len && name[len - 1] == '^') { + generation = 1; + name_prefix_len = len - 1; + } + else { /* parse ~<generation> suffix */ + for (generation = 0, power = 1; + len && isdigit(name[len - 1]); + power *= 10) + generation += power * (name[--len] - '0'); + if (power > 1 && len && name[len - 1] == '~') + name_prefix_len = len - 1; + } + } + + while (parents) { + if (name) { + struct object_id *oid = &parents->item->object.oid; + + if (counter++) + fsck_put_object_name(options, oid, "%s^%d", + name, counter); + else if (generation > 0) + fsck_put_object_name(options, oid, "%.*s~%d", + name_prefix_len, name, + generation + 1); + else + fsck_put_object_name(options, oid, "%s^", name); + } + result = options->walk((struct object *)parents->item, OBJ_COMMIT, data, options); + if (result < 0) + return result; + if (!res) + res = result; + parents = parents->next; + } + return res; +} + +static int fsck_walk_tag(struct tag *tag, void *data, struct fsck_options *options) +{ + const char *name = fsck_get_object_name(options, &tag->object.oid); + + if (parse_tag(tag)) + return -1; + if (name) + fsck_put_object_name(options, &tag->tagged->oid, "%s", name); + return options->walk(tag->tagged, OBJ_ANY, data, options); +} + +int fsck_walk(struct object *obj, void *data, struct fsck_options *options) +{ + if (!obj) + return -1; + + if (obj->type == OBJ_NONE) + parse_object(the_repository, &obj->oid); + + switch (obj->type) { + case OBJ_BLOB: + return 0; + case OBJ_TREE: + return fsck_walk_tree((struct tree *)obj, data, options); + case OBJ_COMMIT: + return fsck_walk_commit((struct commit *)obj, data, options); + case OBJ_TAG: + return fsck_walk_tag((struct tag *)obj, data, options); + default: + error("Unknown object type for %s", + fsck_describe_object(options, &obj->oid)); + return -1; + } +} + +/* + * The entries in a tree are ordered in the _path_ order, + * which means that a directory entry is ordered by adding + * a slash to the end of it. + * + * So a directory called "a" is ordered _after_ a file + * called "a.c", because "a/" sorts after "a.c". + */ +#define TREE_UNORDERED (-1) +#define TREE_HAS_DUPS (-2) + +static int verify_ordered(unsigned mode1, const char *name1, unsigned mode2, const char *name2) +{ + int len1 = strlen(name1); + int len2 = strlen(name2); + int len = len1 < len2 ? len1 : len2; + unsigned char c1, c2; + int cmp; + + cmp = memcmp(name1, name2, len); + if (cmp < 0) + return 0; + if (cmp > 0) + return TREE_UNORDERED; + + /* + * Ok, the first <len> characters are the same. + * Now we need to order the next one, but turn + * a '\0' into a '/' for a directory entry. + */ + c1 = name1[len]; + c2 = name2[len]; + if (!c1 && !c2) + /* + * git-write-tree used to write out a nonsense tree that has + * entries with the same name, one blob and one tree. Make + * sure we do not have duplicate entries. + */ + return TREE_HAS_DUPS; + if (!c1 && S_ISDIR(mode1)) + c1 = '/'; + if (!c2 && S_ISDIR(mode2)) + c2 = '/'; + return c1 < c2 ? 0 : TREE_UNORDERED; +} + +static int fsck_tree(const struct object_id *oid, + const char *buffer, unsigned long size, + struct fsck_options *options) +{ + int retval = 0; + int has_null_sha1 = 0; + int has_full_path = 0; + int has_empty_name = 0; + int has_dot = 0; + int has_dotdot = 0; + int has_dotgit = 0; + int has_zero_pad = 0; + int has_bad_modes = 0; + int has_dup_entries = 0; + int not_properly_sorted = 0; + struct tree_desc desc; + unsigned o_mode; + const char *o_name; + + if (init_tree_desc_gently(&desc, buffer, size)) { + retval += report(options, oid, OBJ_TREE, FSCK_MSG_BAD_TREE, "cannot be parsed as a tree"); + return retval; + } + + o_mode = 0; + o_name = NULL; + + while (desc.size) { + unsigned short mode; + const char *name, *backslash; + const struct object_id *oid; + + oid = tree_entry_extract(&desc, &name, &mode); + + has_null_sha1 |= is_null_oid(oid); + has_full_path |= !!strchr(name, '/'); + has_empty_name |= !*name; + has_dot |= !strcmp(name, "."); + has_dotdot |= !strcmp(name, ".."); + has_dotgit |= is_hfs_dotgit(name) || is_ntfs_dotgit(name); + has_zero_pad |= *(char *)desc.buffer == '0'; + + if (is_hfs_dotgitmodules(name) || is_ntfs_dotgitmodules(name)) { + if (!S_ISLNK(mode)) + oidset_insert(&gitmodules_found, oid); + else + retval += report(options, + oid, OBJ_TREE, + FSCK_MSG_GITMODULES_SYMLINK, + ".gitmodules is a symbolic link"); + } + + if ((backslash = strchr(name, '\\'))) { + while (backslash) { + backslash++; + has_dotgit |= is_ntfs_dotgit(backslash); + if (is_ntfs_dotgitmodules(backslash)) { + if (!S_ISLNK(mode)) + oidset_insert(&gitmodules_found, oid); + else + retval += report(options, oid, OBJ_TREE, + FSCK_MSG_GITMODULES_SYMLINK, + ".gitmodules is a symbolic link"); + } + backslash = strchr(backslash, '\\'); + } + } + + if (update_tree_entry_gently(&desc)) { + retval += report(options, oid, OBJ_TREE, FSCK_MSG_BAD_TREE, "cannot be parsed as a tree"); + break; + } + + switch (mode) { + /* + * Standard modes.. + */ + case S_IFREG | 0755: + case S_IFREG | 0644: + case S_IFLNK: + case S_IFDIR: + case S_IFGITLINK: + break; + /* + * This is nonstandard, but we had a few of these + * early on when we honored the full set of mode + * bits.. + */ + case S_IFREG | 0664: + if (!options->strict) + break; + /* fallthrough */ + default: + has_bad_modes = 1; + } + + if (o_name) { + switch (verify_ordered(o_mode, o_name, mode, name)) { + case TREE_UNORDERED: + not_properly_sorted = 1; + break; + case TREE_HAS_DUPS: + has_dup_entries = 1; + break; + default: + break; + } + } + + o_mode = mode; + o_name = name; + } + + if (has_null_sha1) + retval += report(options, oid, OBJ_TREE, FSCK_MSG_NULL_SHA1, "contains entries pointing to null sha1"); + if (has_full_path) + retval += report(options, oid, OBJ_TREE, FSCK_MSG_FULL_PATHNAME, "contains full pathnames"); + if (has_empty_name) + retval += report(options, oid, OBJ_TREE, FSCK_MSG_EMPTY_NAME, "contains empty pathname"); + if (has_dot) + retval += report(options, oid, OBJ_TREE, FSCK_MSG_HAS_DOT, "contains '.'"); + if (has_dotdot) + retval += report(options, oid, OBJ_TREE, FSCK_MSG_HAS_DOTDOT, "contains '..'"); + if (has_dotgit) + retval += report(options, oid, OBJ_TREE, FSCK_MSG_HAS_DOTGIT, "contains '.git'"); + if (has_zero_pad) + retval += report(options, oid, OBJ_TREE, FSCK_MSG_ZERO_PADDED_FILEMODE, "contains zero-padded file modes"); + if (has_bad_modes) + retval += report(options, oid, OBJ_TREE, FSCK_MSG_BAD_FILEMODE, "contains bad file modes"); + if (has_dup_entries) + retval += report(options, oid, OBJ_TREE, FSCK_MSG_DUPLICATE_ENTRIES, "contains duplicate file entries"); + if (not_properly_sorted) + retval += report(options, oid, OBJ_TREE, FSCK_MSG_TREE_NOT_SORTED, "not properly sorted"); + return retval; +} + +static int verify_headers(const void *data, unsigned long size, + const struct object_id *oid, enum object_type type, + struct fsck_options *options) +{ + const char *buffer = (const char *)data; + unsigned long i; + + for (i = 0; i < size; i++) { + switch (buffer[i]) { + case '\0': + return report(options, oid, type, + FSCK_MSG_NUL_IN_HEADER, + "unterminated header: NUL at offset %ld", i); + case '\n': + if (i + 1 < size && buffer[i + 1] == '\n') + return 0; + } + } + + /* + * We did not find double-LF that separates the header + * and the body. Not having a body is not a crime but + * we do want to see the terminating LF for the last header + * line. + */ + if (size && buffer[size - 1] == '\n') + return 0; + + return report(options, oid, type, + FSCK_MSG_UNTERMINATED_HEADER, "unterminated header"); +} + +static int fsck_ident(const char **ident, + const struct object_id *oid, enum object_type type, + struct fsck_options *options) +{ + const char *p = *ident; + char *end; + + *ident = strchrnul(*ident, '\n'); + if (**ident == '\n') + (*ident)++; + + if (*p == '<') + return report(options, oid, type, FSCK_MSG_MISSING_NAME_BEFORE_EMAIL, "invalid author/committer line - missing space before email"); + p += strcspn(p, "<>\n"); + if (*p == '>') + return report(options, oid, type, FSCK_MSG_BAD_NAME, "invalid author/committer line - bad name"); + if (*p != '<') + return report(options, oid, type, FSCK_MSG_MISSING_EMAIL, "invalid author/committer line - missing email"); + if (p[-1] != ' ') + return report(options, oid, type, FSCK_MSG_MISSING_SPACE_BEFORE_EMAIL, "invalid author/committer line - missing space before email"); + p++; + p += strcspn(p, "<>\n"); + if (*p != '>') + return report(options, oid, type, FSCK_MSG_BAD_EMAIL, "invalid author/committer line - bad email"); + p++; + if (*p != ' ') + return report(options, oid, type, FSCK_MSG_MISSING_SPACE_BEFORE_DATE, "invalid author/committer line - missing space before date"); + p++; + if (*p == '0' && p[1] != ' ') + return report(options, oid, type, FSCK_MSG_ZERO_PADDED_DATE, "invalid author/committer line - zero-padded date"); + if (date_overflows(parse_timestamp(p, &end, 10))) + return report(options, oid, type, FSCK_MSG_BAD_DATE_OVERFLOW, "invalid author/committer line - date causes integer overflow"); + if ((end == p || *end != ' ')) + return report(options, oid, type, FSCK_MSG_BAD_DATE, "invalid author/committer line - bad date"); + p = end + 1; + if ((*p != '+' && *p != '-') || + !isdigit(p[1]) || + !isdigit(p[2]) || + !isdigit(p[3]) || + !isdigit(p[4]) || + (p[5] != '\n')) + return report(options, oid, type, FSCK_MSG_BAD_TIMEZONE, "invalid author/committer line - bad time zone"); + p += 6; + return 0; +} + +static int fsck_commit(const struct object_id *oid, + const char *buffer, unsigned long size, + struct fsck_options *options) +{ + struct object_id tree_oid, parent_oid; + unsigned author_count; + int err; + const char *buffer_begin = buffer; + const char *p; + + if (verify_headers(buffer, size, oid, OBJ_COMMIT, options)) + return -1; + + if (!skip_prefix(buffer, "tree ", &buffer)) + return report(options, oid, OBJ_COMMIT, FSCK_MSG_MISSING_TREE, "invalid format - expected 'tree' line"); + if (parse_oid_hex(buffer, &tree_oid, &p) || *p != '\n') { + err = report(options, oid, OBJ_COMMIT, FSCK_MSG_BAD_TREE_SHA1, "invalid 'tree' line format - bad sha1"); + if (err) + return err; + } + buffer = p + 1; + while (skip_prefix(buffer, "parent ", &buffer)) { + if (parse_oid_hex(buffer, &parent_oid, &p) || *p != '\n') { + err = report(options, oid, OBJ_COMMIT, FSCK_MSG_BAD_PARENT_SHA1, "invalid 'parent' line format - bad sha1"); + if (err) + return err; + } + buffer = p + 1; + } + author_count = 0; + while (skip_prefix(buffer, "author ", &buffer)) { + author_count++; + err = fsck_ident(&buffer, oid, OBJ_COMMIT, options); + if (err) + return err; + } + if (author_count < 1) + err = report(options, oid, OBJ_COMMIT, FSCK_MSG_MISSING_AUTHOR, "invalid format - expected 'author' line"); + else if (author_count > 1) + err = report(options, oid, OBJ_COMMIT, FSCK_MSG_MULTIPLE_AUTHORS, "invalid format - multiple 'author' lines"); + if (err) + return err; + if (!skip_prefix(buffer, "committer ", &buffer)) + return report(options, oid, OBJ_COMMIT, FSCK_MSG_MISSING_COMMITTER, "invalid format - expected 'committer' line"); + err = fsck_ident(&buffer, oid, OBJ_COMMIT, options); + if (err) + return err; + if (memchr(buffer_begin, '\0', size)) { + err = report(options, oid, OBJ_COMMIT, FSCK_MSG_NUL_IN_COMMIT, + "NUL byte in the commit object body"); + if (err) + return err; + } + return 0; +} + +static int fsck_tag(const struct object_id *oid, const char *buffer, + unsigned long size, struct fsck_options *options) +{ + struct object_id tagged_oid; + int ret = 0; + char *eol; + struct strbuf sb = STRBUF_INIT; + const char *p; + + ret = verify_headers(buffer, size, oid, OBJ_TAG, options); + if (ret) + goto done; + + if (!skip_prefix(buffer, "object ", &buffer)) { + ret = report(options, oid, OBJ_TAG, FSCK_MSG_MISSING_OBJECT, "invalid format - expected 'object' line"); + goto done; + } + if (parse_oid_hex(buffer, &tagged_oid, &p) || *p != '\n') { + ret = report(options, oid, OBJ_TAG, FSCK_MSG_BAD_OBJECT_SHA1, "invalid 'object' line format - bad sha1"); + if (ret) + goto done; + } + buffer = p + 1; + + if (!skip_prefix(buffer, "type ", &buffer)) { + ret = report(options, oid, OBJ_TAG, FSCK_MSG_MISSING_TYPE_ENTRY, "invalid format - expected 'type' line"); + goto done; + } + eol = strchr(buffer, '\n'); + if (!eol) { + ret = report(options, oid, OBJ_TAG, FSCK_MSG_MISSING_TYPE, "invalid format - unexpected end after 'type' line"); + goto done; + } + if (type_from_string_gently(buffer, eol - buffer, 1) < 0) + ret = report(options, oid, OBJ_TAG, FSCK_MSG_BAD_TYPE, "invalid 'type' value"); + if (ret) + goto done; + buffer = eol + 1; + + if (!skip_prefix(buffer, "tag ", &buffer)) { + ret = report(options, oid, OBJ_TAG, FSCK_MSG_MISSING_TAG_ENTRY, "invalid format - expected 'tag' line"); + goto done; + } + eol = strchr(buffer, '\n'); + if (!eol) { + ret = report(options, oid, OBJ_TAG, FSCK_MSG_MISSING_TAG, "invalid format - unexpected end after 'type' line"); + goto done; + } + strbuf_addf(&sb, "refs/tags/%.*s", (int)(eol - buffer), buffer); + if (check_refname_format(sb.buf, 0)) { + ret = report(options, oid, OBJ_TAG, + FSCK_MSG_BAD_TAG_NAME, + "invalid 'tag' name: %.*s", + (int)(eol - buffer), buffer); + if (ret) + goto done; + } + buffer = eol + 1; + + if (!skip_prefix(buffer, "tagger ", &buffer)) { + /* early tags do not contain 'tagger' lines; warn only */ + ret = report(options, oid, OBJ_TAG, FSCK_MSG_MISSING_TAGGER_ENTRY, "invalid format - expected 'tagger' line"); + if (ret) + goto done; + } + else + ret = fsck_ident(&buffer, oid, OBJ_TAG, options); + +done: + strbuf_release(&sb); + return ret; +} + +/* + * Like builtin/submodule--helper.c's starts_with_dot_slash, but without + * relying on the platform-dependent is_dir_sep helper. + * + * This is for use in checking whether a submodule URL is interpreted as + * relative to the current directory on any platform, since \ is a + * directory separator on Windows but not on other platforms. + */ +static int starts_with_dot_slash(const char *str) +{ + return str[0] == '.' && (str[1] == '/' || str[1] == '\\'); +} + +/* + * Like starts_with_dot_slash, this is a variant of submodule--helper's + * helper of the same name with the twist that it accepts backslash as a + * directory separator even on non-Windows platforms. + */ +static int starts_with_dot_dot_slash(const char *str) +{ + return str[0] == '.' && starts_with_dot_slash(str + 1); +} + +static int submodule_url_is_relative(const char *url) +{ + return starts_with_dot_slash(url) || starts_with_dot_dot_slash(url); +} + +/* + * Count directory components that a relative submodule URL should chop + * from the remote_url it is to be resolved against. + * + * In other words, this counts "../" components at the start of a + * submodule URL. + * + * Returns the number of directory components to chop and writes a + * pointer to the next character of url after all leading "./" and + * "../" components to out. + */ +static int count_leading_dotdots(const char *url, const char **out) +{ + int result = 0; + while (1) { + if (starts_with_dot_dot_slash(url)) { + result++; + url += strlen("../"); + continue; + } + if (starts_with_dot_slash(url)) { + url += strlen("./"); + continue; + } + *out = url; + return result; + } +} +/* + * Check whether a transport is implemented by git-remote-curl. + * + * If it is, returns 1 and writes the URL that would be passed to + * git-remote-curl to the "out" parameter. + * + * Otherwise, returns 0 and leaves "out" untouched. + * + * Examples: + * http::https://example.com/repo.git -> 1, https://example.com/repo.git + * https://example.com/repo.git -> 1, https://example.com/repo.git + * git://example.com/repo.git -> 0 + * + * This is for use in checking for previously exploitable bugs that + * required a submodule URL to be passed to git-remote-curl. + */ +static int url_to_curl_url(const char *url, const char **out) +{ + /* + * We don't need to check for case-aliases, "http.exe", and so + * on because in the default configuration, is_transport_allowed + * prevents URLs with those schemes from being cloned + * automatically. + */ + if (skip_prefix(url, "http::", out) || + skip_prefix(url, "https::", out) || + skip_prefix(url, "ftp::", out) || + skip_prefix(url, "ftps::", out)) + return 1; + if (starts_with(url, "http://") || + starts_with(url, "https://") || + starts_with(url, "ftp://") || + starts_with(url, "ftps://")) { + *out = url; + return 1; + } + return 0; +} + +static int check_submodule_url(const char *url) +{ + const char *curl_url; + + if (looks_like_command_line_option(url)) + return -1; + + if (submodule_url_is_relative(url)) { + char *decoded; + const char *next; + int has_nl; + + /* + * This could be appended to an http URL and url-decoded; + * check for malicious characters. + */ + decoded = url_decode(url); + has_nl = !!strchr(decoded, '\n'); + + free(decoded); + if (has_nl) + return -1; + + /* + * URLs which escape their root via "../" can overwrite + * the host field and previous components, resolving to + * URLs like https::example.com/submodule.git and + * https:///example.com/submodule.git that were + * susceptible to CVE-2020-11008. + */ + if (count_leading_dotdots(url, &next) > 0 && + (*next == ':' || *next == '/')) + return -1; + } + + else if (url_to_curl_url(url, &curl_url)) { + struct credential c = CREDENTIAL_INIT; + int ret = 0; + if (credential_from_url_gently(&c, curl_url, 1) || + !*c.host) + ret = -1; + credential_clear(&c); + return ret; + } + + return 0; +} + +struct fsck_gitmodules_data { + const struct object_id *oid; + struct fsck_options *options; + int ret; +}; + +static int fsck_gitmodules_fn(const char *var, const char *value, void *vdata) +{ + struct fsck_gitmodules_data *data = vdata; + const char *subsection, *key; + int subsection_len; + char *name; + + if (parse_config_key(var, "submodule", &subsection, &subsection_len, &key) < 0 || + !subsection) + return 0; + + name = xmemdupz(subsection, subsection_len); + if (check_submodule_name(name) < 0) + data->ret |= report(data->options, + data->oid, OBJ_BLOB, + FSCK_MSG_GITMODULES_NAME, + "disallowed submodule name: %s", + name); + if (!strcmp(key, "url") && value && + check_submodule_url(value) < 0) + data->ret |= report(data->options, + data->oid, OBJ_BLOB, + FSCK_MSG_GITMODULES_URL, + "disallowed submodule url: %s", + value); + if (!strcmp(key, "path") && value && + looks_like_command_line_option(value)) + data->ret |= report(data->options, + data->oid, OBJ_BLOB, + FSCK_MSG_GITMODULES_PATH, + "disallowed submodule path: %s", + value); + if (!strcmp(key, "update") && value && + parse_submodule_update_type(value) == SM_UPDATE_COMMAND) + data->ret |= report(data->options, data->oid, OBJ_BLOB, + FSCK_MSG_GITMODULES_UPDATE, + "disallowed submodule update setting: %s", + value); + free(name); + + return 0; +} + +static int fsck_blob(const struct object_id *oid, const char *buf, + unsigned long size, struct fsck_options *options) +{ + struct fsck_gitmodules_data data; + struct config_options config_opts = { 0 }; + + if (!oidset_contains(&gitmodules_found, oid)) + return 0; + oidset_insert(&gitmodules_done, oid); + + if (object_on_skiplist(options, oid)) + return 0; + + if (!buf) { + /* + * A missing buffer here is a sign that the caller found the + * blob too gigantic to load into memory. Let's just consider + * that an error. + */ + return report(options, oid, OBJ_BLOB, + FSCK_MSG_GITMODULES_LARGE, + ".gitmodules too large to parse"); + } + + data.oid = oid; + data.options = options; + data.ret = 0; + config_opts.error_action = CONFIG_ERROR_SILENT; + if (git_config_from_mem(fsck_gitmodules_fn, CONFIG_ORIGIN_BLOB, + ".gitmodules", buf, size, &data, &config_opts)) + data.ret |= report(options, oid, OBJ_BLOB, + FSCK_MSG_GITMODULES_PARSE, + "could not parse gitmodules blob"); + + return data.ret; +} + +int fsck_object(struct object *obj, void *data, unsigned long size, + struct fsck_options *options) +{ + if (!obj) + return report(options, NULL, OBJ_NONE, FSCK_MSG_BAD_OBJECT_SHA1, "no valid object to fsck"); + + if (obj->type == OBJ_BLOB) + return fsck_blob(&obj->oid, data, size, options); + if (obj->type == OBJ_TREE) + return fsck_tree(&obj->oid, data, size, options); + if (obj->type == OBJ_COMMIT) + return fsck_commit(&obj->oid, data, size, options); + if (obj->type == OBJ_TAG) + return fsck_tag(&obj->oid, data, size, options); + + return report(options, &obj->oid, obj->type, + FSCK_MSG_UNKNOWN_TYPE, + "unknown type '%d' (internal fsck error)", + obj->type); +} + +int fsck_error_function(struct fsck_options *o, + const struct object_id *oid, + enum object_type object_type, + int msg_type, const char *message) +{ + if (msg_type == FSCK_WARN) { + warning("object %s: %s", fsck_describe_object(o, oid), message); + return 0; + } + error("object %s: %s", fsck_describe_object(o, oid), message); + return 1; +} + +int fsck_finish(struct fsck_options *options) +{ + int ret = 0; + struct oidset_iter iter; + const struct object_id *oid; + + oidset_iter_init(&gitmodules_found, &iter); + while ((oid = oidset_iter_next(&iter))) { + enum object_type type; + unsigned long size; + char *buf; + + if (oidset_contains(&gitmodules_done, oid)) + continue; + + buf = read_object_file(oid, &type, &size); + if (!buf) { + if (is_promisor_object(oid)) + continue; + ret |= report(options, + oid, OBJ_BLOB, + FSCK_MSG_GITMODULES_MISSING, + "unable to read .gitmodules blob"); + continue; + } + + if (type == OBJ_BLOB) + ret |= fsck_blob(oid, buf, size, options); + else + ret |= report(options, + oid, type, + FSCK_MSG_GITMODULES_BLOB, + "non-blob found at .gitmodules"); + free(buf); + } + + + oidset_clear(&gitmodules_found); + oidset_clear(&gitmodules_done); + return ret; +} |