mirror of
https://github.com/git/git.git
synced 2024-11-23 18:05:29 +08:00
0fbcaef6b4
In general, Git tries not to arbitrarily limit what it will store, and there are currently no limits at all on the size of the path we find in a tree. In theory you could have one that is gigabytes long. But in practice this freedom is not really helping anybody, and is potentially harmful: 1. Most operating systems have much lower limits for the size of a single pathname component (e.g., on Linux you'll generally get ENAMETOOLONG for anything over 255 bytes). And while you _can_ use Git in a way that never touches the filesystem (manipulating the index and trees directly), it's still probably not a good idea to have gigantic tree names. Many operations load and traverse them, so any clever Git-as-a-database scheme is likely to perform poorly in that case. 2. We still have a lot of code which assumes strings are reasonably sized, and I won't be at all surprised if you can trigger some interesting integer overflows with gigantic pathnames. Stopping malicious trees from entering the repository provides an extra line of defense, protecting downstream code. This patch implements an fsck check so that such trees can be rejected by transfer.fsckObjects. I've picked a reasonably high maximum depth here (4096) that hopefully should not bother anybody in practice. I've also made it configurable, as an escape hatch. Signed-off-by: Jeff King <peff@peff.net> Signed-off-by: Junio C Hamano <gitster@pobox.com>
1444 lines
38 KiB
C
1444 lines
38 KiB
C
#include "git-compat-util.h"
|
|
#include "date.h"
|
|
#include "dir.h"
|
|
#include "hex.h"
|
|
#include "object-store-ll.h"
|
|
#include "path.h"
|
|
#include "repository.h"
|
|
#include "object.h"
|
|
#include "attr.h"
|
|
#include "blob.h"
|
|
#include "tree.h"
|
|
#include "tree-walk.h"
|
|
#include "commit.h"
|
|
#include "tag.h"
|
|
#include "fsck.h"
|
|
#include "refs.h"
|
|
#include "url.h"
|
|
#include "utf8.h"
|
|
#include "decorate.h"
|
|
#include "oidset.h"
|
|
#include "packfile.h"
|
|
#include "submodule-config.h"
|
|
#include "config.h"
|
|
#include "credential.h"
|
|
#include "help.h"
|
|
|
|
static ssize_t max_tree_entry_len = 4096;
|
|
|
|
#define STR(x) #x
|
|
#define MSG_ID(id, msg_type) { STR(id), NULL, NULL, FSCK_##msg_type },
|
|
static struct {
|
|
const char *id_string;
|
|
const char *downcased;
|
|
const char *camelcased;
|
|
enum fsck_msg_type msg_type;
|
|
} msg_id_info[FSCK_MSG_MAX + 1] = {
|
|
FOREACH_FSCK_MSG_ID(MSG_ID)
|
|
{ NULL, NULL, NULL, -1 }
|
|
};
|
|
#undef MSG_ID
|
|
#undef STR
|
|
|
|
static void prepare_msg_ids(void)
|
|
{
|
|
int i;
|
|
|
|
if (msg_id_info[0].downcased)
|
|
return;
|
|
|
|
/* convert id_string to lower case, without underscores. */
|
|
for (i = 0; i < FSCK_MSG_MAX; i++) {
|
|
const char *p = msg_id_info[i].id_string;
|
|
int len = strlen(p);
|
|
char *q = xmalloc(len);
|
|
|
|
msg_id_info[i].downcased = q;
|
|
while (*p)
|
|
if (*p == '_')
|
|
p++;
|
|
else
|
|
*(q)++ = tolower(*(p)++);
|
|
*q = '\0';
|
|
|
|
p = msg_id_info[i].id_string;
|
|
q = xmalloc(len);
|
|
msg_id_info[i].camelcased = q;
|
|
while (*p) {
|
|
if (*p == '_') {
|
|
p++;
|
|
if (*p)
|
|
*q++ = *p++;
|
|
} else {
|
|
*q++ = tolower(*p++);
|
|
}
|
|
}
|
|
*q = '\0';
|
|
}
|
|
}
|
|
|
|
static int parse_msg_id(const char *text)
|
|
{
|
|
int i;
|
|
|
|
prepare_msg_ids();
|
|
|
|
for (i = 0; i < FSCK_MSG_MAX; i++)
|
|
if (!strcmp(text, msg_id_info[i].downcased))
|
|
return i;
|
|
|
|
return -1;
|
|
}
|
|
|
|
void list_config_fsck_msg_ids(struct string_list *list, const char *prefix)
|
|
{
|
|
int i;
|
|
|
|
prepare_msg_ids();
|
|
|
|
for (i = 0; i < FSCK_MSG_MAX; i++)
|
|
list_config_item(list, prefix, msg_id_info[i].camelcased);
|
|
}
|
|
|
|
static enum fsck_msg_type fsck_msg_type(enum fsck_msg_id msg_id,
|
|
struct fsck_options *options)
|
|
{
|
|
assert(msg_id >= 0 && msg_id < FSCK_MSG_MAX);
|
|
|
|
if (!options->msg_type) {
|
|
enum fsck_msg_type msg_type = msg_id_info[msg_id].msg_type;
|
|
|
|
if (options->strict && msg_type == FSCK_WARN)
|
|
msg_type = FSCK_ERROR;
|
|
return msg_type;
|
|
}
|
|
|
|
return options->msg_type[msg_id];
|
|
}
|
|
|
|
static enum fsck_msg_type parse_msg_type(const char *str)
|
|
{
|
|
if (!strcmp(str, "error"))
|
|
return FSCK_ERROR;
|
|
else if (!strcmp(str, "warn"))
|
|
return FSCK_WARN;
|
|
else if (!strcmp(str, "ignore"))
|
|
return FSCK_IGNORE;
|
|
else
|
|
die("Unknown fsck message type: '%s'", str);
|
|
}
|
|
|
|
int is_valid_msg_type(const char *msg_id, const char *msg_type)
|
|
{
|
|
if (parse_msg_id(msg_id) < 0)
|
|
return 0;
|
|
parse_msg_type(msg_type);
|
|
return 1;
|
|
}
|
|
|
|
void fsck_set_msg_type_from_ids(struct fsck_options *options,
|
|
enum fsck_msg_id msg_id,
|
|
enum fsck_msg_type msg_type)
|
|
{
|
|
if (!options->msg_type) {
|
|
int i;
|
|
enum fsck_msg_type *severity;
|
|
ALLOC_ARRAY(severity, FSCK_MSG_MAX);
|
|
for (i = 0; i < FSCK_MSG_MAX; i++)
|
|
severity[i] = fsck_msg_type(i, options);
|
|
options->msg_type = severity;
|
|
}
|
|
|
|
options->msg_type[msg_id] = msg_type;
|
|
}
|
|
|
|
void fsck_set_msg_type(struct fsck_options *options,
|
|
const char *msg_id_str, const char *msg_type_str)
|
|
{
|
|
int msg_id = parse_msg_id(msg_id_str);
|
|
char *to_free = NULL;
|
|
enum fsck_msg_type msg_type;
|
|
|
|
if (msg_id < 0)
|
|
die("Unhandled message id: %s", msg_id_str);
|
|
|
|
if (msg_id == FSCK_MSG_LARGE_PATHNAME) {
|
|
const char *colon = strchr(msg_type_str, ':');
|
|
if (colon) {
|
|
msg_type_str = to_free =
|
|
xmemdupz(msg_type_str, colon - msg_type_str);
|
|
colon++;
|
|
if (!git_parse_ssize_t(colon, &max_tree_entry_len))
|
|
die("unable to parse max tree entry len: %s", colon);
|
|
}
|
|
}
|
|
msg_type = parse_msg_type(msg_type_str);
|
|
|
|
if (msg_type != FSCK_ERROR && msg_id_info[msg_id].msg_type == FSCK_FATAL)
|
|
die("Cannot demote %s to %s", msg_id_str, msg_type_str);
|
|
|
|
fsck_set_msg_type_from_ids(options, msg_id, msg_type);
|
|
free(to_free);
|
|
}
|
|
|
|
void fsck_set_msg_types(struct fsck_options *options, const char *values)
|
|
{
|
|
char *buf = xstrdup(values), *to_free = buf;
|
|
int done = 0;
|
|
|
|
while (!done) {
|
|
int len = strcspn(buf, " ,|"), equal;
|
|
|
|
done = !buf[len];
|
|
if (!len) {
|
|
buf++;
|
|
continue;
|
|
}
|
|
buf[len] = '\0';
|
|
|
|
for (equal = 0;
|
|
equal < len && buf[equal] != '=' && buf[equal] != ':';
|
|
equal++)
|
|
buf[equal] = tolower(buf[equal]);
|
|
buf[equal] = '\0';
|
|
|
|
if (!strcmp(buf, "skiplist")) {
|
|
if (equal == len)
|
|
die("skiplist requires a path");
|
|
oidset_parse_file(&options->skiplist, buf + equal + 1);
|
|
buf += len + 1;
|
|
continue;
|
|
}
|
|
|
|
if (equal == len)
|
|
die("Missing '=': '%s'", buf);
|
|
|
|
fsck_set_msg_type(options, buf, buf + equal + 1);
|
|
buf += len + 1;
|
|
}
|
|
free(to_free);
|
|
}
|
|
|
|
static int object_on_skiplist(struct fsck_options *opts,
|
|
const struct object_id *oid)
|
|
{
|
|
return opts && oid && oidset_contains(&opts->skiplist, oid);
|
|
}
|
|
|
|
__attribute__((format (printf, 5, 6)))
|
|
static int report(struct fsck_options *options,
|
|
const struct object_id *oid, enum object_type object_type,
|
|
enum fsck_msg_id msg_id, const char *fmt, ...)
|
|
{
|
|
va_list ap;
|
|
struct strbuf sb = STRBUF_INIT;
|
|
enum fsck_msg_type msg_type = fsck_msg_type(msg_id, options);
|
|
int result;
|
|
|
|
if (msg_type == FSCK_IGNORE)
|
|
return 0;
|
|
|
|
if (object_on_skiplist(options, oid))
|
|
return 0;
|
|
|
|
if (msg_type == FSCK_FATAL)
|
|
msg_type = FSCK_ERROR;
|
|
else if (msg_type == FSCK_INFO)
|
|
msg_type = FSCK_WARN;
|
|
|
|
prepare_msg_ids();
|
|
strbuf_addf(&sb, "%s: ", msg_id_info[msg_id].camelcased);
|
|
|
|
va_start(ap, fmt);
|
|
strbuf_vaddf(&sb, fmt, ap);
|
|
result = options->error_func(options, oid, object_type,
|
|
msg_type, msg_id, sb.buf);
|
|
strbuf_release(&sb);
|
|
va_end(ap);
|
|
|
|
return result;
|
|
}
|
|
|
|
void fsck_enable_object_names(struct fsck_options *options)
|
|
{
|
|
if (!options->object_names)
|
|
options->object_names = kh_init_oid_map();
|
|
}
|
|
|
|
const char *fsck_get_object_name(struct fsck_options *options,
|
|
const struct object_id *oid)
|
|
{
|
|
khiter_t pos;
|
|
if (!options->object_names)
|
|
return NULL;
|
|
pos = kh_get_oid_map(options->object_names, *oid);
|
|
if (pos >= kh_end(options->object_names))
|
|
return NULL;
|
|
return kh_value(options->object_names, pos);
|
|
}
|
|
|
|
void fsck_put_object_name(struct fsck_options *options,
|
|
const struct object_id *oid,
|
|
const char *fmt, ...)
|
|
{
|
|
va_list ap;
|
|
struct strbuf buf = STRBUF_INIT;
|
|
khiter_t pos;
|
|
int hashret;
|
|
|
|
if (!options->object_names)
|
|
return;
|
|
|
|
pos = kh_put_oid_map(options->object_names, *oid, &hashret);
|
|
if (!hashret)
|
|
return;
|
|
va_start(ap, fmt);
|
|
strbuf_vaddf(&buf, fmt, ap);
|
|
kh_value(options->object_names, pos) = strbuf_detach(&buf, NULL);
|
|
va_end(ap);
|
|
}
|
|
|
|
const char *fsck_describe_object(struct fsck_options *options,
|
|
const struct object_id *oid)
|
|
{
|
|
static struct strbuf bufs[] = {
|
|
STRBUF_INIT, STRBUF_INIT, STRBUF_INIT, STRBUF_INIT
|
|
};
|
|
static int b = 0;
|
|
struct strbuf *buf;
|
|
const char *name = fsck_get_object_name(options, oid);
|
|
|
|
buf = bufs + b;
|
|
b = (b + 1) % ARRAY_SIZE(bufs);
|
|
strbuf_reset(buf);
|
|
strbuf_addstr(buf, oid_to_hex(oid));
|
|
if (name)
|
|
strbuf_addf(buf, " (%s)", name);
|
|
|
|
return buf->buf;
|
|
}
|
|
|
|
static int fsck_walk_tree(struct tree *tree, void *data, struct fsck_options *options)
|
|
{
|
|
struct tree_desc desc;
|
|
struct name_entry entry;
|
|
int res = 0;
|
|
const char *name;
|
|
|
|
if (parse_tree(tree))
|
|
return -1;
|
|
|
|
name = fsck_get_object_name(options, &tree->object.oid);
|
|
if (init_tree_desc_gently(&desc, tree->buffer, tree->size, 0))
|
|
return -1;
|
|
while (tree_entry_gently(&desc, &entry)) {
|
|
struct object *obj;
|
|
int result;
|
|
|
|
if (S_ISGITLINK(entry.mode))
|
|
continue;
|
|
|
|
if (S_ISDIR(entry.mode)) {
|
|
obj = (struct object *)lookup_tree(the_repository, &entry.oid);
|
|
if (name && obj)
|
|
fsck_put_object_name(options, &entry.oid, "%s%s/",
|
|
name, entry.path);
|
|
result = options->walk(obj, OBJ_TREE, data, options);
|
|
}
|
|
else if (S_ISREG(entry.mode) || S_ISLNK(entry.mode)) {
|
|
obj = (struct object *)lookup_blob(the_repository, &entry.oid);
|
|
if (name && obj)
|
|
fsck_put_object_name(options, &entry.oid, "%s%s",
|
|
name, entry.path);
|
|
result = options->walk(obj, OBJ_BLOB, data, options);
|
|
}
|
|
else {
|
|
result = error("in tree %s: entry %s has bad mode %.6o",
|
|
fsck_describe_object(options, &tree->object.oid),
|
|
entry.path, entry.mode);
|
|
}
|
|
if (result < 0)
|
|
return result;
|
|
if (!res)
|
|
res = result;
|
|
}
|
|
return res;
|
|
}
|
|
|
|
static int fsck_walk_commit(struct commit *commit, void *data, struct fsck_options *options)
|
|
{
|
|
int counter = 0, generation = 0, name_prefix_len = 0;
|
|
struct commit_list *parents;
|
|
int res;
|
|
int result;
|
|
const char *name;
|
|
|
|
if (repo_parse_commit(the_repository, commit))
|
|
return -1;
|
|
|
|
name = fsck_get_object_name(options, &commit->object.oid);
|
|
if (name)
|
|
fsck_put_object_name(options, get_commit_tree_oid(commit),
|
|
"%s:", name);
|
|
|
|
result = options->walk((struct object *) repo_get_commit_tree(the_repository, commit),
|
|
OBJ_TREE, data, options);
|
|
if (result < 0)
|
|
return result;
|
|
res = result;
|
|
|
|
parents = commit->parents;
|
|
if (name && parents) {
|
|
int len = strlen(name), power;
|
|
|
|
if (len && name[len - 1] == '^') {
|
|
generation = 1;
|
|
name_prefix_len = len - 1;
|
|
}
|
|
else { /* parse ~<generation> suffix */
|
|
for (generation = 0, power = 1;
|
|
len && isdigit(name[len - 1]);
|
|
power *= 10)
|
|
generation += power * (name[--len] - '0');
|
|
if (power > 1 && len && name[len - 1] == '~')
|
|
name_prefix_len = len - 1;
|
|
else {
|
|
/* Maybe a non-first parent, e.g. HEAD^2 */
|
|
generation = 0;
|
|
name_prefix_len = len;
|
|
}
|
|
}
|
|
}
|
|
|
|
while (parents) {
|
|
if (name) {
|
|
struct object_id *oid = &parents->item->object.oid;
|
|
|
|
if (counter++)
|
|
fsck_put_object_name(options, oid, "%s^%d",
|
|
name, counter);
|
|
else if (generation > 0)
|
|
fsck_put_object_name(options, oid, "%.*s~%d",
|
|
name_prefix_len, name,
|
|
generation + 1);
|
|
else
|
|
fsck_put_object_name(options, oid, "%s^", name);
|
|
}
|
|
result = options->walk((struct object *)parents->item, OBJ_COMMIT, data, options);
|
|
if (result < 0)
|
|
return result;
|
|
if (!res)
|
|
res = result;
|
|
parents = parents->next;
|
|
}
|
|
return res;
|
|
}
|
|
|
|
static int fsck_walk_tag(struct tag *tag, void *data, struct fsck_options *options)
|
|
{
|
|
const char *name = fsck_get_object_name(options, &tag->object.oid);
|
|
|
|
if (parse_tag(tag))
|
|
return -1;
|
|
if (name)
|
|
fsck_put_object_name(options, &tag->tagged->oid, "%s", name);
|
|
return options->walk(tag->tagged, OBJ_ANY, data, options);
|
|
}
|
|
|
|
int fsck_walk(struct object *obj, void *data, struct fsck_options *options)
|
|
{
|
|
if (!obj)
|
|
return -1;
|
|
|
|
if (obj->type == OBJ_NONE)
|
|
parse_object(the_repository, &obj->oid);
|
|
|
|
switch (obj->type) {
|
|
case OBJ_BLOB:
|
|
return 0;
|
|
case OBJ_TREE:
|
|
return fsck_walk_tree((struct tree *)obj, data, options);
|
|
case OBJ_COMMIT:
|
|
return fsck_walk_commit((struct commit *)obj, data, options);
|
|
case OBJ_TAG:
|
|
return fsck_walk_tag((struct tag *)obj, data, options);
|
|
default:
|
|
error("Unknown object type for %s",
|
|
fsck_describe_object(options, &obj->oid));
|
|
return -1;
|
|
}
|
|
}
|
|
|
|
struct name_stack {
|
|
const char **names;
|
|
size_t nr, alloc;
|
|
};
|
|
|
|
static void name_stack_push(struct name_stack *stack, const char *name)
|
|
{
|
|
ALLOC_GROW(stack->names, stack->nr + 1, stack->alloc);
|
|
stack->names[stack->nr++] = name;
|
|
}
|
|
|
|
static const char *name_stack_pop(struct name_stack *stack)
|
|
{
|
|
return stack->nr ? stack->names[--stack->nr] : NULL;
|
|
}
|
|
|
|
static void name_stack_clear(struct name_stack *stack)
|
|
{
|
|
FREE_AND_NULL(stack->names);
|
|
stack->nr = stack->alloc = 0;
|
|
}
|
|
|
|
/*
|
|
* The entries in a tree are ordered in the _path_ order,
|
|
* which means that a directory entry is ordered by adding
|
|
* a slash to the end of it.
|
|
*
|
|
* So a directory called "a" is ordered _after_ a file
|
|
* called "a.c", because "a/" sorts after "a.c".
|
|
*/
|
|
#define TREE_UNORDERED (-1)
|
|
#define TREE_HAS_DUPS (-2)
|
|
|
|
static int is_less_than_slash(unsigned char c)
|
|
{
|
|
return '\0' < c && c < '/';
|
|
}
|
|
|
|
static int verify_ordered(unsigned mode1, const char *name1,
|
|
unsigned mode2, const char *name2,
|
|
struct name_stack *candidates)
|
|
{
|
|
int len1 = strlen(name1);
|
|
int len2 = strlen(name2);
|
|
int len = len1 < len2 ? len1 : len2;
|
|
unsigned char c1, c2;
|
|
int cmp;
|
|
|
|
cmp = memcmp(name1, name2, len);
|
|
if (cmp < 0)
|
|
return 0;
|
|
if (cmp > 0)
|
|
return TREE_UNORDERED;
|
|
|
|
/*
|
|
* Ok, the first <len> characters are the same.
|
|
* Now we need to order the next one, but turn
|
|
* a '\0' into a '/' for a directory entry.
|
|
*/
|
|
c1 = name1[len];
|
|
c2 = name2[len];
|
|
if (!c1 && !c2)
|
|
/*
|
|
* git-write-tree used to write out a nonsense tree that has
|
|
* entries with the same name, one blob and one tree. Make
|
|
* sure we do not have duplicate entries.
|
|
*/
|
|
return TREE_HAS_DUPS;
|
|
if (!c1 && S_ISDIR(mode1))
|
|
c1 = '/';
|
|
if (!c2 && S_ISDIR(mode2))
|
|
c2 = '/';
|
|
|
|
/*
|
|
* There can be non-consecutive duplicates due to the implicitly
|
|
* added slash, e.g.:
|
|
*
|
|
* foo
|
|
* foo.bar
|
|
* foo.bar.baz
|
|
* foo.bar/
|
|
* foo/
|
|
*
|
|
* Record non-directory candidates (like "foo" and "foo.bar" in
|
|
* the example) on a stack and check directory candidates (like
|
|
* foo/" and "foo.bar/") against that stack.
|
|
*/
|
|
if (!c1 && is_less_than_slash(c2)) {
|
|
name_stack_push(candidates, name1);
|
|
} else if (c2 == '/' && is_less_than_slash(c1)) {
|
|
for (;;) {
|
|
const char *p;
|
|
const char *f_name = name_stack_pop(candidates);
|
|
|
|
if (!f_name)
|
|
break;
|
|
if (!skip_prefix(name2, f_name, &p))
|
|
continue;
|
|
if (!*p)
|
|
return TREE_HAS_DUPS;
|
|
if (is_less_than_slash(*p)) {
|
|
name_stack_push(candidates, f_name);
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
|
|
return c1 < c2 ? 0 : TREE_UNORDERED;
|
|
}
|
|
|
|
static int fsck_tree(const struct object_id *tree_oid,
|
|
const char *buffer, unsigned long size,
|
|
struct fsck_options *options)
|
|
{
|
|
int retval = 0;
|
|
int has_null_sha1 = 0;
|
|
int has_full_path = 0;
|
|
int has_empty_name = 0;
|
|
int has_dot = 0;
|
|
int has_dotdot = 0;
|
|
int has_dotgit = 0;
|
|
int has_zero_pad = 0;
|
|
int has_bad_modes = 0;
|
|
int has_dup_entries = 0;
|
|
int not_properly_sorted = 0;
|
|
int has_large_name = 0;
|
|
struct tree_desc desc;
|
|
unsigned o_mode;
|
|
const char *o_name;
|
|
struct name_stack df_dup_candidates = { NULL };
|
|
|
|
if (init_tree_desc_gently(&desc, buffer, size, TREE_DESC_RAW_MODES)) {
|
|
retval += report(options, tree_oid, OBJ_TREE,
|
|
FSCK_MSG_BAD_TREE,
|
|
"cannot be parsed as a tree");
|
|
return retval;
|
|
}
|
|
|
|
o_mode = 0;
|
|
o_name = NULL;
|
|
|
|
while (desc.size) {
|
|
unsigned short mode;
|
|
const char *name, *backslash;
|
|
const struct object_id *entry_oid;
|
|
|
|
entry_oid = tree_entry_extract(&desc, &name, &mode);
|
|
|
|
has_null_sha1 |= is_null_oid(entry_oid);
|
|
has_full_path |= !!strchr(name, '/');
|
|
has_empty_name |= !*name;
|
|
has_dot |= !strcmp(name, ".");
|
|
has_dotdot |= !strcmp(name, "..");
|
|
has_dotgit |= is_hfs_dotgit(name) || is_ntfs_dotgit(name);
|
|
has_zero_pad |= *(char *)desc.buffer == '0';
|
|
has_large_name |= tree_entry_len(&desc.entry) > max_tree_entry_len;
|
|
|
|
if (is_hfs_dotgitmodules(name) || is_ntfs_dotgitmodules(name)) {
|
|
if (!S_ISLNK(mode))
|
|
oidset_insert(&options->gitmodules_found,
|
|
entry_oid);
|
|
else
|
|
retval += report(options,
|
|
tree_oid, OBJ_TREE,
|
|
FSCK_MSG_GITMODULES_SYMLINK,
|
|
".gitmodules is a symbolic link");
|
|
}
|
|
|
|
if (is_hfs_dotgitattributes(name) || is_ntfs_dotgitattributes(name)) {
|
|
if (!S_ISLNK(mode))
|
|
oidset_insert(&options->gitattributes_found,
|
|
entry_oid);
|
|
else
|
|
retval += report(options, tree_oid, OBJ_TREE,
|
|
FSCK_MSG_GITATTRIBUTES_SYMLINK,
|
|
".gitattributes is a symlink");
|
|
}
|
|
|
|
if (S_ISLNK(mode)) {
|
|
if (is_hfs_dotgitignore(name) ||
|
|
is_ntfs_dotgitignore(name))
|
|
retval += report(options, tree_oid, OBJ_TREE,
|
|
FSCK_MSG_GITIGNORE_SYMLINK,
|
|
".gitignore is a symlink");
|
|
if (is_hfs_dotmailmap(name) ||
|
|
is_ntfs_dotmailmap(name))
|
|
retval += report(options, tree_oid, OBJ_TREE,
|
|
FSCK_MSG_MAILMAP_SYMLINK,
|
|
".mailmap is a symlink");
|
|
}
|
|
|
|
if ((backslash = strchr(name, '\\'))) {
|
|
while (backslash) {
|
|
backslash++;
|
|
has_dotgit |= is_ntfs_dotgit(backslash);
|
|
if (is_ntfs_dotgitmodules(backslash)) {
|
|
if (!S_ISLNK(mode))
|
|
oidset_insert(&options->gitmodules_found,
|
|
entry_oid);
|
|
else
|
|
retval += report(options, tree_oid, OBJ_TREE,
|
|
FSCK_MSG_GITMODULES_SYMLINK,
|
|
".gitmodules is a symbolic link");
|
|
}
|
|
backslash = strchr(backslash, '\\');
|
|
}
|
|
}
|
|
|
|
if (update_tree_entry_gently(&desc)) {
|
|
retval += report(options, tree_oid, OBJ_TREE,
|
|
FSCK_MSG_BAD_TREE,
|
|
"cannot be parsed as a tree");
|
|
break;
|
|
}
|
|
|
|
switch (mode) {
|
|
/*
|
|
* Standard modes..
|
|
*/
|
|
case S_IFREG | 0755:
|
|
case S_IFREG | 0644:
|
|
case S_IFLNK:
|
|
case S_IFDIR:
|
|
case S_IFGITLINK:
|
|
break;
|
|
/*
|
|
* This is nonstandard, but we had a few of these
|
|
* early on when we honored the full set of mode
|
|
* bits..
|
|
*/
|
|
case S_IFREG | 0664:
|
|
if (!options->strict)
|
|
break;
|
|
/* fallthrough */
|
|
default:
|
|
has_bad_modes = 1;
|
|
}
|
|
|
|
if (o_name) {
|
|
switch (verify_ordered(o_mode, o_name, mode, name,
|
|
&df_dup_candidates)) {
|
|
case TREE_UNORDERED:
|
|
not_properly_sorted = 1;
|
|
break;
|
|
case TREE_HAS_DUPS:
|
|
has_dup_entries = 1;
|
|
break;
|
|
default:
|
|
break;
|
|
}
|
|
}
|
|
|
|
o_mode = mode;
|
|
o_name = name;
|
|
}
|
|
|
|
name_stack_clear(&df_dup_candidates);
|
|
|
|
if (has_null_sha1)
|
|
retval += report(options, tree_oid, OBJ_TREE,
|
|
FSCK_MSG_NULL_SHA1,
|
|
"contains entries pointing to null sha1");
|
|
if (has_full_path)
|
|
retval += report(options, tree_oid, OBJ_TREE,
|
|
FSCK_MSG_FULL_PATHNAME,
|
|
"contains full pathnames");
|
|
if (has_empty_name)
|
|
retval += report(options, tree_oid, OBJ_TREE,
|
|
FSCK_MSG_EMPTY_NAME,
|
|
"contains empty pathname");
|
|
if (has_dot)
|
|
retval += report(options, tree_oid, OBJ_TREE,
|
|
FSCK_MSG_HAS_DOT,
|
|
"contains '.'");
|
|
if (has_dotdot)
|
|
retval += report(options, tree_oid, OBJ_TREE,
|
|
FSCK_MSG_HAS_DOTDOT,
|
|
"contains '..'");
|
|
if (has_dotgit)
|
|
retval += report(options, tree_oid, OBJ_TREE,
|
|
FSCK_MSG_HAS_DOTGIT,
|
|
"contains '.git'");
|
|
if (has_zero_pad)
|
|
retval += report(options, tree_oid, OBJ_TREE,
|
|
FSCK_MSG_ZERO_PADDED_FILEMODE,
|
|
"contains zero-padded file modes");
|
|
if (has_bad_modes)
|
|
retval += report(options, tree_oid, OBJ_TREE,
|
|
FSCK_MSG_BAD_FILEMODE,
|
|
"contains bad file modes");
|
|
if (has_dup_entries)
|
|
retval += report(options, tree_oid, OBJ_TREE,
|
|
FSCK_MSG_DUPLICATE_ENTRIES,
|
|
"contains duplicate file entries");
|
|
if (not_properly_sorted)
|
|
retval += report(options, tree_oid, OBJ_TREE,
|
|
FSCK_MSG_TREE_NOT_SORTED,
|
|
"not properly sorted");
|
|
if (has_large_name)
|
|
retval += report(options, tree_oid, OBJ_TREE,
|
|
FSCK_MSG_LARGE_PATHNAME,
|
|
"contains excessively large pathname");
|
|
return retval;
|
|
}
|
|
|
|
/*
|
|
* Confirm that the headers of a commit or tag object end in a reasonable way,
|
|
* either with the usual "\n\n" separator, or at least with a trailing newline
|
|
* on the final header line.
|
|
*
|
|
* This property is important for the memory safety of our callers. It allows
|
|
* them to scan the buffer linewise without constantly checking the remaining
|
|
* size as long as:
|
|
*
|
|
* - they check that there are bytes left in the buffer at the start of any
|
|
* line (i.e., that the last newline they saw was not the final one we
|
|
* found here)
|
|
*
|
|
* - any intra-line scanning they do will stop at a newline, which will worst
|
|
* case hit the newline we found here as the end-of-header. This makes it
|
|
* OK for them to use helpers like parse_oid_hex(), or even skip_prefix().
|
|
*/
|
|
static int verify_headers(const void *data, unsigned long size,
|
|
const struct object_id *oid, enum object_type type,
|
|
struct fsck_options *options)
|
|
{
|
|
const char *buffer = (const char *)data;
|
|
unsigned long i;
|
|
|
|
for (i = 0; i < size; i++) {
|
|
switch (buffer[i]) {
|
|
case '\0':
|
|
return report(options, oid, type,
|
|
FSCK_MSG_NUL_IN_HEADER,
|
|
"unterminated header: NUL at offset %ld", i);
|
|
case '\n':
|
|
if (i + 1 < size && buffer[i + 1] == '\n')
|
|
return 0;
|
|
}
|
|
}
|
|
|
|
/*
|
|
* We did not find double-LF that separates the header
|
|
* and the body. Not having a body is not a crime but
|
|
* we do want to see the terminating LF for the last header
|
|
* line.
|
|
*/
|
|
if (size && buffer[size - 1] == '\n')
|
|
return 0;
|
|
|
|
return report(options, oid, type,
|
|
FSCK_MSG_UNTERMINATED_HEADER, "unterminated header");
|
|
}
|
|
|
|
static int fsck_ident(const char **ident,
|
|
const struct object_id *oid, enum object_type type,
|
|
struct fsck_options *options)
|
|
{
|
|
const char *p = *ident;
|
|
char *end;
|
|
|
|
*ident = strchrnul(*ident, '\n');
|
|
if (**ident == '\n')
|
|
(*ident)++;
|
|
|
|
if (*p == '<')
|
|
return report(options, oid, type, FSCK_MSG_MISSING_NAME_BEFORE_EMAIL, "invalid author/committer line - missing space before email");
|
|
p += strcspn(p, "<>\n");
|
|
if (*p == '>')
|
|
return report(options, oid, type, FSCK_MSG_BAD_NAME, "invalid author/committer line - bad name");
|
|
if (*p != '<')
|
|
return report(options, oid, type, FSCK_MSG_MISSING_EMAIL, "invalid author/committer line - missing email");
|
|
if (p[-1] != ' ')
|
|
return report(options, oid, type, FSCK_MSG_MISSING_SPACE_BEFORE_EMAIL, "invalid author/committer line - missing space before email");
|
|
p++;
|
|
p += strcspn(p, "<>\n");
|
|
if (*p != '>')
|
|
return report(options, oid, type, FSCK_MSG_BAD_EMAIL, "invalid author/committer line - bad email");
|
|
p++;
|
|
if (*p != ' ')
|
|
return report(options, oid, type, FSCK_MSG_MISSING_SPACE_BEFORE_DATE, "invalid author/committer line - missing space before date");
|
|
p++;
|
|
/*
|
|
* Our timestamp parser is based on the C strto*() functions, which
|
|
* will happily eat whitespace, including the newline that is supposed
|
|
* to prevent us walking past the end of the buffer. So do our own
|
|
* scan, skipping linear whitespace but not newlines, and then
|
|
* confirming we found a digit. We _could_ be even more strict here,
|
|
* as we really expect only a single space, but since we have
|
|
* traditionally allowed extra whitespace, we'll continue to do so.
|
|
*/
|
|
while (*p == ' ' || *p == '\t')
|
|
p++;
|
|
if (!isdigit(*p))
|
|
return report(options, oid, type, FSCK_MSG_BAD_DATE,
|
|
"invalid author/committer line - bad date");
|
|
if (*p == '0' && p[1] != ' ')
|
|
return report(options, oid, type, FSCK_MSG_ZERO_PADDED_DATE, "invalid author/committer line - zero-padded date");
|
|
if (date_overflows(parse_timestamp(p, &end, 10)))
|
|
return report(options, oid, type, FSCK_MSG_BAD_DATE_OVERFLOW, "invalid author/committer line - date causes integer overflow");
|
|
if ((end == p || *end != ' '))
|
|
return report(options, oid, type, FSCK_MSG_BAD_DATE, "invalid author/committer line - bad date");
|
|
p = end + 1;
|
|
if ((*p != '+' && *p != '-') ||
|
|
!isdigit(p[1]) ||
|
|
!isdigit(p[2]) ||
|
|
!isdigit(p[3]) ||
|
|
!isdigit(p[4]) ||
|
|
(p[5] != '\n'))
|
|
return report(options, oid, type, FSCK_MSG_BAD_TIMEZONE, "invalid author/committer line - bad time zone");
|
|
p += 6;
|
|
return 0;
|
|
}
|
|
|
|
static int fsck_commit(const struct object_id *oid,
|
|
const char *buffer, unsigned long size,
|
|
struct fsck_options *options)
|
|
{
|
|
struct object_id tree_oid, parent_oid;
|
|
unsigned author_count;
|
|
int err;
|
|
const char *buffer_begin = buffer;
|
|
const char *buffer_end = buffer + size;
|
|
const char *p;
|
|
|
|
/*
|
|
* We _must_ stop parsing immediately if this reports failure, as the
|
|
* memory safety of the rest of the function depends on it. See the
|
|
* comment above the definition of verify_headers() for more details.
|
|
*/
|
|
if (verify_headers(buffer, size, oid, OBJ_COMMIT, options))
|
|
return -1;
|
|
|
|
if (buffer >= buffer_end || !skip_prefix(buffer, "tree ", &buffer))
|
|
return report(options, oid, OBJ_COMMIT, FSCK_MSG_MISSING_TREE, "invalid format - expected 'tree' line");
|
|
if (parse_oid_hex(buffer, &tree_oid, &p) || *p != '\n') {
|
|
err = report(options, oid, OBJ_COMMIT, FSCK_MSG_BAD_TREE_SHA1, "invalid 'tree' line format - bad sha1");
|
|
if (err)
|
|
return err;
|
|
}
|
|
buffer = p + 1;
|
|
while (buffer < buffer_end && skip_prefix(buffer, "parent ", &buffer)) {
|
|
if (parse_oid_hex(buffer, &parent_oid, &p) || *p != '\n') {
|
|
err = report(options, oid, OBJ_COMMIT, FSCK_MSG_BAD_PARENT_SHA1, "invalid 'parent' line format - bad sha1");
|
|
if (err)
|
|
return err;
|
|
}
|
|
buffer = p + 1;
|
|
}
|
|
author_count = 0;
|
|
while (buffer < buffer_end && skip_prefix(buffer, "author ", &buffer)) {
|
|
author_count++;
|
|
err = fsck_ident(&buffer, oid, OBJ_COMMIT, options);
|
|
if (err)
|
|
return err;
|
|
}
|
|
if (author_count < 1)
|
|
err = report(options, oid, OBJ_COMMIT, FSCK_MSG_MISSING_AUTHOR, "invalid format - expected 'author' line");
|
|
else if (author_count > 1)
|
|
err = report(options, oid, OBJ_COMMIT, FSCK_MSG_MULTIPLE_AUTHORS, "invalid format - multiple 'author' lines");
|
|
if (err)
|
|
return err;
|
|
if (buffer >= buffer_end || !skip_prefix(buffer, "committer ", &buffer))
|
|
return report(options, oid, OBJ_COMMIT, FSCK_MSG_MISSING_COMMITTER, "invalid format - expected 'committer' line");
|
|
err = fsck_ident(&buffer, oid, OBJ_COMMIT, options);
|
|
if (err)
|
|
return err;
|
|
if (memchr(buffer_begin, '\0', size)) {
|
|
err = report(options, oid, OBJ_COMMIT, FSCK_MSG_NUL_IN_COMMIT,
|
|
"NUL byte in the commit object body");
|
|
if (err)
|
|
return err;
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
static int fsck_tag(const struct object_id *oid, const char *buffer,
|
|
unsigned long size, struct fsck_options *options)
|
|
{
|
|
struct object_id tagged_oid;
|
|
int tagged_type;
|
|
return fsck_tag_standalone(oid, buffer, size, options, &tagged_oid,
|
|
&tagged_type);
|
|
}
|
|
|
|
int fsck_tag_standalone(const struct object_id *oid, const char *buffer,
|
|
unsigned long size, struct fsck_options *options,
|
|
struct object_id *tagged_oid,
|
|
int *tagged_type)
|
|
{
|
|
int ret = 0;
|
|
char *eol;
|
|
struct strbuf sb = STRBUF_INIT;
|
|
const char *buffer_end = buffer + size;
|
|
const char *p;
|
|
|
|
/*
|
|
* We _must_ stop parsing immediately if this reports failure, as the
|
|
* memory safety of the rest of the function depends on it. See the
|
|
* comment above the definition of verify_headers() for more details.
|
|
*/
|
|
ret = verify_headers(buffer, size, oid, OBJ_TAG, options);
|
|
if (ret)
|
|
goto done;
|
|
|
|
if (buffer >= buffer_end || !skip_prefix(buffer, "object ", &buffer)) {
|
|
ret = report(options, oid, OBJ_TAG, FSCK_MSG_MISSING_OBJECT, "invalid format - expected 'object' line");
|
|
goto done;
|
|
}
|
|
if (parse_oid_hex(buffer, tagged_oid, &p) || *p != '\n') {
|
|
ret = report(options, oid, OBJ_TAG, FSCK_MSG_BAD_OBJECT_SHA1, "invalid 'object' line format - bad sha1");
|
|
if (ret)
|
|
goto done;
|
|
}
|
|
buffer = p + 1;
|
|
|
|
if (buffer >= buffer_end || !skip_prefix(buffer, "type ", &buffer)) {
|
|
ret = report(options, oid, OBJ_TAG, FSCK_MSG_MISSING_TYPE_ENTRY, "invalid format - expected 'type' line");
|
|
goto done;
|
|
}
|
|
eol = memchr(buffer, '\n', buffer_end - buffer);
|
|
if (!eol) {
|
|
ret = report(options, oid, OBJ_TAG, FSCK_MSG_MISSING_TYPE, "invalid format - unexpected end after 'type' line");
|
|
goto done;
|
|
}
|
|
*tagged_type = type_from_string_gently(buffer, eol - buffer, 1);
|
|
if (*tagged_type < 0)
|
|
ret = report(options, oid, OBJ_TAG, FSCK_MSG_BAD_TYPE, "invalid 'type' value");
|
|
if (ret)
|
|
goto done;
|
|
buffer = eol + 1;
|
|
|
|
if (buffer >= buffer_end || !skip_prefix(buffer, "tag ", &buffer)) {
|
|
ret = report(options, oid, OBJ_TAG, FSCK_MSG_MISSING_TAG_ENTRY, "invalid format - expected 'tag' line");
|
|
goto done;
|
|
}
|
|
eol = memchr(buffer, '\n', buffer_end - buffer);
|
|
if (!eol) {
|
|
ret = report(options, oid, OBJ_TAG, FSCK_MSG_MISSING_TAG, "invalid format - unexpected end after 'type' line");
|
|
goto done;
|
|
}
|
|
strbuf_addf(&sb, "refs/tags/%.*s", (int)(eol - buffer), buffer);
|
|
if (check_refname_format(sb.buf, 0)) {
|
|
ret = report(options, oid, OBJ_TAG,
|
|
FSCK_MSG_BAD_TAG_NAME,
|
|
"invalid 'tag' name: %.*s",
|
|
(int)(eol - buffer), buffer);
|
|
if (ret)
|
|
goto done;
|
|
}
|
|
buffer = eol + 1;
|
|
|
|
if (buffer >= buffer_end || !skip_prefix(buffer, "tagger ", &buffer)) {
|
|
/* early tags do not contain 'tagger' lines; warn only */
|
|
ret = report(options, oid, OBJ_TAG, FSCK_MSG_MISSING_TAGGER_ENTRY, "invalid format - expected 'tagger' line");
|
|
if (ret)
|
|
goto done;
|
|
}
|
|
else
|
|
ret = fsck_ident(&buffer, oid, OBJ_TAG, options);
|
|
|
|
if (buffer < buffer_end && !starts_with(buffer, "\n")) {
|
|
/*
|
|
* The verify_headers() check will allow
|
|
* e.g. "[...]tagger <tagger>\nsome
|
|
* garbage\n\nmessage" to pass, thinking "some
|
|
* garbage" could be a custom header. E.g. "mktag"
|
|
* doesn't want any unknown headers.
|
|
*/
|
|
ret = report(options, oid, OBJ_TAG, FSCK_MSG_EXTRA_HEADER_ENTRY, "invalid format - extra header(s) after 'tagger'");
|
|
if (ret)
|
|
goto done;
|
|
}
|
|
|
|
done:
|
|
strbuf_release(&sb);
|
|
return ret;
|
|
}
|
|
|
|
static int starts_with_dot_slash(const char *const path)
|
|
{
|
|
return path_match_flags(path, PATH_MATCH_STARTS_WITH_DOT_SLASH |
|
|
PATH_MATCH_XPLATFORM);
|
|
}
|
|
|
|
static int starts_with_dot_dot_slash(const char *const path)
|
|
{
|
|
return path_match_flags(path, PATH_MATCH_STARTS_WITH_DOT_DOT_SLASH |
|
|
PATH_MATCH_XPLATFORM);
|
|
}
|
|
|
|
static int submodule_url_is_relative(const char *url)
|
|
{
|
|
return starts_with_dot_slash(url) || starts_with_dot_dot_slash(url);
|
|
}
|
|
|
|
/*
|
|
* Count directory components that a relative submodule URL should chop
|
|
* from the remote_url it is to be resolved against.
|
|
*
|
|
* In other words, this counts "../" components at the start of a
|
|
* submodule URL.
|
|
*
|
|
* Returns the number of directory components to chop and writes a
|
|
* pointer to the next character of url after all leading "./" and
|
|
* "../" components to out.
|
|
*/
|
|
static int count_leading_dotdots(const char *url, const char **out)
|
|
{
|
|
int result = 0;
|
|
while (1) {
|
|
if (starts_with_dot_dot_slash(url)) {
|
|
result++;
|
|
url += strlen("../");
|
|
continue;
|
|
}
|
|
if (starts_with_dot_slash(url)) {
|
|
url += strlen("./");
|
|
continue;
|
|
}
|
|
*out = url;
|
|
return result;
|
|
}
|
|
}
|
|
/*
|
|
* Check whether a transport is implemented by git-remote-curl.
|
|
*
|
|
* If it is, returns 1 and writes the URL that would be passed to
|
|
* git-remote-curl to the "out" parameter.
|
|
*
|
|
* Otherwise, returns 0 and leaves "out" untouched.
|
|
*
|
|
* Examples:
|
|
* http::https://example.com/repo.git -> 1, https://example.com/repo.git
|
|
* https://example.com/repo.git -> 1, https://example.com/repo.git
|
|
* git://example.com/repo.git -> 0
|
|
*
|
|
* This is for use in checking for previously exploitable bugs that
|
|
* required a submodule URL to be passed to git-remote-curl.
|
|
*/
|
|
static int url_to_curl_url(const char *url, const char **out)
|
|
{
|
|
/*
|
|
* We don't need to check for case-aliases, "http.exe", and so
|
|
* on because in the default configuration, is_transport_allowed
|
|
* prevents URLs with those schemes from being cloned
|
|
* automatically.
|
|
*/
|
|
if (skip_prefix(url, "http::", out) ||
|
|
skip_prefix(url, "https::", out) ||
|
|
skip_prefix(url, "ftp::", out) ||
|
|
skip_prefix(url, "ftps::", out))
|
|
return 1;
|
|
if (starts_with(url, "http://") ||
|
|
starts_with(url, "https://") ||
|
|
starts_with(url, "ftp://") ||
|
|
starts_with(url, "ftps://")) {
|
|
*out = url;
|
|
return 1;
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
static int check_submodule_url(const char *url)
|
|
{
|
|
const char *curl_url;
|
|
|
|
if (looks_like_command_line_option(url))
|
|
return -1;
|
|
|
|
if (submodule_url_is_relative(url) || starts_with(url, "git://")) {
|
|
char *decoded;
|
|
const char *next;
|
|
int has_nl;
|
|
|
|
/*
|
|
* This could be appended to an http URL and url-decoded;
|
|
* check for malicious characters.
|
|
*/
|
|
decoded = url_decode(url);
|
|
has_nl = !!strchr(decoded, '\n');
|
|
|
|
free(decoded);
|
|
if (has_nl)
|
|
return -1;
|
|
|
|
/*
|
|
* URLs which escape their root via "../" can overwrite
|
|
* the host field and previous components, resolving to
|
|
* URLs like https::example.com/submodule.git and
|
|
* https:///example.com/submodule.git that were
|
|
* susceptible to CVE-2020-11008.
|
|
*/
|
|
if (count_leading_dotdots(url, &next) > 0 &&
|
|
(*next == ':' || *next == '/'))
|
|
return -1;
|
|
}
|
|
|
|
else if (url_to_curl_url(url, &curl_url)) {
|
|
struct credential c = CREDENTIAL_INIT;
|
|
int ret = 0;
|
|
if (credential_from_url_gently(&c, curl_url, 1) ||
|
|
!*c.host)
|
|
ret = -1;
|
|
credential_clear(&c);
|
|
return ret;
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
struct fsck_gitmodules_data {
|
|
const struct object_id *oid;
|
|
struct fsck_options *options;
|
|
int ret;
|
|
};
|
|
|
|
static int fsck_gitmodules_fn(const char *var, const char *value,
|
|
const struct config_context *ctx UNUSED,
|
|
void *vdata)
|
|
{
|
|
struct fsck_gitmodules_data *data = vdata;
|
|
const char *subsection, *key;
|
|
size_t subsection_len;
|
|
char *name;
|
|
|
|
if (parse_config_key(var, "submodule", &subsection, &subsection_len, &key) < 0 ||
|
|
!subsection)
|
|
return 0;
|
|
|
|
name = xmemdupz(subsection, subsection_len);
|
|
if (check_submodule_name(name) < 0)
|
|
data->ret |= report(data->options,
|
|
data->oid, OBJ_BLOB,
|
|
FSCK_MSG_GITMODULES_NAME,
|
|
"disallowed submodule name: %s",
|
|
name);
|
|
if (!strcmp(key, "url") && value &&
|
|
check_submodule_url(value) < 0)
|
|
data->ret |= report(data->options,
|
|
data->oid, OBJ_BLOB,
|
|
FSCK_MSG_GITMODULES_URL,
|
|
"disallowed submodule url: %s",
|
|
value);
|
|
if (!strcmp(key, "path") && value &&
|
|
looks_like_command_line_option(value))
|
|
data->ret |= report(data->options,
|
|
data->oid, OBJ_BLOB,
|
|
FSCK_MSG_GITMODULES_PATH,
|
|
"disallowed submodule path: %s",
|
|
value);
|
|
if (!strcmp(key, "update") && value &&
|
|
parse_submodule_update_type(value) == SM_UPDATE_COMMAND)
|
|
data->ret |= report(data->options, data->oid, OBJ_BLOB,
|
|
FSCK_MSG_GITMODULES_UPDATE,
|
|
"disallowed submodule update setting: %s",
|
|
value);
|
|
free(name);
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int fsck_blob(const struct object_id *oid, const char *buf,
|
|
unsigned long size, struct fsck_options *options)
|
|
{
|
|
int ret = 0;
|
|
|
|
if (object_on_skiplist(options, oid))
|
|
return 0;
|
|
|
|
if (oidset_contains(&options->gitmodules_found, oid)) {
|
|
struct config_options config_opts = { 0 };
|
|
struct fsck_gitmodules_data data;
|
|
|
|
oidset_insert(&options->gitmodules_done, oid);
|
|
|
|
if (!buf) {
|
|
/*
|
|
* A missing buffer here is a sign that the caller found the
|
|
* blob too gigantic to load into memory. Let's just consider
|
|
* that an error.
|
|
*/
|
|
return report(options, oid, OBJ_BLOB,
|
|
FSCK_MSG_GITMODULES_LARGE,
|
|
".gitmodules too large to parse");
|
|
}
|
|
|
|
data.oid = oid;
|
|
data.options = options;
|
|
data.ret = 0;
|
|
config_opts.error_action = CONFIG_ERROR_SILENT;
|
|
if (git_config_from_mem(fsck_gitmodules_fn, CONFIG_ORIGIN_BLOB,
|
|
".gitmodules", buf, size, &data,
|
|
CONFIG_SCOPE_UNKNOWN, &config_opts))
|
|
data.ret |= report(options, oid, OBJ_BLOB,
|
|
FSCK_MSG_GITMODULES_PARSE,
|
|
"could not parse gitmodules blob");
|
|
ret |= data.ret;
|
|
}
|
|
|
|
if (oidset_contains(&options->gitattributes_found, oid)) {
|
|
const char *ptr;
|
|
|
|
oidset_insert(&options->gitattributes_done, oid);
|
|
|
|
if (!buf || size > ATTR_MAX_FILE_SIZE) {
|
|
/*
|
|
* A missing buffer here is a sign that the caller found the
|
|
* blob too gigantic to load into memory. Let's just consider
|
|
* that an error.
|
|
*/
|
|
return report(options, oid, OBJ_BLOB,
|
|
FSCK_MSG_GITATTRIBUTES_LARGE,
|
|
".gitattributes too large to parse");
|
|
}
|
|
|
|
for (ptr = buf; *ptr; ) {
|
|
const char *eol = strchrnul(ptr, '\n');
|
|
if (eol - ptr >= ATTR_MAX_LINE_LENGTH) {
|
|
ret |= report(options, oid, OBJ_BLOB,
|
|
FSCK_MSG_GITATTRIBUTES_LINE_LENGTH,
|
|
".gitattributes has too long lines to parse");
|
|
break;
|
|
}
|
|
|
|
ptr = *eol ? eol + 1 : eol;
|
|
}
|
|
}
|
|
|
|
return ret;
|
|
}
|
|
|
|
int fsck_object(struct object *obj, void *data, unsigned long size,
|
|
struct fsck_options *options)
|
|
{
|
|
if (!obj)
|
|
return report(options, NULL, OBJ_NONE, FSCK_MSG_BAD_OBJECT_SHA1, "no valid object to fsck");
|
|
|
|
return fsck_buffer(&obj->oid, obj->type, data, size, options);
|
|
}
|
|
|
|
int fsck_buffer(const struct object_id *oid, enum object_type type,
|
|
void *data, unsigned long size,
|
|
struct fsck_options *options)
|
|
{
|
|
if (type == OBJ_BLOB)
|
|
return fsck_blob(oid, data, size, options);
|
|
if (type == OBJ_TREE)
|
|
return fsck_tree(oid, data, size, options);
|
|
if (type == OBJ_COMMIT)
|
|
return fsck_commit(oid, data, size, options);
|
|
if (type == OBJ_TAG)
|
|
return fsck_tag(oid, data, size, options);
|
|
|
|
return report(options, oid, type,
|
|
FSCK_MSG_UNKNOWN_TYPE,
|
|
"unknown type '%d' (internal fsck error)",
|
|
type);
|
|
}
|
|
|
|
int fsck_error_function(struct fsck_options *o,
|
|
const struct object_id *oid,
|
|
enum object_type object_type UNUSED,
|
|
enum fsck_msg_type msg_type,
|
|
enum fsck_msg_id msg_id UNUSED,
|
|
const char *message)
|
|
{
|
|
if (msg_type == FSCK_WARN) {
|
|
warning("object %s: %s", fsck_describe_object(o, oid), message);
|
|
return 0;
|
|
}
|
|
error("object %s: %s", fsck_describe_object(o, oid), message);
|
|
return 1;
|
|
}
|
|
|
|
static int fsck_blobs(struct oidset *blobs_found, struct oidset *blobs_done,
|
|
enum fsck_msg_id msg_missing, enum fsck_msg_id msg_type,
|
|
struct fsck_options *options, const char *blob_type)
|
|
{
|
|
int ret = 0;
|
|
struct oidset_iter iter;
|
|
const struct object_id *oid;
|
|
|
|
oidset_iter_init(blobs_found, &iter);
|
|
while ((oid = oidset_iter_next(&iter))) {
|
|
enum object_type type;
|
|
unsigned long size;
|
|
char *buf;
|
|
|
|
if (oidset_contains(blobs_done, oid))
|
|
continue;
|
|
|
|
buf = repo_read_object_file(the_repository, oid, &type, &size);
|
|
if (!buf) {
|
|
if (is_promisor_object(oid))
|
|
continue;
|
|
ret |= report(options,
|
|
oid, OBJ_BLOB, msg_missing,
|
|
"unable to read %s blob", blob_type);
|
|
continue;
|
|
}
|
|
|
|
if (type == OBJ_BLOB)
|
|
ret |= fsck_blob(oid, buf, size, options);
|
|
else
|
|
ret |= report(options, oid, type, msg_type,
|
|
"non-blob found at %s", blob_type);
|
|
free(buf);
|
|
}
|
|
|
|
oidset_clear(blobs_found);
|
|
oidset_clear(blobs_done);
|
|
|
|
return ret;
|
|
}
|
|
|
|
int fsck_finish(struct fsck_options *options)
|
|
{
|
|
int ret = 0;
|
|
|
|
ret |= fsck_blobs(&options->gitmodules_found, &options->gitmodules_done,
|
|
FSCK_MSG_GITMODULES_MISSING, FSCK_MSG_GITMODULES_BLOB,
|
|
options, ".gitmodules");
|
|
ret |= fsck_blobs(&options->gitattributes_found, &options->gitattributes_done,
|
|
FSCK_MSG_GITATTRIBUTES_MISSING, FSCK_MSG_GITATTRIBUTES_BLOB,
|
|
options, ".gitattributes");
|
|
|
|
return ret;
|
|
}
|
|
|
|
int git_fsck_config(const char *var, const char *value,
|
|
const struct config_context *ctx, void *cb)
|
|
{
|
|
struct fsck_options *options = cb;
|
|
if (strcmp(var, "fsck.skiplist") == 0) {
|
|
const char *path;
|
|
struct strbuf sb = STRBUF_INIT;
|
|
|
|
if (git_config_pathname(&path, var, value))
|
|
return 1;
|
|
strbuf_addf(&sb, "skiplist=%s", path);
|
|
free((char *)path);
|
|
fsck_set_msg_types(options, sb.buf);
|
|
strbuf_release(&sb);
|
|
return 0;
|
|
}
|
|
|
|
if (skip_prefix(var, "fsck.", &var)) {
|
|
fsck_set_msg_type(options, var, value);
|
|
return 0;
|
|
}
|
|
|
|
return git_default_config(var, value, ctx, cb);
|
|
}
|
|
|
|
/*
|
|
* Custom error callbacks that are used in more than one place.
|
|
*/
|
|
|
|
int fsck_error_cb_print_missing_gitmodules(struct fsck_options *o,
|
|
const struct object_id *oid,
|
|
enum object_type object_type,
|
|
enum fsck_msg_type msg_type,
|
|
enum fsck_msg_id msg_id,
|
|
const char *message)
|
|
{
|
|
if (msg_id == FSCK_MSG_GITMODULES_MISSING) {
|
|
puts(oid_to_hex(oid));
|
|
return 0;
|
|
}
|
|
return fsck_error_function(o, oid, object_type, msg_type, msg_id, message);
|
|
}
|