12 #include "sha1-array.h"
16 #include "submodule-config.h"
18 #include "credential.h"
20 static struct oidset gitmodules_found = OIDSET_INIT;
21 static struct oidset gitmodules_done = OIDSET_INIT;
26 #define FOREACH_MSG_ID(FUNC) \
28 FUNC(NUL_IN_HEADER, FATAL) \
29 FUNC(UNTERMINATED_HEADER, FATAL) \
31 FUNC(BAD_DATE, ERROR) \
32 FUNC(BAD_DATE_OVERFLOW, ERROR) \
33 FUNC(BAD_EMAIL, ERROR) \
34 FUNC(BAD_NAME, ERROR) \
35 FUNC(BAD_OBJECT_SHA1, ERROR) \
36 FUNC(BAD_PARENT_SHA1, ERROR) \
37 FUNC(BAD_TAG_OBJECT, ERROR) \
38 FUNC(BAD_TIMEZONE, ERROR) \
39 FUNC(BAD_TREE, ERROR) \
40 FUNC(BAD_TREE_SHA1, ERROR) \
41 FUNC(BAD_TYPE, ERROR) \
42 FUNC(DUPLICATE_ENTRIES, ERROR) \
43 FUNC(MISSING_AUTHOR, ERROR) \
44 FUNC(MISSING_COMMITTER, ERROR) \
45 FUNC(MISSING_EMAIL, ERROR) \
46 FUNC(MISSING_GRAFT, ERROR) \
47 FUNC(MISSING_NAME_BEFORE_EMAIL, ERROR) \
48 FUNC(MISSING_OBJECT, ERROR) \
49 FUNC(MISSING_PARENT, ERROR) \
50 FUNC(MISSING_SPACE_BEFORE_DATE, ERROR) \
51 FUNC(MISSING_SPACE_BEFORE_EMAIL, ERROR) \
52 FUNC(MISSING_TAG, ERROR) \
53 FUNC(MISSING_TAG_ENTRY, ERROR) \
54 FUNC(MISSING_TAG_OBJECT, ERROR) \
55 FUNC(MISSING_TREE, ERROR) \
56 FUNC(MISSING_TREE_OBJECT, ERROR) \
57 FUNC(MISSING_TYPE, ERROR) \
58 FUNC(MISSING_TYPE_ENTRY, ERROR) \
59 FUNC(MULTIPLE_AUTHORS, ERROR) \
60 FUNC(TAG_OBJECT_NOT_TAG, ERROR) \
61 FUNC(TREE_NOT_SORTED, ERROR) \
62 FUNC(UNKNOWN_TYPE, ERROR) \
63 FUNC(ZERO_PADDED_DATE, ERROR) \
64 FUNC(GITMODULES_MISSING, ERROR) \
65 FUNC(GITMODULES_BLOB, ERROR) \
66 FUNC(GITMODULES_PARSE, ERROR) \
67 FUNC(GITMODULES_NAME, ERROR) \
68 FUNC(GITMODULES_SYMLINK, ERROR) \
69 FUNC(GITMODULES_URL, ERROR) \
70 FUNC(GITMODULES_PATH, ERROR) \
71 FUNC(GITMODULES_UPDATE, ERROR) \
73 FUNC(BAD_FILEMODE, WARN) \
74 FUNC(EMPTY_NAME, WARN) \
75 FUNC(FULL_PATHNAME, WARN) \
77 FUNC(HAS_DOTDOT, WARN) \
78 FUNC(HAS_DOTGIT, WARN) \
79 FUNC(NULL_SHA1, WARN) \
80 FUNC(ZERO_PADDED_FILEMODE, WARN) \
81 FUNC(NUL_IN_COMMIT, WARN) \
82 /* infos (reported as warnings, but ignored by default) */ \
83 FUNC(BAD_TAG_NAME, INFO) \
84 FUNC(MISSING_TAGGER_ENTRY, INFO)
86 #define MSG_ID(id, msg_type) FSCK_MSG_##id,
88 FOREACH_MSG_ID(MSG_ID)
94 #define MSG_ID(id, msg_type) { STR(id), NULL, FSCK_##msg_type },
96 const char *id_string;
97 const char *downcased;
99 } msg_id_info[FSCK_MSG_MAX + 1] = {
100 FOREACH_MSG_ID(MSG_ID)
105 static int parse_msg_id(const char *text)
109 if (!msg_id_info[0].downcased) {
110 /* convert id_string to lower case, without underscores. */
111 for (i = 0; i < FSCK_MSG_MAX; i++) {
112 const char *p = msg_id_info[i].id_string;
114 char *q = xmalloc(len);
116 msg_id_info[i].downcased = q;
121 *(q)++ = tolower(*(p)++);
126 for (i = 0; i < FSCK_MSG_MAX; i++)
127 if (!strcmp(text, msg_id_info[i].downcased))
133 static int fsck_msg_type(enum fsck_msg_id msg_id,
134 struct fsck_options *options)
138 assert(msg_id >= 0 && msg_id < FSCK_MSG_MAX);
140 if (options->msg_type)
141 msg_type = options->msg_type[msg_id];
143 msg_type = msg_id_info[msg_id].msg_type;
144 if (options->strict && msg_type == FSCK_WARN)
145 msg_type = FSCK_ERROR;
151 static void init_skiplist(struct fsck_options *options, const char *path)
153 static struct oid_array skiplist = OID_ARRAY_INIT;
155 char buffer[GIT_MAX_HEXSZ + 1];
156 struct object_id oid;
158 if (options->skiplist)
159 sorted = options->skiplist->sorted;
162 options->skiplist = &skiplist;
165 fd = open(path, O_RDONLY);
167 die("Could not open skip list: %s", path);
170 int result = read_in_full(fd, buffer, sizeof(buffer));
172 die_errno("Could not read '%s'", path);
175 if (parse_oid_hex(buffer, &oid, &p) || *p != '\n')
176 die("Invalid SHA-1: %s", buffer);
177 oid_array_append(&skiplist, &oid);
178 if (sorted && skiplist.nr > 1 &&
179 oidcmp(&skiplist.oid[skiplist.nr - 2],
189 static int parse_msg_type(const char *str)
191 if (!strcmp(str, "error"))
193 else if (!strcmp(str, "warn"))
195 else if (!strcmp(str, "ignore"))
198 die("Unknown fsck message type: '%s'", str);
201 int is_valid_msg_type(const char *msg_id, const char *msg_type)
203 if (parse_msg_id(msg_id) < 0)
205 parse_msg_type(msg_type);
209 void fsck_set_msg_type(struct fsck_options *options,
210 const char *msg_id, const char *msg_type)
212 int id = parse_msg_id(msg_id), type;
215 die("Unhandled message id: %s", msg_id);
216 type = parse_msg_type(msg_type);
218 if (type != FSCK_ERROR && msg_id_info[id].msg_type == FSCK_FATAL)
219 die("Cannot demote %s to %s", msg_id, msg_type);
221 if (!options->msg_type) {
224 ALLOC_ARRAY(msg_type, FSCK_MSG_MAX);
225 for (i = 0; i < FSCK_MSG_MAX; i++)
226 msg_type[i] = fsck_msg_type(i, options);
227 options->msg_type = msg_type;
230 options->msg_type[id] = type;
233 void fsck_set_msg_types(struct fsck_options *options, const char *values)
235 char *buf = xstrdup(values), *to_free = buf;
239 int len = strcspn(buf, " ,|"), equal;
249 equal < len && buf[equal] != '=' && buf[equal] != ':';
251 buf[equal] = tolower(buf[equal]);
254 if (!strcmp(buf, "skiplist")) {
256 die("skiplist requires a path");
257 init_skiplist(options, buf + equal + 1);
263 die("Missing '=': '%s'", buf);
265 fsck_set_msg_type(options, buf, buf + equal + 1);
271 static void append_msg_id(struct strbuf *sb, const char *msg_id)
274 char c = *(msg_id)++;
279 strbuf_addch(sb, tolower(c));
282 strbuf_addch(sb, *(msg_id)++);
286 strbuf_addstr(sb, ": ");
289 __attribute__((format (printf, 4, 5)))
290 static int report(struct fsck_options *options, struct object *object,
291 enum fsck_msg_id id, const char *fmt, ...)
294 struct strbuf sb = STRBUF_INIT;
295 int msg_type = fsck_msg_type(id, options), result;
297 if (msg_type == FSCK_IGNORE)
300 if (options->skiplist && object &&
301 oid_array_lookup(options->skiplist, &object->oid) >= 0)
304 if (msg_type == FSCK_FATAL)
305 msg_type = FSCK_ERROR;
306 else if (msg_type == FSCK_INFO)
307 msg_type = FSCK_WARN;
309 append_msg_id(&sb, msg_id_info[id].id_string);
312 strbuf_vaddf(&sb, fmt, ap);
313 result = options->error_func(options, object, msg_type, sb.buf);
320 static char *get_object_name(struct fsck_options *options, struct object *obj)
322 if (!options->object_names)
324 return lookup_decoration(options->object_names, obj);
327 static void put_object_name(struct fsck_options *options, struct object *obj,
328 const char *fmt, ...)
331 struct strbuf buf = STRBUF_INIT;
334 if (!options->object_names)
336 existing = lookup_decoration(options->object_names, obj);
340 strbuf_vaddf(&buf, fmt, ap);
341 add_decoration(options->object_names, obj, strbuf_detach(&buf, NULL));
345 static const char *describe_object(struct fsck_options *o, struct object *obj)
347 static struct strbuf buf = STRBUF_INIT;
351 strbuf_addstr(&buf, oid_to_hex(&obj->oid));
352 if (o->object_names && (name = lookup_decoration(o->object_names, obj)))
353 strbuf_addf(&buf, " (%s)", name);
358 static int fsck_walk_tree(struct tree *tree, void *data, struct fsck_options *options)
360 struct tree_desc desc;
361 struct name_entry entry;
365 if (parse_tree(tree))
368 name = get_object_name(options, &tree->object);
369 if (init_tree_desc_gently(&desc, tree->buffer, tree->size))
371 while (tree_entry_gently(&desc, &entry)) {
375 if (S_ISGITLINK(entry.mode))
378 if (S_ISDIR(entry.mode)) {
379 obj = (struct object *)lookup_tree(entry.oid);
381 put_object_name(options, obj, "%s%s/", name,
383 result = options->walk(obj, OBJ_TREE, data, options);
385 else if (S_ISREG(entry.mode) || S_ISLNK(entry.mode)) {
386 obj = (struct object *)lookup_blob(entry.oid);
388 put_object_name(options, obj, "%s%s", name,
390 result = options->walk(obj, OBJ_BLOB, data, options);
393 result = error("in tree %s: entry %s has bad mode %.6o",
394 describe_object(options, &tree->object), entry.path, entry.mode);
404 static int fsck_walk_commit(struct commit *commit, void *data, struct fsck_options *options)
406 int counter = 0, generation = 0, name_prefix_len = 0;
407 struct commit_list *parents;
412 if (parse_commit(commit))
415 name = get_object_name(options, &commit->object);
417 put_object_name(options, &get_commit_tree(commit)->object,
420 result = options->walk((struct object *)get_commit_tree(commit),
421 OBJ_TREE, data, options);
426 parents = commit->parents;
427 if (name && parents) {
428 int len = strlen(name), power;
430 if (len && name[len - 1] == '^') {
432 name_prefix_len = len - 1;
434 else { /* parse ~<generation> suffix */
435 for (generation = 0, power = 1;
436 len && isdigit(name[len - 1]);
438 generation += power * (name[--len] - '0');
439 if (power > 1 && len && name[len - 1] == '~')
440 name_prefix_len = len - 1;
446 struct object *obj = &parents->item->object;
449 put_object_name(options, obj, "%s^%d",
451 else if (generation > 0)
452 put_object_name(options, obj, "%.*s~%d",
453 name_prefix_len, name, generation + 1);
455 put_object_name(options, obj, "%s^", name);
457 result = options->walk((struct object *)parents->item, OBJ_COMMIT, data, options);
462 parents = parents->next;
467 static int fsck_walk_tag(struct tag *tag, void *data, struct fsck_options *options)
469 char *name = get_object_name(options, &tag->object);
474 put_object_name(options, tag->tagged, "%s", name);
475 return options->walk(tag->tagged, OBJ_ANY, data, options);
478 int fsck_walk(struct object *obj, void *data, struct fsck_options *options)
483 if (obj->type == OBJ_NONE)
484 parse_object(&obj->oid);
490 return fsck_walk_tree((struct tree *)obj, data, options);
492 return fsck_walk_commit((struct commit *)obj, data, options);
494 return fsck_walk_tag((struct tag *)obj, data, options);
496 error("Unknown object type for %s", describe_object(options, obj));
502 * The entries in a tree are ordered in the _path_ order,
503 * which means that a directory entry is ordered by adding
504 * a slash to the end of it.
506 * So a directory called "a" is ordered _after_ a file
507 * called "a.c", because "a/" sorts after "a.c".
509 #define TREE_UNORDERED (-1)
510 #define TREE_HAS_DUPS (-2)
512 static int verify_ordered(unsigned mode1, const char *name1, unsigned mode2, const char *name2)
514 int len1 = strlen(name1);
515 int len2 = strlen(name2);
516 int len = len1 < len2 ? len1 : len2;
517 unsigned char c1, c2;
520 cmp = memcmp(name1, name2, len);
524 return TREE_UNORDERED;
527 * Ok, the first <len> characters are the same.
528 * Now we need to order the next one, but turn
529 * a '\0' into a '/' for a directory entry.
535 * git-write-tree used to write out a nonsense tree that has
536 * entries with the same name, one blob and one tree. Make
537 * sure we do not have duplicate entries.
539 return TREE_HAS_DUPS;
540 if (!c1 && S_ISDIR(mode1))
542 if (!c2 && S_ISDIR(mode2))
544 return c1 < c2 ? 0 : TREE_UNORDERED;
547 static int fsck_tree(struct tree *item, struct fsck_options *options)
550 int has_null_sha1 = 0;
551 int has_full_path = 0;
552 int has_empty_name = 0;
556 int has_zero_pad = 0;
557 int has_bad_modes = 0;
558 int has_dup_entries = 0;
559 int not_properly_sorted = 0;
560 struct tree_desc desc;
564 if (init_tree_desc_gently(&desc, item->buffer, item->size)) {
565 retval += report(options, &item->object, FSCK_MSG_BAD_TREE, "cannot be parsed as a tree");
574 const char *name, *backslash;
575 const struct object_id *oid;
577 oid = tree_entry_extract(&desc, &name, &mode);
579 has_null_sha1 |= is_null_oid(oid);
580 has_full_path |= !!strchr(name, '/');
581 has_empty_name |= !*name;
582 has_dot |= !strcmp(name, ".");
583 has_dotdot |= !strcmp(name, "..");
584 has_dotgit |= is_hfs_dotgit(name) || is_ntfs_dotgit(name);
585 has_zero_pad |= *(char *)desc.buffer == '0';
587 if (is_hfs_dotgitmodules(name) || is_ntfs_dotgitmodules(name)) {
589 oidset_insert(&gitmodules_found, oid);
591 retval += report(options, &item->object,
592 FSCK_MSG_GITMODULES_SYMLINK,
593 ".gitmodules is a symbolic link");
596 if ((backslash = strchr(name, '\\'))) {
599 has_dotgit |= is_ntfs_dotgit(backslash);
600 if (is_ntfs_dotgitmodules(backslash)) {
602 oidset_insert(&gitmodules_found, oid);
604 retval += report(options, &item->object,
605 FSCK_MSG_GITMODULES_SYMLINK,
606 ".gitmodules is a symbolic link");
608 backslash = strchr(backslash, '\\');
612 if (update_tree_entry_gently(&desc)) {
613 retval += report(options, &item->object, FSCK_MSG_BAD_TREE, "cannot be parsed as a tree");
628 * This is nonstandard, but we had a few of these
629 * early on when we honored the full set of mode
633 if (!options->strict)
641 switch (verify_ordered(o_mode, o_name, mode, name)) {
643 not_properly_sorted = 1;
658 retval += report(options, &item->object, FSCK_MSG_NULL_SHA1, "contains entries pointing to null sha1");
660 retval += report(options, &item->object, FSCK_MSG_FULL_PATHNAME, "contains full pathnames");
662 retval += report(options, &item->object, FSCK_MSG_EMPTY_NAME, "contains empty pathname");
664 retval += report(options, &item->object, FSCK_MSG_HAS_DOT, "contains '.'");
666 retval += report(options, &item->object, FSCK_MSG_HAS_DOTDOT, "contains '..'");
668 retval += report(options, &item->object, FSCK_MSG_HAS_DOTGIT, "contains '.git'");
670 retval += report(options, &item->object, FSCK_MSG_ZERO_PADDED_FILEMODE, "contains zero-padded file modes");
672 retval += report(options, &item->object, FSCK_MSG_BAD_FILEMODE, "contains bad file modes");
674 retval += report(options, &item->object, FSCK_MSG_DUPLICATE_ENTRIES, "contains duplicate file entries");
675 if (not_properly_sorted)
676 retval += report(options, &item->object, FSCK_MSG_TREE_NOT_SORTED, "not properly sorted");
680 static int verify_headers(const void *data, unsigned long size,
681 struct object *obj, struct fsck_options *options)
683 const char *buffer = (const char *)data;
686 for (i = 0; i < size; i++) {
689 return report(options, obj,
690 FSCK_MSG_NUL_IN_HEADER,
691 "unterminated header: NUL at offset %ld", i);
693 if (i + 1 < size && buffer[i + 1] == '\n')
699 * We did not find double-LF that separates the header
700 * and the body. Not having a body is not a crime but
701 * we do want to see the terminating LF for the last header
704 if (size && buffer[size - 1] == '\n')
707 return report(options, obj,
708 FSCK_MSG_UNTERMINATED_HEADER, "unterminated header");
711 static int fsck_ident(const char **ident, struct object *obj, struct fsck_options *options)
713 const char *p = *ident;
716 *ident = strchrnul(*ident, '\n');
721 return report(options, obj, FSCK_MSG_MISSING_NAME_BEFORE_EMAIL, "invalid author/committer line - missing space before email");
722 p += strcspn(p, "<>\n");
724 return report(options, obj, FSCK_MSG_BAD_NAME, "invalid author/committer line - bad name");
726 return report(options, obj, FSCK_MSG_MISSING_EMAIL, "invalid author/committer line - missing email");
728 return report(options, obj, FSCK_MSG_MISSING_SPACE_BEFORE_EMAIL, "invalid author/committer line - missing space before email");
730 p += strcspn(p, "<>\n");
732 return report(options, obj, FSCK_MSG_BAD_EMAIL, "invalid author/committer line - bad email");
735 return report(options, obj, FSCK_MSG_MISSING_SPACE_BEFORE_DATE, "invalid author/committer line - missing space before date");
737 if (*p == '0' && p[1] != ' ')
738 return report(options, obj, FSCK_MSG_ZERO_PADDED_DATE, "invalid author/committer line - zero-padded date");
739 if (date_overflows(parse_timestamp(p, &end, 10)))
740 return report(options, obj, FSCK_MSG_BAD_DATE_OVERFLOW, "invalid author/committer line - date causes integer overflow");
741 if ((end == p || *end != ' '))
742 return report(options, obj, FSCK_MSG_BAD_DATE, "invalid author/committer line - bad date");
744 if ((*p != '+' && *p != '-') ||
750 return report(options, obj, FSCK_MSG_BAD_TIMEZONE, "invalid author/committer line - bad time zone");
755 static int fsck_commit_buffer(struct commit *commit, const char *buffer,
756 unsigned long size, struct fsck_options *options)
758 struct object_id tree_oid, oid;
759 struct commit_graft *graft;
760 unsigned parent_count, parent_line_count = 0, author_count;
762 const char *buffer_begin = buffer;
765 if (verify_headers(buffer, size, &commit->object, options))
768 if (!skip_prefix(buffer, "tree ", &buffer))
769 return report(options, &commit->object, FSCK_MSG_MISSING_TREE, "invalid format - expected 'tree' line");
770 if (parse_oid_hex(buffer, &tree_oid, &p) || *p != '\n') {
771 err = report(options, &commit->object, FSCK_MSG_BAD_TREE_SHA1, "invalid 'tree' line format - bad sha1");
776 while (skip_prefix(buffer, "parent ", &buffer)) {
777 if (parse_oid_hex(buffer, &oid, &p) || *p != '\n') {
778 err = report(options, &commit->object, FSCK_MSG_BAD_PARENT_SHA1, "invalid 'parent' line format - bad sha1");
785 graft = lookup_commit_graft(&commit->object.oid);
786 parent_count = commit_list_count(commit->parents);
788 if (graft->nr_parent == -1 && !parent_count)
789 ; /* shallow commit */
790 else if (graft->nr_parent != parent_count) {
791 err = report(options, &commit->object, FSCK_MSG_MISSING_GRAFT, "graft objects missing");
796 if (parent_count != parent_line_count) {
797 err = report(options, &commit->object, FSCK_MSG_MISSING_PARENT, "parent objects missing");
803 while (skip_prefix(buffer, "author ", &buffer)) {
805 err = fsck_ident(&buffer, &commit->object, options);
809 if (author_count < 1)
810 err = report(options, &commit->object, FSCK_MSG_MISSING_AUTHOR, "invalid format - expected 'author' line");
811 else if (author_count > 1)
812 err = report(options, &commit->object, FSCK_MSG_MULTIPLE_AUTHORS, "invalid format - multiple 'author' lines");
815 if (!skip_prefix(buffer, "committer ", &buffer))
816 return report(options, &commit->object, FSCK_MSG_MISSING_COMMITTER, "invalid format - expected 'committer' line");
817 err = fsck_ident(&buffer, &commit->object, options);
820 if (!get_commit_tree(commit)) {
821 err = report(options, &commit->object, FSCK_MSG_BAD_TREE, "could not load commit's tree %s", oid_to_hex(&tree_oid));
825 if (memchr(buffer_begin, '\0', size)) {
826 err = report(options, &commit->object, FSCK_MSG_NUL_IN_COMMIT,
827 "NUL byte in the commit object body");
834 static int fsck_commit(struct commit *commit, const char *data,
835 unsigned long size, struct fsck_options *options)
837 const char *buffer = data ? data : get_commit_buffer(commit, &size);
838 int ret = fsck_commit_buffer(commit, buffer, size, options);
840 unuse_commit_buffer(commit, buffer);
844 static int fsck_tag_buffer(struct tag *tag, const char *data,
845 unsigned long size, struct fsck_options *options)
847 struct object_id oid;
850 char *to_free = NULL, *eol;
851 struct strbuf sb = STRBUF_INIT;
857 enum object_type type;
860 read_object_file(&tag->object.oid, &type, &size);
862 return report(options, &tag->object,
863 FSCK_MSG_MISSING_TAG_OBJECT,
864 "cannot read tag object");
866 if (type != OBJ_TAG) {
867 ret = report(options, &tag->object,
868 FSCK_MSG_TAG_OBJECT_NOT_TAG,
869 "expected tag got %s",
875 ret = verify_headers(buffer, size, &tag->object, options);
879 if (!skip_prefix(buffer, "object ", &buffer)) {
880 ret = report(options, &tag->object, FSCK_MSG_MISSING_OBJECT, "invalid format - expected 'object' line");
883 if (parse_oid_hex(buffer, &oid, &p) || *p != '\n') {
884 ret = report(options, &tag->object, FSCK_MSG_BAD_OBJECT_SHA1, "invalid 'object' line format - bad sha1");
890 if (!skip_prefix(buffer, "type ", &buffer)) {
891 ret = report(options, &tag->object, FSCK_MSG_MISSING_TYPE_ENTRY, "invalid format - expected 'type' line");
894 eol = strchr(buffer, '\n');
896 ret = report(options, &tag->object, FSCK_MSG_MISSING_TYPE, "invalid format - unexpected end after 'type' line");
899 if (type_from_string_gently(buffer, eol - buffer, 1) < 0)
900 ret = report(options, &tag->object, FSCK_MSG_BAD_TYPE, "invalid 'type' value");
905 if (!skip_prefix(buffer, "tag ", &buffer)) {
906 ret = report(options, &tag->object, FSCK_MSG_MISSING_TAG_ENTRY, "invalid format - expected 'tag' line");
909 eol = strchr(buffer, '\n');
911 ret = report(options, &tag->object, FSCK_MSG_MISSING_TAG, "invalid format - unexpected end after 'type' line");
914 strbuf_addf(&sb, "refs/tags/%.*s", (int)(eol - buffer), buffer);
915 if (check_refname_format(sb.buf, 0)) {
916 ret = report(options, &tag->object, FSCK_MSG_BAD_TAG_NAME,
917 "invalid 'tag' name: %.*s",
918 (int)(eol - buffer), buffer);
924 if (!skip_prefix(buffer, "tagger ", &buffer)) {
925 /* early tags do not contain 'tagger' lines; warn only */
926 ret = report(options, &tag->object, FSCK_MSG_MISSING_TAGGER_ENTRY, "invalid format - expected 'tagger' line");
931 ret = fsck_ident(&buffer, &tag->object, options);
939 static int fsck_tag(struct tag *tag, const char *data,
940 unsigned long size, struct fsck_options *options)
942 struct object *tagged = tag->tagged;
945 return report(options, &tag->object, FSCK_MSG_BAD_TAG_OBJECT, "could not load tagged object");
947 return fsck_tag_buffer(tag, data, size, options);
951 * Like builtin/submodule--helper.c's starts_with_dot_slash, but without
952 * relying on the platform-dependent is_dir_sep helper.
954 * This is for use in checking whether a submodule URL is interpreted as
955 * relative to the current directory on any platform, since \ is a
956 * directory separator on Windows but not on other platforms.
958 static int starts_with_dot_slash(const char *str)
960 return str[0] == '.' && (str[1] == '/' || str[1] == '\\');
964 * Like starts_with_dot_slash, this is a variant of submodule--helper's
965 * helper of the same name with the twist that it accepts backslash as a
966 * directory separator even on non-Windows platforms.
968 static int starts_with_dot_dot_slash(const char *str)
970 return str[0] == '.' && starts_with_dot_slash(str + 1);
973 static int submodule_url_is_relative(const char *url)
975 return starts_with_dot_slash(url) || starts_with_dot_dot_slash(url);
979 * Count directory components that a relative submodule URL should chop
980 * from the remote_url it is to be resolved against.
982 * In other words, this counts "../" components at the start of a
985 * Returns the number of directory components to chop and writes a
986 * pointer to the next character of url after all leading "./" and
987 * "../" components to out.
989 static int count_leading_dotdots(const char *url, const char **out)
993 if (starts_with_dot_dot_slash(url)) {
995 url += strlen("../");
998 if (starts_with_dot_slash(url)) {
1007 * Check whether a transport is implemented by git-remote-curl.
1009 * If it is, returns 1 and writes the URL that would be passed to
1010 * git-remote-curl to the "out" parameter.
1012 * Otherwise, returns 0 and leaves "out" untouched.
1015 * http::https://example.com/repo.git -> 1, https://example.com/repo.git
1016 * https://example.com/repo.git -> 1, https://example.com/repo.git
1017 * git://example.com/repo.git -> 0
1019 * This is for use in checking for previously exploitable bugs that
1020 * required a submodule URL to be passed to git-remote-curl.
1022 static int url_to_curl_url(const char *url, const char **out)
1025 * We don't need to check for case-aliases, "http.exe", and so
1026 * on because in the default configuration, is_transport_allowed
1027 * prevents URLs with those schemes from being cloned
1030 if (skip_prefix(url, "http::", out) ||
1031 skip_prefix(url, "https::", out) ||
1032 skip_prefix(url, "ftp::", out) ||
1033 skip_prefix(url, "ftps::", out))
1035 if (starts_with(url, "http://") ||
1036 starts_with(url, "https://") ||
1037 starts_with(url, "ftp://") ||
1038 starts_with(url, "ftps://")) {
1045 static int check_submodule_url(const char *url)
1047 const char *curl_url;
1049 if (looks_like_command_line_option(url))
1052 if (submodule_url_is_relative(url)) {
1058 * This could be appended to an http URL and url-decoded;
1059 * check for malicious characters.
1061 decoded = url_decode(url);
1062 has_nl = !!strchr(decoded, '\n');
1069 * URLs which escape their root via "../" can overwrite
1070 * the host field and previous components, resolving to
1071 * URLs like https::example.com/submodule.git and
1072 * https:///example.com/submodule.git that were
1073 * susceptible to CVE-2020-11008.
1075 if (count_leading_dotdots(url, &next) > 0 &&
1076 (*next == ':' || *next == '/'))
1080 else if (url_to_curl_url(url, &curl_url)) {
1081 struct credential c = CREDENTIAL_INIT;
1083 if (credential_from_url_gently(&c, curl_url, 1) ||
1086 credential_clear(&c);
1093 struct fsck_gitmodules_data {
1095 struct fsck_options *options;
1099 static int fsck_gitmodules_fn(const char *var, const char *value, void *vdata)
1101 struct fsck_gitmodules_data *data = vdata;
1102 const char *subsection, *key;
1106 if (parse_config_key(var, "submodule", &subsection, &subsection_len, &key) < 0 ||
1110 name = xmemdupz(subsection, subsection_len);
1111 if (check_submodule_name(name) < 0)
1112 data->ret |= report(data->options, data->obj,
1113 FSCK_MSG_GITMODULES_NAME,
1114 "disallowed submodule name: %s",
1116 if (!strcmp(key, "url") && value &&
1117 check_submodule_url(value) < 0)
1118 data->ret |= report(data->options, data->obj,
1119 FSCK_MSG_GITMODULES_URL,
1120 "disallowed submodule url: %s",
1122 if (!strcmp(key, "path") && value &&
1123 looks_like_command_line_option(value))
1124 data->ret |= report(data->options, data->obj,
1125 FSCK_MSG_GITMODULES_PATH,
1126 "disallowed submodule path: %s",
1128 if (!strcmp(key, "update") && value &&
1129 parse_submodule_update_type(value) == SM_UPDATE_COMMAND)
1130 data->ret |= report(data->options, data->obj,
1131 FSCK_MSG_GITMODULES_UPDATE,
1132 "disallowed submodule update setting: %s",
1139 static int fsck_blob(struct blob *blob, const char *buf,
1140 unsigned long size, struct fsck_options *options)
1142 struct fsck_gitmodules_data data;
1144 if (!oidset_contains(&gitmodules_found, &blob->object.oid))
1146 oidset_insert(&gitmodules_done, &blob->object.oid);
1150 * A missing buffer here is a sign that the caller found the
1151 * blob too gigantic to load into memory. Let's just consider
1154 return report(options, &blob->object,
1155 FSCK_MSG_GITMODULES_PARSE,
1156 ".gitmodules too large to parse");
1159 data.obj = &blob->object;
1160 data.options = options;
1162 if (git_config_from_mem(fsck_gitmodules_fn, CONFIG_ORIGIN_BLOB,
1163 ".gitmodules", buf, size, &data))
1164 data.ret |= report(options, &blob->object,
1165 FSCK_MSG_GITMODULES_PARSE,
1166 "could not parse gitmodules blob");
1171 int fsck_object(struct object *obj, void *data, unsigned long size,
1172 struct fsck_options *options)
1175 return report(options, obj, FSCK_MSG_BAD_OBJECT_SHA1, "no valid object to fsck");
1177 if (obj->type == OBJ_BLOB)
1178 return fsck_blob((struct blob *)obj, data, size, options);
1179 if (obj->type == OBJ_TREE)
1180 return fsck_tree((struct tree *) obj, options);
1181 if (obj->type == OBJ_COMMIT)
1182 return fsck_commit((struct commit *) obj, (const char *) data,
1184 if (obj->type == OBJ_TAG)
1185 return fsck_tag((struct tag *) obj, (const char *) data,
1188 return report(options, obj, FSCK_MSG_UNKNOWN_TYPE, "unknown type '%d' (internal fsck error)",
1192 int fsck_error_function(struct fsck_options *o,
1193 struct object *obj, int msg_type, const char *message)
1195 if (msg_type == FSCK_WARN) {
1196 warning("object %s: %s", describe_object(o, obj), message);
1199 error("object %s: %s", describe_object(o, obj), message);
1203 int fsck_finish(struct fsck_options *options)
1206 struct oidset_iter iter;
1207 const struct object_id *oid;
1209 oidset_iter_init(&gitmodules_found, &iter);
1210 while ((oid = oidset_iter_next(&iter))) {
1212 enum object_type type;
1216 if (oidset_contains(&gitmodules_done, oid))
1219 blob = lookup_blob(oid);
1221 struct object *obj = lookup_unknown_object(oid->hash);
1222 ret |= report(options, obj,
1223 FSCK_MSG_GITMODULES_BLOB,
1224 "non-blob found at .gitmodules");
1228 buf = read_object_file(oid, &type, &size);
1230 if (is_promisor_object(&blob->object.oid))
1232 ret |= report(options, &blob->object,
1233 FSCK_MSG_GITMODULES_MISSING,
1234 "unable to read .gitmodules blob");
1238 if (type == OBJ_BLOB)
1239 ret |= fsck_blob(blob, buf, size, options);
1241 ret |= report(options, &blob->object,
1242 FSCK_MSG_GITMODULES_BLOB,
1243 "non-blob found at .gitmodules");
1248 oidset_clear(&gitmodules_found);
1249 oidset_clear(&gitmodules_done);