2 #include "object-store.h"
3 #include "repository.h"
14 #include "sha1-array.h"
18 #include "submodule-config.h"
20 #include "credential.h"
23 static struct oidset gitmodules_found = OIDSET_INIT;
24 static struct oidset gitmodules_done = OIDSET_INIT;
29 #define FOREACH_MSG_ID(FUNC) \
31 FUNC(NUL_IN_HEADER, FATAL) \
32 FUNC(UNTERMINATED_HEADER, FATAL) \
34 FUNC(BAD_DATE, ERROR) \
35 FUNC(BAD_DATE_OVERFLOW, ERROR) \
36 FUNC(BAD_EMAIL, ERROR) \
37 FUNC(BAD_NAME, ERROR) \
38 FUNC(BAD_OBJECT_SHA1, ERROR) \
39 FUNC(BAD_PARENT_SHA1, ERROR) \
40 FUNC(BAD_TAG_OBJECT, ERROR) \
41 FUNC(BAD_TIMEZONE, ERROR) \
42 FUNC(BAD_TREE, ERROR) \
43 FUNC(BAD_TREE_SHA1, ERROR) \
44 FUNC(BAD_TYPE, ERROR) \
45 FUNC(DUPLICATE_ENTRIES, ERROR) \
46 FUNC(MISSING_AUTHOR, ERROR) \
47 FUNC(MISSING_COMMITTER, ERROR) \
48 FUNC(MISSING_EMAIL, ERROR) \
49 FUNC(MISSING_GRAFT, ERROR) \
50 FUNC(MISSING_NAME_BEFORE_EMAIL, ERROR) \
51 FUNC(MISSING_OBJECT, ERROR) \
52 FUNC(MISSING_PARENT, ERROR) \
53 FUNC(MISSING_SPACE_BEFORE_DATE, ERROR) \
54 FUNC(MISSING_SPACE_BEFORE_EMAIL, ERROR) \
55 FUNC(MISSING_TAG, ERROR) \
56 FUNC(MISSING_TAG_ENTRY, ERROR) \
57 FUNC(MISSING_TAG_OBJECT, ERROR) \
58 FUNC(MISSING_TREE, ERROR) \
59 FUNC(MISSING_TREE_OBJECT, ERROR) \
60 FUNC(MISSING_TYPE, ERROR) \
61 FUNC(MISSING_TYPE_ENTRY, ERROR) \
62 FUNC(MULTIPLE_AUTHORS, ERROR) \
63 FUNC(TAG_OBJECT_NOT_TAG, ERROR) \
64 FUNC(TREE_NOT_SORTED, ERROR) \
65 FUNC(UNKNOWN_TYPE, ERROR) \
66 FUNC(ZERO_PADDED_DATE, ERROR) \
67 FUNC(GITMODULES_MISSING, ERROR) \
68 FUNC(GITMODULES_BLOB, ERROR) \
69 FUNC(GITMODULES_LARGE, ERROR) \
70 FUNC(GITMODULES_NAME, ERROR) \
71 FUNC(GITMODULES_SYMLINK, ERROR) \
72 FUNC(GITMODULES_URL, ERROR) \
73 FUNC(GITMODULES_PATH, ERROR) \
74 FUNC(GITMODULES_UPDATE, ERROR) \
76 FUNC(BAD_FILEMODE, WARN) \
77 FUNC(EMPTY_NAME, WARN) \
78 FUNC(FULL_PATHNAME, WARN) \
80 FUNC(HAS_DOTDOT, WARN) \
81 FUNC(HAS_DOTGIT, WARN) \
82 FUNC(NULL_SHA1, WARN) \
83 FUNC(ZERO_PADDED_FILEMODE, WARN) \
84 FUNC(NUL_IN_COMMIT, WARN) \
85 /* infos (reported as warnings, but ignored by default) */ \
86 FUNC(GITMODULES_PARSE, INFO) \
87 FUNC(BAD_TAG_NAME, INFO) \
88 FUNC(MISSING_TAGGER_ENTRY, INFO)
90 #define MSG_ID(id, msg_type) FSCK_MSG_##id,
92 FOREACH_MSG_ID(MSG_ID)
98 #define MSG_ID(id, msg_type) { STR(id), NULL, NULL, FSCK_##msg_type },
100 const char *id_string;
101 const char *downcased;
102 const char *camelcased;
104 } msg_id_info[FSCK_MSG_MAX + 1] = {
105 FOREACH_MSG_ID(MSG_ID)
106 { NULL, NULL, NULL, -1 }
110 static void prepare_msg_ids(void)
114 if (msg_id_info[0].downcased)
117 /* convert id_string to lower case, without underscores. */
118 for (i = 0; i < FSCK_MSG_MAX; i++) {
119 const char *p = msg_id_info[i].id_string;
121 char *q = xmalloc(len);
123 msg_id_info[i].downcased = q;
128 *(q)++ = tolower(*(p)++);
131 p = msg_id_info[i].id_string;
133 msg_id_info[i].camelcased = q;
140 *q++ = tolower(*p++);
147 static int parse_msg_id(const char *text)
153 for (i = 0; i < FSCK_MSG_MAX; i++)
154 if (!strcmp(text, msg_id_info[i].downcased))
160 void list_config_fsck_msg_ids(struct string_list *list, const char *prefix)
166 for (i = 0; i < FSCK_MSG_MAX; i++)
167 list_config_item(list, prefix, msg_id_info[i].camelcased);
170 static int fsck_msg_type(enum fsck_msg_id msg_id,
171 struct fsck_options *options)
175 assert(msg_id >= 0 && msg_id < FSCK_MSG_MAX);
177 if (options->msg_type)
178 msg_type = options->msg_type[msg_id];
180 msg_type = msg_id_info[msg_id].msg_type;
181 if (options->strict && msg_type == FSCK_WARN)
182 msg_type = FSCK_ERROR;
188 static void init_skiplist(struct fsck_options *options, const char *path)
190 static struct oid_array skiplist = OID_ARRAY_INIT;
192 char buffer[GIT_MAX_HEXSZ + 1];
193 struct object_id oid;
195 if (options->skiplist)
196 sorted = options->skiplist->sorted;
199 options->skiplist = &skiplist;
202 fd = open(path, O_RDONLY);
204 die("Could not open skip list: %s", path);
207 int result = read_in_full(fd, buffer, sizeof(buffer));
209 die_errno("Could not read '%s'", path);
212 if (parse_oid_hex(buffer, &oid, &p) || *p != '\n')
213 die("Invalid SHA-1: %s", buffer);
214 oid_array_append(&skiplist, &oid);
215 if (sorted && skiplist.nr > 1 &&
216 oidcmp(&skiplist.oid[skiplist.nr - 2],
226 static int parse_msg_type(const char *str)
228 if (!strcmp(str, "error"))
230 else if (!strcmp(str, "warn"))
232 else if (!strcmp(str, "ignore"))
235 die("Unknown fsck message type: '%s'", str);
238 int is_valid_msg_type(const char *msg_id, const char *msg_type)
240 if (parse_msg_id(msg_id) < 0)
242 parse_msg_type(msg_type);
246 void fsck_set_msg_type(struct fsck_options *options,
247 const char *msg_id, const char *msg_type)
249 int id = parse_msg_id(msg_id), type;
252 die("Unhandled message id: %s", msg_id);
253 type = parse_msg_type(msg_type);
255 if (type != FSCK_ERROR && msg_id_info[id].msg_type == FSCK_FATAL)
256 die("Cannot demote %s to %s", msg_id, msg_type);
258 if (!options->msg_type) {
261 ALLOC_ARRAY(msg_type, FSCK_MSG_MAX);
262 for (i = 0; i < FSCK_MSG_MAX; i++)
263 msg_type[i] = fsck_msg_type(i, options);
264 options->msg_type = msg_type;
267 options->msg_type[id] = type;
270 void fsck_set_msg_types(struct fsck_options *options, const char *values)
272 char *buf = xstrdup(values), *to_free = buf;
276 int len = strcspn(buf, " ,|"), equal;
286 equal < len && buf[equal] != '=' && buf[equal] != ':';
288 buf[equal] = tolower(buf[equal]);
291 if (!strcmp(buf, "skiplist")) {
293 die("skiplist requires a path");
294 init_skiplist(options, buf + equal + 1);
300 die("Missing '=': '%s'", buf);
302 fsck_set_msg_type(options, buf, buf + equal + 1);
308 static void append_msg_id(struct strbuf *sb, const char *msg_id)
311 char c = *(msg_id)++;
316 strbuf_addch(sb, tolower(c));
319 strbuf_addch(sb, *(msg_id)++);
323 strbuf_addstr(sb, ": ");
326 static int object_on_skiplist(struct fsck_options *opts, struct object *obj)
328 if (opts && opts->skiplist && obj)
329 return oid_array_lookup(opts->skiplist, &obj->oid) >= 0;
333 __attribute__((format (printf, 4, 5)))
334 static int report(struct fsck_options *options, struct object *object,
335 enum fsck_msg_id id, const char *fmt, ...)
338 struct strbuf sb = STRBUF_INIT;
339 int msg_type = fsck_msg_type(id, options), result;
341 if (msg_type == FSCK_IGNORE)
344 if (object_on_skiplist(options, object))
347 if (msg_type == FSCK_FATAL)
348 msg_type = FSCK_ERROR;
349 else if (msg_type == FSCK_INFO)
350 msg_type = FSCK_WARN;
352 append_msg_id(&sb, msg_id_info[id].id_string);
355 strbuf_vaddf(&sb, fmt, ap);
356 result = options->error_func(options, object, msg_type, sb.buf);
363 static char *get_object_name(struct fsck_options *options, struct object *obj)
365 if (!options->object_names)
367 return lookup_decoration(options->object_names, obj);
370 static void put_object_name(struct fsck_options *options, struct object *obj,
371 const char *fmt, ...)
374 struct strbuf buf = STRBUF_INIT;
377 if (!options->object_names)
379 existing = lookup_decoration(options->object_names, obj);
383 strbuf_vaddf(&buf, fmt, ap);
384 add_decoration(options->object_names, obj, strbuf_detach(&buf, NULL));
388 static const char *describe_object(struct fsck_options *o, struct object *obj)
390 static struct strbuf buf = STRBUF_INIT;
394 strbuf_addstr(&buf, oid_to_hex(&obj->oid));
395 if (o->object_names && (name = lookup_decoration(o->object_names, obj)))
396 strbuf_addf(&buf, " (%s)", name);
401 static int fsck_walk_tree(struct tree *tree, void *data, struct fsck_options *options)
403 struct tree_desc desc;
404 struct name_entry entry;
408 if (parse_tree(tree))
411 name = get_object_name(options, &tree->object);
412 if (init_tree_desc_gently(&desc, tree->buffer, tree->size))
414 while (tree_entry_gently(&desc, &entry)) {
418 if (S_ISGITLINK(entry.mode))
421 if (S_ISDIR(entry.mode)) {
422 obj = (struct object *)lookup_tree(the_repository, entry.oid);
424 put_object_name(options, obj, "%s%s/", name,
426 result = options->walk(obj, OBJ_TREE, data, options);
428 else if (S_ISREG(entry.mode) || S_ISLNK(entry.mode)) {
429 obj = (struct object *)lookup_blob(the_repository, entry.oid);
431 put_object_name(options, obj, "%s%s", name,
433 result = options->walk(obj, OBJ_BLOB, data, options);
436 result = error("in tree %s: entry %s has bad mode %.6o",
437 describe_object(options, &tree->object), entry.path, entry.mode);
447 static int fsck_walk_commit(struct commit *commit, void *data, struct fsck_options *options)
449 int counter = 0, generation = 0, name_prefix_len = 0;
450 struct commit_list *parents;
455 if (parse_commit(commit))
458 name = get_object_name(options, &commit->object);
460 put_object_name(options, &get_commit_tree(commit)->object,
463 result = options->walk((struct object *)get_commit_tree(commit),
464 OBJ_TREE, data, options);
469 parents = commit->parents;
470 if (name && parents) {
471 int len = strlen(name), power;
473 if (len && name[len - 1] == '^') {
475 name_prefix_len = len - 1;
477 else { /* parse ~<generation> suffix */
478 for (generation = 0, power = 1;
479 len && isdigit(name[len - 1]);
481 generation += power * (name[--len] - '0');
482 if (power > 1 && len && name[len - 1] == '~')
483 name_prefix_len = len - 1;
489 struct object *obj = &parents->item->object;
492 put_object_name(options, obj, "%s^%d",
494 else if (generation > 0)
495 put_object_name(options, obj, "%.*s~%d",
496 name_prefix_len, name, generation + 1);
498 put_object_name(options, obj, "%s^", name);
500 result = options->walk((struct object *)parents->item, OBJ_COMMIT, data, options);
505 parents = parents->next;
510 static int fsck_walk_tag(struct tag *tag, void *data, struct fsck_options *options)
512 char *name = get_object_name(options, &tag->object);
517 put_object_name(options, tag->tagged, "%s", name);
518 return options->walk(tag->tagged, OBJ_ANY, data, options);
521 int fsck_walk(struct object *obj, void *data, struct fsck_options *options)
526 if (obj->type == OBJ_NONE)
527 parse_object(the_repository, &obj->oid);
533 return fsck_walk_tree((struct tree *)obj, data, options);
535 return fsck_walk_commit((struct commit *)obj, data, options);
537 return fsck_walk_tag((struct tag *)obj, data, options);
539 error("Unknown object type for %s", describe_object(options, obj));
545 * The entries in a tree are ordered in the _path_ order,
546 * which means that a directory entry is ordered by adding
547 * a slash to the end of it.
549 * So a directory called "a" is ordered _after_ a file
550 * called "a.c", because "a/" sorts after "a.c".
552 #define TREE_UNORDERED (-1)
553 #define TREE_HAS_DUPS (-2)
555 static int verify_ordered(unsigned mode1, const char *name1, unsigned mode2, const char *name2)
557 int len1 = strlen(name1);
558 int len2 = strlen(name2);
559 int len = len1 < len2 ? len1 : len2;
560 unsigned char c1, c2;
563 cmp = memcmp(name1, name2, len);
567 return TREE_UNORDERED;
570 * Ok, the first <len> characters are the same.
571 * Now we need to order the next one, but turn
572 * a '\0' into a '/' for a directory entry.
578 * git-write-tree used to write out a nonsense tree that has
579 * entries with the same name, one blob and one tree. Make
580 * sure we do not have duplicate entries.
582 return TREE_HAS_DUPS;
583 if (!c1 && S_ISDIR(mode1))
585 if (!c2 && S_ISDIR(mode2))
587 return c1 < c2 ? 0 : TREE_UNORDERED;
590 static int fsck_tree(struct tree *item, struct fsck_options *options)
593 int has_null_sha1 = 0;
594 int has_full_path = 0;
595 int has_empty_name = 0;
599 int has_zero_pad = 0;
600 int has_bad_modes = 0;
601 int has_dup_entries = 0;
602 int not_properly_sorted = 0;
603 struct tree_desc desc;
607 if (init_tree_desc_gently(&desc, item->buffer, item->size)) {
608 retval += report(options, &item->object, FSCK_MSG_BAD_TREE, "cannot be parsed as a tree");
617 const char *name, *backslash;
618 const struct object_id *oid;
620 oid = tree_entry_extract(&desc, &name, &mode);
622 has_null_sha1 |= is_null_oid(oid);
623 has_full_path |= !!strchr(name, '/');
624 has_empty_name |= !*name;
625 has_dot |= !strcmp(name, ".");
626 has_dotdot |= !strcmp(name, "..");
627 has_dotgit |= is_hfs_dotgit(name) || is_ntfs_dotgit(name);
628 has_zero_pad |= *(char *)desc.buffer == '0';
630 if (is_hfs_dotgitmodules(name) || is_ntfs_dotgitmodules(name)) {
632 oidset_insert(&gitmodules_found, oid);
634 retval += report(options, &item->object,
635 FSCK_MSG_GITMODULES_SYMLINK,
636 ".gitmodules is a symbolic link");
639 if ((backslash = strchr(name, '\\'))) {
642 has_dotgit |= is_ntfs_dotgit(backslash);
643 if (is_ntfs_dotgitmodules(backslash)) {
645 oidset_insert(&gitmodules_found, oid);
647 retval += report(options, &item->object,
648 FSCK_MSG_GITMODULES_SYMLINK,
649 ".gitmodules is a symbolic link");
651 backslash = strchr(backslash, '\\');
655 if (update_tree_entry_gently(&desc)) {
656 retval += report(options, &item->object, FSCK_MSG_BAD_TREE, "cannot be parsed as a tree");
671 * This is nonstandard, but we had a few of these
672 * early on when we honored the full set of mode
676 if (!options->strict)
684 switch (verify_ordered(o_mode, o_name, mode, name)) {
686 not_properly_sorted = 1;
701 retval += report(options, &item->object, FSCK_MSG_NULL_SHA1, "contains entries pointing to null sha1");
703 retval += report(options, &item->object, FSCK_MSG_FULL_PATHNAME, "contains full pathnames");
705 retval += report(options, &item->object, FSCK_MSG_EMPTY_NAME, "contains empty pathname");
707 retval += report(options, &item->object, FSCK_MSG_HAS_DOT, "contains '.'");
709 retval += report(options, &item->object, FSCK_MSG_HAS_DOTDOT, "contains '..'");
711 retval += report(options, &item->object, FSCK_MSG_HAS_DOTGIT, "contains '.git'");
713 retval += report(options, &item->object, FSCK_MSG_ZERO_PADDED_FILEMODE, "contains zero-padded file modes");
715 retval += report(options, &item->object, FSCK_MSG_BAD_FILEMODE, "contains bad file modes");
717 retval += report(options, &item->object, FSCK_MSG_DUPLICATE_ENTRIES, "contains duplicate file entries");
718 if (not_properly_sorted)
719 retval += report(options, &item->object, FSCK_MSG_TREE_NOT_SORTED, "not properly sorted");
723 static int verify_headers(const void *data, unsigned long size,
724 struct object *obj, struct fsck_options *options)
726 const char *buffer = (const char *)data;
729 for (i = 0; i < size; i++) {
732 return report(options, obj,
733 FSCK_MSG_NUL_IN_HEADER,
734 "unterminated header: NUL at offset %ld", i);
736 if (i + 1 < size && buffer[i + 1] == '\n')
742 * We did not find double-LF that separates the header
743 * and the body. Not having a body is not a crime but
744 * we do want to see the terminating LF for the last header
747 if (size && buffer[size - 1] == '\n')
750 return report(options, obj,
751 FSCK_MSG_UNTERMINATED_HEADER, "unterminated header");
754 static int fsck_ident(const char **ident, struct object *obj, struct fsck_options *options)
756 const char *p = *ident;
759 *ident = strchrnul(*ident, '\n');
764 return report(options, obj, FSCK_MSG_MISSING_NAME_BEFORE_EMAIL, "invalid author/committer line - missing space before email");
765 p += strcspn(p, "<>\n");
767 return report(options, obj, FSCK_MSG_BAD_NAME, "invalid author/committer line - bad name");
769 return report(options, obj, FSCK_MSG_MISSING_EMAIL, "invalid author/committer line - missing email");
771 return report(options, obj, FSCK_MSG_MISSING_SPACE_BEFORE_EMAIL, "invalid author/committer line - missing space before email");
773 p += strcspn(p, "<>\n");
775 return report(options, obj, FSCK_MSG_BAD_EMAIL, "invalid author/committer line - bad email");
778 return report(options, obj, FSCK_MSG_MISSING_SPACE_BEFORE_DATE, "invalid author/committer line - missing space before date");
780 if (*p == '0' && p[1] != ' ')
781 return report(options, obj, FSCK_MSG_ZERO_PADDED_DATE, "invalid author/committer line - zero-padded date");
782 if (date_overflows(parse_timestamp(p, &end, 10)))
783 return report(options, obj, FSCK_MSG_BAD_DATE_OVERFLOW, "invalid author/committer line - date causes integer overflow");
784 if ((end == p || *end != ' '))
785 return report(options, obj, FSCK_MSG_BAD_DATE, "invalid author/committer line - bad date");
787 if ((*p != '+' && *p != '-') ||
793 return report(options, obj, FSCK_MSG_BAD_TIMEZONE, "invalid author/committer line - bad time zone");
798 static int fsck_commit_buffer(struct commit *commit, const char *buffer,
799 unsigned long size, struct fsck_options *options)
801 struct object_id tree_oid, oid;
802 struct commit_graft *graft;
803 unsigned parent_count, parent_line_count = 0, author_count;
805 const char *buffer_begin = buffer;
808 if (verify_headers(buffer, size, &commit->object, options))
811 if (!skip_prefix(buffer, "tree ", &buffer))
812 return report(options, &commit->object, FSCK_MSG_MISSING_TREE, "invalid format - expected 'tree' line");
813 if (parse_oid_hex(buffer, &tree_oid, &p) || *p != '\n') {
814 err = report(options, &commit->object, FSCK_MSG_BAD_TREE_SHA1, "invalid 'tree' line format - bad sha1");
819 while (skip_prefix(buffer, "parent ", &buffer)) {
820 if (parse_oid_hex(buffer, &oid, &p) || *p != '\n') {
821 err = report(options, &commit->object, FSCK_MSG_BAD_PARENT_SHA1, "invalid 'parent' line format - bad sha1");
828 graft = lookup_commit_graft(the_repository, &commit->object.oid);
829 parent_count = commit_list_count(commit->parents);
831 if (graft->nr_parent == -1 && !parent_count)
832 ; /* shallow commit */
833 else if (graft->nr_parent != parent_count) {
834 err = report(options, &commit->object, FSCK_MSG_MISSING_GRAFT, "graft objects missing");
839 if (parent_count != parent_line_count) {
840 err = report(options, &commit->object, FSCK_MSG_MISSING_PARENT, "parent objects missing");
846 while (skip_prefix(buffer, "author ", &buffer)) {
848 err = fsck_ident(&buffer, &commit->object, options);
852 if (author_count < 1)
853 err = report(options, &commit->object, FSCK_MSG_MISSING_AUTHOR, "invalid format - expected 'author' line");
854 else if (author_count > 1)
855 err = report(options, &commit->object, FSCK_MSG_MULTIPLE_AUTHORS, "invalid format - multiple 'author' lines");
858 if (!skip_prefix(buffer, "committer ", &buffer))
859 return report(options, &commit->object, FSCK_MSG_MISSING_COMMITTER, "invalid format - expected 'committer' line");
860 err = fsck_ident(&buffer, &commit->object, options);
863 if (!get_commit_tree(commit)) {
864 err = report(options, &commit->object, FSCK_MSG_BAD_TREE, "could not load commit's tree %s", oid_to_hex(&tree_oid));
868 if (memchr(buffer_begin, '\0', size)) {
869 err = report(options, &commit->object, FSCK_MSG_NUL_IN_COMMIT,
870 "NUL byte in the commit object body");
877 static int fsck_commit(struct commit *commit, const char *data,
878 unsigned long size, struct fsck_options *options)
880 const char *buffer = data ? data : get_commit_buffer(commit, &size);
881 int ret = fsck_commit_buffer(commit, buffer, size, options);
883 unuse_commit_buffer(commit, buffer);
887 static int fsck_tag_buffer(struct tag *tag, const char *data,
888 unsigned long size, struct fsck_options *options)
890 struct object_id oid;
893 char *to_free = NULL, *eol;
894 struct strbuf sb = STRBUF_INIT;
900 enum object_type type;
903 read_object_file(&tag->object.oid, &type, &size);
905 return report(options, &tag->object,
906 FSCK_MSG_MISSING_TAG_OBJECT,
907 "cannot read tag object");
909 if (type != OBJ_TAG) {
910 ret = report(options, &tag->object,
911 FSCK_MSG_TAG_OBJECT_NOT_TAG,
912 "expected tag got %s",
918 ret = verify_headers(buffer, size, &tag->object, options);
922 if (!skip_prefix(buffer, "object ", &buffer)) {
923 ret = report(options, &tag->object, FSCK_MSG_MISSING_OBJECT, "invalid format - expected 'object' line");
926 if (parse_oid_hex(buffer, &oid, &p) || *p != '\n') {
927 ret = report(options, &tag->object, FSCK_MSG_BAD_OBJECT_SHA1, "invalid 'object' line format - bad sha1");
933 if (!skip_prefix(buffer, "type ", &buffer)) {
934 ret = report(options, &tag->object, FSCK_MSG_MISSING_TYPE_ENTRY, "invalid format - expected 'type' line");
937 eol = strchr(buffer, '\n');
939 ret = report(options, &tag->object, FSCK_MSG_MISSING_TYPE, "invalid format - unexpected end after 'type' line");
942 if (type_from_string_gently(buffer, eol - buffer, 1) < 0)
943 ret = report(options, &tag->object, FSCK_MSG_BAD_TYPE, "invalid 'type' value");
948 if (!skip_prefix(buffer, "tag ", &buffer)) {
949 ret = report(options, &tag->object, FSCK_MSG_MISSING_TAG_ENTRY, "invalid format - expected 'tag' line");
952 eol = strchr(buffer, '\n');
954 ret = report(options, &tag->object, FSCK_MSG_MISSING_TAG, "invalid format - unexpected end after 'type' line");
957 strbuf_addf(&sb, "refs/tags/%.*s", (int)(eol - buffer), buffer);
958 if (check_refname_format(sb.buf, 0)) {
959 ret = report(options, &tag->object, FSCK_MSG_BAD_TAG_NAME,
960 "invalid 'tag' name: %.*s",
961 (int)(eol - buffer), buffer);
967 if (!skip_prefix(buffer, "tagger ", &buffer)) {
968 /* early tags do not contain 'tagger' lines; warn only */
969 ret = report(options, &tag->object, FSCK_MSG_MISSING_TAGGER_ENTRY, "invalid format - expected 'tagger' line");
974 ret = fsck_ident(&buffer, &tag->object, options);
982 static int fsck_tag(struct tag *tag, const char *data,
983 unsigned long size, struct fsck_options *options)
985 struct object *tagged = tag->tagged;
988 return report(options, &tag->object, FSCK_MSG_BAD_TAG_OBJECT, "could not load tagged object");
990 return fsck_tag_buffer(tag, data, size, options);
994 * Like builtin/submodule--helper.c's starts_with_dot_slash, but without
995 * relying on the platform-dependent is_dir_sep helper.
997 * This is for use in checking whether a submodule URL is interpreted as
998 * relative to the current directory on any platform, since \ is a
999 * directory separator on Windows but not on other platforms.
1001 static int starts_with_dot_slash(const char *str)
1003 return str[0] == '.' && (str[1] == '/' || str[1] == '\\');
1007 * Like starts_with_dot_slash, this is a variant of submodule--helper's
1008 * helper of the same name with the twist that it accepts backslash as a
1009 * directory separator even on non-Windows platforms.
1011 static int starts_with_dot_dot_slash(const char *str)
1013 return str[0] == '.' && starts_with_dot_slash(str + 1);
1016 static int submodule_url_is_relative(const char *url)
1018 return starts_with_dot_slash(url) || starts_with_dot_dot_slash(url);
1022 * Count directory components that a relative submodule URL should chop
1023 * from the remote_url it is to be resolved against.
1025 * In other words, this counts "../" components at the start of a
1028 * Returns the number of directory components to chop and writes a
1029 * pointer to the next character of url after all leading "./" and
1030 * "../" components to out.
1032 static int count_leading_dotdots(const char *url, const char **out)
1036 if (starts_with_dot_dot_slash(url)) {
1038 url += strlen("../");
1041 if (starts_with_dot_slash(url)) {
1042 url += strlen("./");
1050 * Check whether a transport is implemented by git-remote-curl.
1052 * If it is, returns 1 and writes the URL that would be passed to
1053 * git-remote-curl to the "out" parameter.
1055 * Otherwise, returns 0 and leaves "out" untouched.
1058 * http::https://example.com/repo.git -> 1, https://example.com/repo.git
1059 * https://example.com/repo.git -> 1, https://example.com/repo.git
1060 * git://example.com/repo.git -> 0
1062 * This is for use in checking for previously exploitable bugs that
1063 * required a submodule URL to be passed to git-remote-curl.
1065 static int url_to_curl_url(const char *url, const char **out)
1068 * We don't need to check for case-aliases, "http.exe", and so
1069 * on because in the default configuration, is_transport_allowed
1070 * prevents URLs with those schemes from being cloned
1073 if (skip_prefix(url, "http::", out) ||
1074 skip_prefix(url, "https::", out) ||
1075 skip_prefix(url, "ftp::", out) ||
1076 skip_prefix(url, "ftps::", out))
1078 if (starts_with(url, "http://") ||
1079 starts_with(url, "https://") ||
1080 starts_with(url, "ftp://") ||
1081 starts_with(url, "ftps://")) {
1088 static int check_submodule_url(const char *url)
1090 const char *curl_url;
1092 if (looks_like_command_line_option(url))
1095 if (submodule_url_is_relative(url)) {
1101 * This could be appended to an http URL and url-decoded;
1102 * check for malicious characters.
1104 decoded = url_decode(url);
1105 has_nl = !!strchr(decoded, '\n');
1112 * URLs which escape their root via "../" can overwrite
1113 * the host field and previous components, resolving to
1114 * URLs like https::example.com/submodule.git and
1115 * https:///example.com/submodule.git that were
1116 * susceptible to CVE-2020-11008.
1118 if (count_leading_dotdots(url, &next) > 0 &&
1119 (*next == ':' || *next == '/'))
1123 else if (url_to_curl_url(url, &curl_url)) {
1124 struct credential c = CREDENTIAL_INIT;
1126 if (credential_from_url_gently(&c, curl_url, 1) ||
1129 credential_clear(&c);
1136 struct fsck_gitmodules_data {
1138 struct fsck_options *options;
1142 static int fsck_gitmodules_fn(const char *var, const char *value, void *vdata)
1144 struct fsck_gitmodules_data *data = vdata;
1145 const char *subsection, *key;
1149 if (parse_config_key(var, "submodule", &subsection, &subsection_len, &key) < 0 ||
1153 name = xmemdupz(subsection, subsection_len);
1154 if (check_submodule_name(name) < 0)
1155 data->ret |= report(data->options, data->obj,
1156 FSCK_MSG_GITMODULES_NAME,
1157 "disallowed submodule name: %s",
1159 if (!strcmp(key, "url") && value &&
1160 check_submodule_url(value) < 0)
1161 data->ret |= report(data->options, data->obj,
1162 FSCK_MSG_GITMODULES_URL,
1163 "disallowed submodule url: %s",
1165 if (!strcmp(key, "path") && value &&
1166 looks_like_command_line_option(value))
1167 data->ret |= report(data->options, data->obj,
1168 FSCK_MSG_GITMODULES_PATH,
1169 "disallowed submodule path: %s",
1171 if (!strcmp(key, "update") && value &&
1172 parse_submodule_update_type(value) == SM_UPDATE_COMMAND)
1173 data->ret |= report(data->options, data->obj,
1174 FSCK_MSG_GITMODULES_UPDATE,
1175 "disallowed submodule update setting: %s",
1182 static int fsck_blob(struct blob *blob, const char *buf,
1183 unsigned long size, struct fsck_options *options)
1185 struct fsck_gitmodules_data data;
1186 struct config_options config_opts = { 0 };
1188 if (!oidset_contains(&gitmodules_found, &blob->object.oid))
1190 oidset_insert(&gitmodules_done, &blob->object.oid);
1192 if (object_on_skiplist(options, &blob->object))
1197 * A missing buffer here is a sign that the caller found the
1198 * blob too gigantic to load into memory. Let's just consider
1201 return report(options, &blob->object,
1202 FSCK_MSG_GITMODULES_LARGE,
1203 ".gitmodules too large to parse");
1206 data.obj = &blob->object;
1207 data.options = options;
1209 config_opts.error_action = CONFIG_ERROR_SILENT;
1210 if (git_config_from_mem(fsck_gitmodules_fn, CONFIG_ORIGIN_BLOB,
1211 ".gitmodules", buf, size, &data, &config_opts))
1212 data.ret |= report(options, &blob->object,
1213 FSCK_MSG_GITMODULES_PARSE,
1214 "could not parse gitmodules blob");
1219 int fsck_object(struct object *obj, void *data, unsigned long size,
1220 struct fsck_options *options)
1223 return report(options, obj, FSCK_MSG_BAD_OBJECT_SHA1, "no valid object to fsck");
1225 if (obj->type == OBJ_BLOB)
1226 return fsck_blob((struct blob *)obj, data, size, options);
1227 if (obj->type == OBJ_TREE)
1228 return fsck_tree((struct tree *) obj, options);
1229 if (obj->type == OBJ_COMMIT)
1230 return fsck_commit((struct commit *) obj, (const char *) data,
1232 if (obj->type == OBJ_TAG)
1233 return fsck_tag((struct tag *) obj, (const char *) data,
1236 return report(options, obj, FSCK_MSG_UNKNOWN_TYPE, "unknown type '%d' (internal fsck error)",
1240 int fsck_error_function(struct fsck_options *o,
1241 struct object *obj, int msg_type, const char *message)
1243 if (msg_type == FSCK_WARN) {
1244 warning("object %s: %s", describe_object(o, obj), message);
1247 error("object %s: %s", describe_object(o, obj), message);
1251 int fsck_finish(struct fsck_options *options)
1254 struct oidset_iter iter;
1255 const struct object_id *oid;
1257 oidset_iter_init(&gitmodules_found, &iter);
1258 while ((oid = oidset_iter_next(&iter))) {
1260 enum object_type type;
1264 if (oidset_contains(&gitmodules_done, oid))
1267 blob = lookup_blob(the_repository, oid);
1269 struct object *obj = lookup_unknown_object(oid->hash);
1270 ret |= report(options, obj,
1271 FSCK_MSG_GITMODULES_BLOB,
1272 "non-blob found at .gitmodules");
1276 buf = read_object_file(oid, &type, &size);
1278 if (is_promisor_object(&blob->object.oid))
1280 ret |= report(options, &blob->object,
1281 FSCK_MSG_GITMODULES_MISSING,
1282 "unable to read .gitmodules blob");
1286 if (type == OBJ_BLOB)
1287 ret |= fsck_blob(blob, buf, size, options);
1289 ret |= report(options, &blob->object,
1290 FSCK_MSG_GITMODULES_BLOB,
1291 "non-blob found at .gitmodules");
1296 oidset_clear(&gitmodules_found);
1297 oidset_clear(&gitmodules_done);