12 #include "sha1-array.h"
16 #include "submodule-config.h"
18 #include "credential.h"
20 static struct oidset gitmodules_found = OIDSET_INIT;
21 static struct oidset gitmodules_done = OIDSET_INIT;
26 #define FOREACH_MSG_ID(FUNC) \
28 FUNC(NUL_IN_HEADER, FATAL) \
29 FUNC(UNTERMINATED_HEADER, FATAL) \
31 FUNC(BAD_DATE, ERROR) \
32 FUNC(BAD_DATE_OVERFLOW, ERROR) \
33 FUNC(BAD_EMAIL, ERROR) \
34 FUNC(BAD_NAME, ERROR) \
35 FUNC(BAD_OBJECT_SHA1, ERROR) \
36 FUNC(BAD_PARENT_SHA1, ERROR) \
37 FUNC(BAD_TAG_OBJECT, ERROR) \
38 FUNC(BAD_TIMEZONE, ERROR) \
39 FUNC(BAD_TREE, ERROR) \
40 FUNC(BAD_TREE_SHA1, ERROR) \
41 FUNC(BAD_TYPE, ERROR) \
42 FUNC(DUPLICATE_ENTRIES, ERROR) \
43 FUNC(MISSING_AUTHOR, ERROR) \
44 FUNC(MISSING_COMMITTER, ERROR) \
45 FUNC(MISSING_EMAIL, ERROR) \
46 FUNC(MISSING_GRAFT, ERROR) \
47 FUNC(MISSING_NAME_BEFORE_EMAIL, ERROR) \
48 FUNC(MISSING_OBJECT, ERROR) \
49 FUNC(MISSING_PARENT, ERROR) \
50 FUNC(MISSING_SPACE_BEFORE_DATE, ERROR) \
51 FUNC(MISSING_SPACE_BEFORE_EMAIL, ERROR) \
52 FUNC(MISSING_TAG, ERROR) \
53 FUNC(MISSING_TAG_ENTRY, ERROR) \
54 FUNC(MISSING_TAG_OBJECT, ERROR) \
55 FUNC(MISSING_TREE, ERROR) \
56 FUNC(MISSING_TREE_OBJECT, ERROR) \
57 FUNC(MISSING_TYPE, ERROR) \
58 FUNC(MISSING_TYPE_ENTRY, ERROR) \
59 FUNC(MULTIPLE_AUTHORS, ERROR) \
60 FUNC(TAG_OBJECT_NOT_TAG, ERROR) \
61 FUNC(TREE_NOT_SORTED, ERROR) \
62 FUNC(UNKNOWN_TYPE, ERROR) \
63 FUNC(ZERO_PADDED_DATE, ERROR) \
64 FUNC(GITMODULES_MISSING, ERROR) \
65 FUNC(GITMODULES_BLOB, ERROR) \
66 FUNC(GITMODULES_PARSE, ERROR) \
67 FUNC(GITMODULES_NAME, ERROR) \
68 FUNC(GITMODULES_SYMLINK, ERROR) \
69 FUNC(GITMODULES_URL, ERROR) \
70 FUNC(GITMODULES_PATH, ERROR) \
71 FUNC(GITMODULES_UPDATE, ERROR) \
73 FUNC(BAD_FILEMODE, WARN) \
74 FUNC(EMPTY_NAME, WARN) \
75 FUNC(FULL_PATHNAME, WARN) \
77 FUNC(HAS_DOTDOT, WARN) \
78 FUNC(HAS_DOTGIT, WARN) \
79 FUNC(NULL_SHA1, WARN) \
80 FUNC(ZERO_PADDED_FILEMODE, WARN) \
81 FUNC(NUL_IN_COMMIT, WARN) \
82 /* infos (reported as warnings, but ignored by default) */ \
83 FUNC(BAD_TAG_NAME, INFO) \
84 FUNC(MISSING_TAGGER_ENTRY, INFO)
86 #define MSG_ID(id, msg_type) FSCK_MSG_##id,
88 FOREACH_MSG_ID(MSG_ID)
94 #define MSG_ID(id, msg_type) { STR(id), NULL, FSCK_##msg_type },
96 const char *id_string;
97 const char *downcased;
99 } msg_id_info[FSCK_MSG_MAX + 1] = {
100 FOREACH_MSG_ID(MSG_ID)
105 static int parse_msg_id(const char *text)
109 if (!msg_id_info[0].downcased) {
110 /* convert id_string to lower case, without underscores. */
111 for (i = 0; i < FSCK_MSG_MAX; i++) {
112 const char *p = msg_id_info[i].id_string;
114 char *q = xmalloc(len);
116 msg_id_info[i].downcased = q;
121 *(q)++ = tolower(*(p)++);
126 for (i = 0; i < FSCK_MSG_MAX; i++)
127 if (!strcmp(text, msg_id_info[i].downcased))
133 static int fsck_msg_type(enum fsck_msg_id msg_id,
134 struct fsck_options *options)
138 assert(msg_id >= 0 && msg_id < FSCK_MSG_MAX);
140 if (options->msg_type)
141 msg_type = options->msg_type[msg_id];
143 msg_type = msg_id_info[msg_id].msg_type;
144 if (options->strict && msg_type == FSCK_WARN)
145 msg_type = FSCK_ERROR;
151 static void init_skiplist(struct fsck_options *options, const char *path)
153 static struct oid_array skiplist = OID_ARRAY_INIT;
155 char buffer[GIT_MAX_HEXSZ + 1];
156 struct object_id oid;
158 if (options->skiplist)
159 sorted = options->skiplist->sorted;
162 options->skiplist = &skiplist;
165 fd = open(path, O_RDONLY);
167 die("Could not open skip list: %s", path);
170 int result = read_in_full(fd, buffer, sizeof(buffer));
172 die_errno("Could not read '%s'", path);
175 if (parse_oid_hex(buffer, &oid, &p) || *p != '\n')
176 die("Invalid SHA-1: %s", buffer);
177 oid_array_append(&skiplist, &oid);
178 if (sorted && skiplist.nr > 1 &&
179 oidcmp(&skiplist.oid[skiplist.nr - 2],
189 static int parse_msg_type(const char *str)
191 if (!strcmp(str, "error"))
193 else if (!strcmp(str, "warn"))
195 else if (!strcmp(str, "ignore"))
198 die("Unknown fsck message type: '%s'", str);
201 int is_valid_msg_type(const char *msg_id, const char *msg_type)
203 if (parse_msg_id(msg_id) < 0)
205 parse_msg_type(msg_type);
209 void fsck_set_msg_type(struct fsck_options *options,
210 const char *msg_id, const char *msg_type)
212 int id = parse_msg_id(msg_id), type;
215 die("Unhandled message id: %s", msg_id);
216 type = parse_msg_type(msg_type);
218 if (type != FSCK_ERROR && msg_id_info[id].msg_type == FSCK_FATAL)
219 die("Cannot demote %s to %s", msg_id, msg_type);
221 if (!options->msg_type) {
224 ALLOC_ARRAY(msg_type, FSCK_MSG_MAX);
225 for (i = 0; i < FSCK_MSG_MAX; i++)
226 msg_type[i] = fsck_msg_type(i, options);
227 options->msg_type = msg_type;
230 options->msg_type[id] = type;
233 void fsck_set_msg_types(struct fsck_options *options, const char *values)
235 char *buf = xstrdup(values), *to_free = buf;
239 int len = strcspn(buf, " ,|"), equal;
249 equal < len && buf[equal] != '=' && buf[equal] != ':';
251 buf[equal] = tolower(buf[equal]);
254 if (!strcmp(buf, "skiplist")) {
256 die("skiplist requires a path");
257 init_skiplist(options, buf + equal + 1);
263 die("Missing '=': '%s'", buf);
265 fsck_set_msg_type(options, buf, buf + equal + 1);
271 static void append_msg_id(struct strbuf *sb, const char *msg_id)
274 char c = *(msg_id)++;
279 strbuf_addch(sb, tolower(c));
282 strbuf_addch(sb, *(msg_id)++);
286 strbuf_addstr(sb, ": ");
289 __attribute__((format (printf, 4, 5)))
290 static int report(struct fsck_options *options, struct object *object,
291 enum fsck_msg_id id, const char *fmt, ...)
294 struct strbuf sb = STRBUF_INIT;
295 int msg_type = fsck_msg_type(id, options), result;
297 if (msg_type == FSCK_IGNORE)
300 if (options->skiplist && object &&
301 oid_array_lookup(options->skiplist, &object->oid) >= 0)
304 if (msg_type == FSCK_FATAL)
305 msg_type = FSCK_ERROR;
306 else if (msg_type == FSCK_INFO)
307 msg_type = FSCK_WARN;
309 append_msg_id(&sb, msg_id_info[id].id_string);
312 strbuf_vaddf(&sb, fmt, ap);
313 result = options->error_func(options, object, msg_type, sb.buf);
320 static char *get_object_name(struct fsck_options *options, struct object *obj)
322 if (!options->object_names)
324 return lookup_decoration(options->object_names, obj);
327 static void put_object_name(struct fsck_options *options, struct object *obj,
328 const char *fmt, ...)
331 struct strbuf buf = STRBUF_INIT;
334 if (!options->object_names)
336 existing = lookup_decoration(options->object_names, obj);
340 strbuf_vaddf(&buf, fmt, ap);
341 add_decoration(options->object_names, obj, strbuf_detach(&buf, NULL));
345 static const char *describe_object(struct fsck_options *o, struct object *obj)
347 static struct strbuf buf = STRBUF_INIT;
351 strbuf_addstr(&buf, oid_to_hex(&obj->oid));
352 if (o->object_names && (name = lookup_decoration(o->object_names, obj)))
353 strbuf_addf(&buf, " (%s)", name);
358 static int fsck_walk_tree(struct tree *tree, void *data, struct fsck_options *options)
360 struct tree_desc desc;
361 struct name_entry entry;
365 if (parse_tree(tree))
368 name = get_object_name(options, &tree->object);
369 if (init_tree_desc_gently(&desc, tree->buffer, tree->size))
371 while (tree_entry_gently(&desc, &entry)) {
375 if (S_ISGITLINK(entry.mode))
378 if (S_ISDIR(entry.mode)) {
379 obj = (struct object *)lookup_tree(entry.oid);
381 put_object_name(options, obj, "%s%s/", name,
383 result = options->walk(obj, OBJ_TREE, data, options);
385 else if (S_ISREG(entry.mode) || S_ISLNK(entry.mode)) {
386 obj = (struct object *)lookup_blob(entry.oid);
388 put_object_name(options, obj, "%s%s", name,
390 result = options->walk(obj, OBJ_BLOB, data, options);
393 result = error("in tree %s: entry %s has bad mode %.6o",
394 describe_object(options, &tree->object), entry.path, entry.mode);
404 static int fsck_walk_commit(struct commit *commit, void *data, struct fsck_options *options)
406 int counter = 0, generation = 0, name_prefix_len = 0;
407 struct commit_list *parents;
412 if (parse_commit(commit))
415 name = get_object_name(options, &commit->object);
417 put_object_name(options, &commit->tree->object, "%s:", name);
419 result = options->walk((struct object *)commit->tree, OBJ_TREE, data, options);
424 parents = commit->parents;
425 if (name && parents) {
426 int len = strlen(name), power;
428 if (len && name[len - 1] == '^') {
430 name_prefix_len = len - 1;
432 else { /* parse ~<generation> suffix */
433 for (generation = 0, power = 1;
434 len && isdigit(name[len - 1]);
436 generation += power * (name[--len] - '0');
437 if (power > 1 && len && name[len - 1] == '~')
438 name_prefix_len = len - 1;
444 struct object *obj = &parents->item->object;
447 put_object_name(options, obj, "%s^%d",
449 else if (generation > 0)
450 put_object_name(options, obj, "%.*s~%d",
451 name_prefix_len, name, generation + 1);
453 put_object_name(options, obj, "%s^", name);
455 result = options->walk((struct object *)parents->item, OBJ_COMMIT, data, options);
460 parents = parents->next;
465 static int fsck_walk_tag(struct tag *tag, void *data, struct fsck_options *options)
467 char *name = get_object_name(options, &tag->object);
472 put_object_name(options, tag->tagged, "%s", name);
473 return options->walk(tag->tagged, OBJ_ANY, data, options);
476 int fsck_walk(struct object *obj, void *data, struct fsck_options *options)
481 if (obj->type == OBJ_NONE)
482 parse_object(&obj->oid);
488 return fsck_walk_tree((struct tree *)obj, data, options);
490 return fsck_walk_commit((struct commit *)obj, data, options);
492 return fsck_walk_tag((struct tag *)obj, data, options);
494 error("Unknown object type for %s", describe_object(options, obj));
500 * The entries in a tree are ordered in the _path_ order,
501 * which means that a directory entry is ordered by adding
502 * a slash to the end of it.
504 * So a directory called "a" is ordered _after_ a file
505 * called "a.c", because "a/" sorts after "a.c".
507 #define TREE_UNORDERED (-1)
508 #define TREE_HAS_DUPS (-2)
510 static int verify_ordered(unsigned mode1, const char *name1, unsigned mode2, const char *name2)
512 int len1 = strlen(name1);
513 int len2 = strlen(name2);
514 int len = len1 < len2 ? len1 : len2;
515 unsigned char c1, c2;
518 cmp = memcmp(name1, name2, len);
522 return TREE_UNORDERED;
525 * Ok, the first <len> characters are the same.
526 * Now we need to order the next one, but turn
527 * a '\0' into a '/' for a directory entry.
533 * git-write-tree used to write out a nonsense tree that has
534 * entries with the same name, one blob and one tree. Make
535 * sure we do not have duplicate entries.
537 return TREE_HAS_DUPS;
538 if (!c1 && S_ISDIR(mode1))
540 if (!c2 && S_ISDIR(mode2))
542 return c1 < c2 ? 0 : TREE_UNORDERED;
545 static int fsck_tree(struct tree *item, struct fsck_options *options)
548 int has_null_sha1 = 0;
549 int has_full_path = 0;
550 int has_empty_name = 0;
554 int has_zero_pad = 0;
555 int has_bad_modes = 0;
556 int has_dup_entries = 0;
557 int not_properly_sorted = 0;
558 struct tree_desc desc;
562 if (init_tree_desc_gently(&desc, item->buffer, item->size)) {
563 retval += report(options, &item->object, FSCK_MSG_BAD_TREE, "cannot be parsed as a tree");
572 const char *name, *backslash;
573 const struct object_id *oid;
575 oid = tree_entry_extract(&desc, &name, &mode);
577 has_null_sha1 |= is_null_oid(oid);
578 has_full_path |= !!strchr(name, '/');
579 has_empty_name |= !*name;
580 has_dot |= !strcmp(name, ".");
581 has_dotdot |= !strcmp(name, "..");
582 has_dotgit |= is_hfs_dotgit(name) || is_ntfs_dotgit(name);
583 has_zero_pad |= *(char *)desc.buffer == '0';
585 if (is_hfs_dotgitmodules(name) || is_ntfs_dotgitmodules(name)) {
587 oidset_insert(&gitmodules_found, oid);
589 retval += report(options, &item->object,
590 FSCK_MSG_GITMODULES_SYMLINK,
591 ".gitmodules is a symbolic link");
594 if ((backslash = strchr(name, '\\'))) {
597 has_dotgit |= is_ntfs_dotgit(backslash);
598 if (is_ntfs_dotgitmodules(backslash)) {
600 oidset_insert(&gitmodules_found, oid);
602 retval += report(options, &item->object,
603 FSCK_MSG_GITMODULES_SYMLINK,
604 ".gitmodules is a symbolic link");
606 backslash = strchr(backslash, '\\');
610 if (update_tree_entry_gently(&desc)) {
611 retval += report(options, &item->object, FSCK_MSG_BAD_TREE, "cannot be parsed as a tree");
626 * This is nonstandard, but we had a few of these
627 * early on when we honored the full set of mode
631 if (!options->strict)
639 switch (verify_ordered(o_mode, o_name, mode, name)) {
641 not_properly_sorted = 1;
656 retval += report(options, &item->object, FSCK_MSG_NULL_SHA1, "contains entries pointing to null sha1");
658 retval += report(options, &item->object, FSCK_MSG_FULL_PATHNAME, "contains full pathnames");
660 retval += report(options, &item->object, FSCK_MSG_EMPTY_NAME, "contains empty pathname");
662 retval += report(options, &item->object, FSCK_MSG_HAS_DOT, "contains '.'");
664 retval += report(options, &item->object, FSCK_MSG_HAS_DOTDOT, "contains '..'");
666 retval += report(options, &item->object, FSCK_MSG_HAS_DOTGIT, "contains '.git'");
668 retval += report(options, &item->object, FSCK_MSG_ZERO_PADDED_FILEMODE, "contains zero-padded file modes");
670 retval += report(options, &item->object, FSCK_MSG_BAD_FILEMODE, "contains bad file modes");
672 retval += report(options, &item->object, FSCK_MSG_DUPLICATE_ENTRIES, "contains duplicate file entries");
673 if (not_properly_sorted)
674 retval += report(options, &item->object, FSCK_MSG_TREE_NOT_SORTED, "not properly sorted");
678 static int verify_headers(const void *data, unsigned long size,
679 struct object *obj, struct fsck_options *options)
681 const char *buffer = (const char *)data;
684 for (i = 0; i < size; i++) {
687 return report(options, obj,
688 FSCK_MSG_NUL_IN_HEADER,
689 "unterminated header: NUL at offset %ld", i);
691 if (i + 1 < size && buffer[i + 1] == '\n')
697 * We did not find double-LF that separates the header
698 * and the body. Not having a body is not a crime but
699 * we do want to see the terminating LF for the last header
702 if (size && buffer[size - 1] == '\n')
705 return report(options, obj,
706 FSCK_MSG_UNTERMINATED_HEADER, "unterminated header");
709 static int fsck_ident(const char **ident, struct object *obj, struct fsck_options *options)
711 const char *p = *ident;
714 *ident = strchrnul(*ident, '\n');
719 return report(options, obj, FSCK_MSG_MISSING_NAME_BEFORE_EMAIL, "invalid author/committer line - missing space before email");
720 p += strcspn(p, "<>\n");
722 return report(options, obj, FSCK_MSG_BAD_NAME, "invalid author/committer line - bad name");
724 return report(options, obj, FSCK_MSG_MISSING_EMAIL, "invalid author/committer line - missing email");
726 return report(options, obj, FSCK_MSG_MISSING_SPACE_BEFORE_EMAIL, "invalid author/committer line - missing space before email");
728 p += strcspn(p, "<>\n");
730 return report(options, obj, FSCK_MSG_BAD_EMAIL, "invalid author/committer line - bad email");
733 return report(options, obj, FSCK_MSG_MISSING_SPACE_BEFORE_DATE, "invalid author/committer line - missing space before date");
735 if (*p == '0' && p[1] != ' ')
736 return report(options, obj, FSCK_MSG_ZERO_PADDED_DATE, "invalid author/committer line - zero-padded date");
737 if (date_overflows(parse_timestamp(p, &end, 10)))
738 return report(options, obj, FSCK_MSG_BAD_DATE_OVERFLOW, "invalid author/committer line - date causes integer overflow");
739 if ((end == p || *end != ' '))
740 return report(options, obj, FSCK_MSG_BAD_DATE, "invalid author/committer line - bad date");
742 if ((*p != '+' && *p != '-') ||
748 return report(options, obj, FSCK_MSG_BAD_TIMEZONE, "invalid author/committer line - bad time zone");
753 static int fsck_commit_buffer(struct commit *commit, const char *buffer,
754 unsigned long size, struct fsck_options *options)
756 unsigned char tree_sha1[20], sha1[20];
757 struct commit_graft *graft;
758 unsigned parent_count, parent_line_count = 0, author_count;
760 const char *buffer_begin = buffer;
762 if (verify_headers(buffer, size, &commit->object, options))
765 if (!skip_prefix(buffer, "tree ", &buffer))
766 return report(options, &commit->object, FSCK_MSG_MISSING_TREE, "invalid format - expected 'tree' line");
767 if (get_sha1_hex(buffer, tree_sha1) || buffer[40] != '\n') {
768 err = report(options, &commit->object, FSCK_MSG_BAD_TREE_SHA1, "invalid 'tree' line format - bad sha1");
773 while (skip_prefix(buffer, "parent ", &buffer)) {
774 if (get_sha1_hex(buffer, sha1) || buffer[40] != '\n') {
775 err = report(options, &commit->object, FSCK_MSG_BAD_PARENT_SHA1, "invalid 'parent' line format - bad sha1");
782 graft = lookup_commit_graft(&commit->object.oid);
783 parent_count = commit_list_count(commit->parents);
785 if (graft->nr_parent == -1 && !parent_count)
786 ; /* shallow commit */
787 else if (graft->nr_parent != parent_count) {
788 err = report(options, &commit->object, FSCK_MSG_MISSING_GRAFT, "graft objects missing");
793 if (parent_count != parent_line_count) {
794 err = report(options, &commit->object, FSCK_MSG_MISSING_PARENT, "parent objects missing");
800 while (skip_prefix(buffer, "author ", &buffer)) {
802 err = fsck_ident(&buffer, &commit->object, options);
806 if (author_count < 1)
807 err = report(options, &commit->object, FSCK_MSG_MISSING_AUTHOR, "invalid format - expected 'author' line");
808 else if (author_count > 1)
809 err = report(options, &commit->object, FSCK_MSG_MULTIPLE_AUTHORS, "invalid format - multiple 'author' lines");
812 if (!skip_prefix(buffer, "committer ", &buffer))
813 return report(options, &commit->object, FSCK_MSG_MISSING_COMMITTER, "invalid format - expected 'committer' line");
814 err = fsck_ident(&buffer, &commit->object, options);
818 err = report(options, &commit->object, FSCK_MSG_BAD_TREE, "could not load commit's tree %s", sha1_to_hex(tree_sha1));
822 if (memchr(buffer_begin, '\0', size)) {
823 err = report(options, &commit->object, FSCK_MSG_NUL_IN_COMMIT,
824 "NUL byte in the commit object body");
831 static int fsck_commit(struct commit *commit, const char *data,
832 unsigned long size, struct fsck_options *options)
834 const char *buffer = data ? data : get_commit_buffer(commit, &size);
835 int ret = fsck_commit_buffer(commit, buffer, size, options);
837 unuse_commit_buffer(commit, buffer);
841 static int fsck_tag_buffer(struct tag *tag, const char *data,
842 unsigned long size, struct fsck_options *options)
844 unsigned char sha1[20];
847 char *to_free = NULL, *eol;
848 struct strbuf sb = STRBUF_INIT;
853 enum object_type type;
856 read_sha1_file(tag->object.oid.hash, &type, &size);
858 return report(options, &tag->object,
859 FSCK_MSG_MISSING_TAG_OBJECT,
860 "cannot read tag object");
862 if (type != OBJ_TAG) {
863 ret = report(options, &tag->object,
864 FSCK_MSG_TAG_OBJECT_NOT_TAG,
865 "expected tag got %s",
871 ret = verify_headers(buffer, size, &tag->object, options);
875 if (!skip_prefix(buffer, "object ", &buffer)) {
876 ret = report(options, &tag->object, FSCK_MSG_MISSING_OBJECT, "invalid format - expected 'object' line");
879 if (get_sha1_hex(buffer, sha1) || buffer[40] != '\n') {
880 ret = report(options, &tag->object, FSCK_MSG_BAD_OBJECT_SHA1, "invalid 'object' line format - bad sha1");
886 if (!skip_prefix(buffer, "type ", &buffer)) {
887 ret = report(options, &tag->object, FSCK_MSG_MISSING_TYPE_ENTRY, "invalid format - expected 'type' line");
890 eol = strchr(buffer, '\n');
892 ret = report(options, &tag->object, FSCK_MSG_MISSING_TYPE, "invalid format - unexpected end after 'type' line");
895 if (type_from_string_gently(buffer, eol - buffer, 1) < 0)
896 ret = report(options, &tag->object, FSCK_MSG_BAD_TYPE, "invalid 'type' value");
901 if (!skip_prefix(buffer, "tag ", &buffer)) {
902 ret = report(options, &tag->object, FSCK_MSG_MISSING_TAG_ENTRY, "invalid format - expected 'tag' line");
905 eol = strchr(buffer, '\n');
907 ret = report(options, &tag->object, FSCK_MSG_MISSING_TAG, "invalid format - unexpected end after 'type' line");
910 strbuf_addf(&sb, "refs/tags/%.*s", (int)(eol - buffer), buffer);
911 if (check_refname_format(sb.buf, 0)) {
912 ret = report(options, &tag->object, FSCK_MSG_BAD_TAG_NAME,
913 "invalid 'tag' name: %.*s",
914 (int)(eol - buffer), buffer);
920 if (!skip_prefix(buffer, "tagger ", &buffer)) {
921 /* early tags do not contain 'tagger' lines; warn only */
922 ret = report(options, &tag->object, FSCK_MSG_MISSING_TAGGER_ENTRY, "invalid format - expected 'tagger' line");
927 ret = fsck_ident(&buffer, &tag->object, options);
935 static int fsck_tag(struct tag *tag, const char *data,
936 unsigned long size, struct fsck_options *options)
938 struct object *tagged = tag->tagged;
941 return report(options, &tag->object, FSCK_MSG_BAD_TAG_OBJECT, "could not load tagged object");
943 return fsck_tag_buffer(tag, data, size, options);
947 * Like builtin/submodule--helper.c's starts_with_dot_slash, but without
948 * relying on the platform-dependent is_dir_sep helper.
950 * This is for use in checking whether a submodule URL is interpreted as
951 * relative to the current directory on any platform, since \ is a
952 * directory separator on Windows but not on other platforms.
954 static int starts_with_dot_slash(const char *str)
956 return str[0] == '.' && (str[1] == '/' || str[1] == '\\');
960 * Like starts_with_dot_slash, this is a variant of submodule--helper's
961 * helper of the same name with the twist that it accepts backslash as a
962 * directory separator even on non-Windows platforms.
964 static int starts_with_dot_dot_slash(const char *str)
966 return str[0] == '.' && starts_with_dot_slash(str + 1);
969 static int submodule_url_is_relative(const char *url)
971 return starts_with_dot_slash(url) || starts_with_dot_dot_slash(url);
975 * Count directory components that a relative submodule URL should chop
976 * from the remote_url it is to be resolved against.
978 * In other words, this counts "../" components at the start of a
981 * Returns the number of directory components to chop and writes a
982 * pointer to the next character of url after all leading "./" and
983 * "../" components to out.
985 static int count_leading_dotdots(const char *url, const char **out)
989 if (starts_with_dot_dot_slash(url)) {
991 url += strlen("../");
994 if (starts_with_dot_slash(url)) {
1003 * Check whether a transport is implemented by git-remote-curl.
1005 * If it is, returns 1 and writes the URL that would be passed to
1006 * git-remote-curl to the "out" parameter.
1008 * Otherwise, returns 0 and leaves "out" untouched.
1011 * http::https://example.com/repo.git -> 1, https://example.com/repo.git
1012 * https://example.com/repo.git -> 1, https://example.com/repo.git
1013 * git://example.com/repo.git -> 0
1015 * This is for use in checking for previously exploitable bugs that
1016 * required a submodule URL to be passed to git-remote-curl.
1018 static int url_to_curl_url(const char *url, const char **out)
1021 * We don't need to check for case-aliases, "http.exe", and so
1022 * on because in the default configuration, is_transport_allowed
1023 * prevents URLs with those schemes from being cloned
1026 if (skip_prefix(url, "http::", out) ||
1027 skip_prefix(url, "https::", out) ||
1028 skip_prefix(url, "ftp::", out) ||
1029 skip_prefix(url, "ftps::", out))
1031 if (starts_with(url, "http://") ||
1032 starts_with(url, "https://") ||
1033 starts_with(url, "ftp://") ||
1034 starts_with(url, "ftps://")) {
1041 static int check_submodule_url(const char *url)
1043 const char *curl_url;
1045 if (looks_like_command_line_option(url))
1048 if (submodule_url_is_relative(url)) {
1054 * This could be appended to an http URL and url-decoded;
1055 * check for malicious characters.
1057 decoded = url_decode(url);
1058 has_nl = !!strchr(decoded, '\n');
1065 * URLs which escape their root via "../" can overwrite
1066 * the host field and previous components, resolving to
1067 * URLs like https::example.com/submodule.git and
1068 * https:///example.com/submodule.git that were
1069 * susceptible to CVE-2020-11008.
1071 if (count_leading_dotdots(url, &next) > 0 &&
1072 (*next == ':' || *next == '/'))
1076 else if (url_to_curl_url(url, &curl_url)) {
1077 struct credential c = CREDENTIAL_INIT;
1079 if (credential_from_url_gently(&c, curl_url, 1) ||
1082 credential_clear(&c);
1089 struct fsck_gitmodules_data {
1091 struct fsck_options *options;
1095 static int fsck_gitmodules_fn(const char *var, const char *value, void *vdata)
1097 struct fsck_gitmodules_data *data = vdata;
1098 const char *subsection, *key;
1102 if (parse_config_key(var, "submodule", &subsection, &subsection_len, &key) < 0 ||
1106 name = xmemdupz(subsection, subsection_len);
1107 if (check_submodule_name(name) < 0)
1108 data->ret |= report(data->options, data->obj,
1109 FSCK_MSG_GITMODULES_NAME,
1110 "disallowed submodule name: %s",
1112 if (!strcmp(key, "url") && value &&
1113 check_submodule_url(value) < 0)
1114 data->ret |= report(data->options, data->obj,
1115 FSCK_MSG_GITMODULES_URL,
1116 "disallowed submodule url: %s",
1118 if (!strcmp(key, "path") && value &&
1119 looks_like_command_line_option(value))
1120 data->ret |= report(data->options, data->obj,
1121 FSCK_MSG_GITMODULES_PATH,
1122 "disallowed submodule path: %s",
1124 if (!strcmp(key, "update") && value &&
1125 parse_submodule_update_type(value) == SM_UPDATE_COMMAND)
1126 data->ret |= report(data->options, data->obj,
1127 FSCK_MSG_GITMODULES_UPDATE,
1128 "disallowed submodule update setting: %s",
1135 static int fsck_blob(struct blob *blob, const char *buf,
1136 unsigned long size, struct fsck_options *options)
1138 struct fsck_gitmodules_data data;
1140 if (!oidset_contains(&gitmodules_found, &blob->object.oid))
1142 oidset_insert(&gitmodules_done, &blob->object.oid);
1146 * A missing buffer here is a sign that the caller found the
1147 * blob too gigantic to load into memory. Let's just consider
1150 return report(options, &blob->object,
1151 FSCK_MSG_GITMODULES_PARSE,
1152 ".gitmodules too large to parse");
1155 data.obj = &blob->object;
1156 data.options = options;
1158 if (git_config_from_mem(fsck_gitmodules_fn, CONFIG_ORIGIN_BLOB,
1159 ".gitmodules", buf, size, &data))
1160 data.ret |= report(options, &blob->object,
1161 FSCK_MSG_GITMODULES_PARSE,
1162 "could not parse gitmodules blob");
1167 int fsck_object(struct object *obj, void *data, unsigned long size,
1168 struct fsck_options *options)
1171 return report(options, obj, FSCK_MSG_BAD_OBJECT_SHA1, "no valid object to fsck");
1173 if (obj->type == OBJ_BLOB)
1174 return fsck_blob((struct blob *)obj, data, size, options);
1175 if (obj->type == OBJ_TREE)
1176 return fsck_tree((struct tree *) obj, options);
1177 if (obj->type == OBJ_COMMIT)
1178 return fsck_commit((struct commit *) obj, (const char *) data,
1180 if (obj->type == OBJ_TAG)
1181 return fsck_tag((struct tag *) obj, (const char *) data,
1184 return report(options, obj, FSCK_MSG_UNKNOWN_TYPE, "unknown type '%d' (internal fsck error)",
1188 int fsck_error_function(struct fsck_options *o,
1189 struct object *obj, int msg_type, const char *message)
1191 if (msg_type == FSCK_WARN) {
1192 warning("object %s: %s", describe_object(o, obj), message);
1195 error("object %s: %s", describe_object(o, obj), message);
1199 int fsck_finish(struct fsck_options *options)
1202 struct oidset_iter iter;
1203 const struct object_id *oid;
1205 oidset_iter_init(&gitmodules_found, &iter);
1206 while ((oid = oidset_iter_next(&iter))) {
1208 enum object_type type;
1212 if (oidset_contains(&gitmodules_done, oid))
1215 blob = lookup_blob(oid);
1217 ret |= report(options, &blob->object,
1218 FSCK_MSG_GITMODULES_BLOB,
1219 "non-blob found at .gitmodules");
1223 buf = read_sha1_file(oid->hash, &type, &size);
1225 if (is_promisor_object(&blob->object.oid))
1227 ret |= report(options, &blob->object,
1228 FSCK_MSG_GITMODULES_MISSING,
1229 "unable to read .gitmodules blob");
1233 if (type == OBJ_BLOB)
1234 ret |= fsck_blob(blob, buf, size, options);
1236 ret |= report(options, &blob->object,
1237 FSCK_MSG_GITMODULES_BLOB,
1238 "non-blob found at .gitmodules");
1243 oidset_clear(&gitmodules_found);
1244 oidset_clear(&gitmodules_done);
projects / platform / upstream / git.git / blob