Imported Upstream version 2.17.5
[platform/upstream/git.git] / fsck.c
1 #include "cache.h"
2 #include "object.h"
3 #include "blob.h"
4 #include "tree.h"
5 #include "tree-walk.h"
6 #include "commit.h"
7 #include "tag.h"
8 #include "fsck.h"
9 #include "refs.h"
10 #include "url.h"
11 #include "utf8.h"
12 #include "sha1-array.h"
13 #include "decorate.h"
14 #include "oidset.h"
15 #include "packfile.h"
16 #include "submodule-config.h"
17 #include "config.h"
18 #include "credential.h"
19
20 static struct oidset gitmodules_found = OIDSET_INIT;
21 static struct oidset gitmodules_done = OIDSET_INIT;
22
23 #define FSCK_FATAL -1
24 #define FSCK_INFO -2
25
26 #define FOREACH_MSG_ID(FUNC) \
27         /* fatal errors */ \
28         FUNC(NUL_IN_HEADER, FATAL) \
29         FUNC(UNTERMINATED_HEADER, FATAL) \
30         /* errors */ \
31         FUNC(BAD_DATE, ERROR) \
32         FUNC(BAD_DATE_OVERFLOW, ERROR) \
33         FUNC(BAD_EMAIL, ERROR) \
34         FUNC(BAD_NAME, ERROR) \
35         FUNC(BAD_OBJECT_SHA1, ERROR) \
36         FUNC(BAD_PARENT_SHA1, ERROR) \
37         FUNC(BAD_TAG_OBJECT, ERROR) \
38         FUNC(BAD_TIMEZONE, ERROR) \
39         FUNC(BAD_TREE, ERROR) \
40         FUNC(BAD_TREE_SHA1, ERROR) \
41         FUNC(BAD_TYPE, ERROR) \
42         FUNC(DUPLICATE_ENTRIES, ERROR) \
43         FUNC(MISSING_AUTHOR, ERROR) \
44         FUNC(MISSING_COMMITTER, ERROR) \
45         FUNC(MISSING_EMAIL, ERROR) \
46         FUNC(MISSING_GRAFT, ERROR) \
47         FUNC(MISSING_NAME_BEFORE_EMAIL, ERROR) \
48         FUNC(MISSING_OBJECT, ERROR) \
49         FUNC(MISSING_PARENT, ERROR) \
50         FUNC(MISSING_SPACE_BEFORE_DATE, ERROR) \
51         FUNC(MISSING_SPACE_BEFORE_EMAIL, ERROR) \
52         FUNC(MISSING_TAG, ERROR) \
53         FUNC(MISSING_TAG_ENTRY, ERROR) \
54         FUNC(MISSING_TAG_OBJECT, ERROR) \
55         FUNC(MISSING_TREE, ERROR) \
56         FUNC(MISSING_TREE_OBJECT, ERROR) \
57         FUNC(MISSING_TYPE, ERROR) \
58         FUNC(MISSING_TYPE_ENTRY, ERROR) \
59         FUNC(MULTIPLE_AUTHORS, ERROR) \
60         FUNC(TAG_OBJECT_NOT_TAG, ERROR) \
61         FUNC(TREE_NOT_SORTED, ERROR) \
62         FUNC(UNKNOWN_TYPE, ERROR) \
63         FUNC(ZERO_PADDED_DATE, ERROR) \
64         FUNC(GITMODULES_MISSING, ERROR) \
65         FUNC(GITMODULES_BLOB, ERROR) \
66         FUNC(GITMODULES_PARSE, ERROR) \
67         FUNC(GITMODULES_NAME, ERROR) \
68         FUNC(GITMODULES_SYMLINK, ERROR) \
69         FUNC(GITMODULES_URL, ERROR) \
70         FUNC(GITMODULES_PATH, ERROR) \
71         FUNC(GITMODULES_UPDATE, ERROR) \
72         /* warnings */ \
73         FUNC(BAD_FILEMODE, WARN) \
74         FUNC(EMPTY_NAME, WARN) \
75         FUNC(FULL_PATHNAME, WARN) \
76         FUNC(HAS_DOT, WARN) \
77         FUNC(HAS_DOTDOT, WARN) \
78         FUNC(HAS_DOTGIT, WARN) \
79         FUNC(NULL_SHA1, WARN) \
80         FUNC(ZERO_PADDED_FILEMODE, WARN) \
81         FUNC(NUL_IN_COMMIT, WARN) \
82         /* infos (reported as warnings, but ignored by default) */ \
83         FUNC(BAD_TAG_NAME, INFO) \
84         FUNC(MISSING_TAGGER_ENTRY, INFO)
85
86 #define MSG_ID(id, msg_type) FSCK_MSG_##id,
87 enum fsck_msg_id {
88         FOREACH_MSG_ID(MSG_ID)
89         FSCK_MSG_MAX
90 };
91 #undef MSG_ID
92
93 #define STR(x) #x
94 #define MSG_ID(id, msg_type) { STR(id), NULL, FSCK_##msg_type },
95 static struct {
96         const char *id_string;
97         const char *downcased;
98         int msg_type;
99 } msg_id_info[FSCK_MSG_MAX + 1] = {
100         FOREACH_MSG_ID(MSG_ID)
101         { NULL, NULL, -1 }
102 };
103 #undef MSG_ID
104
105 static int parse_msg_id(const char *text)
106 {
107         int i;
108
109         if (!msg_id_info[0].downcased) {
110                 /* convert id_string to lower case, without underscores. */
111                 for (i = 0; i < FSCK_MSG_MAX; i++) {
112                         const char *p = msg_id_info[i].id_string;
113                         int len = strlen(p);
114                         char *q = xmalloc(len);
115
116                         msg_id_info[i].downcased = q;
117                         while (*p)
118                                 if (*p == '_')
119                                         p++;
120                                 else
121                                         *(q)++ = tolower(*(p)++);
122                         *q = '\0';
123                 }
124         }
125
126         for (i = 0; i < FSCK_MSG_MAX; i++)
127                 if (!strcmp(text, msg_id_info[i].downcased))
128                         return i;
129
130         return -1;
131 }
132
133 static int fsck_msg_type(enum fsck_msg_id msg_id,
134         struct fsck_options *options)
135 {
136         int msg_type;
137
138         assert(msg_id >= 0 && msg_id < FSCK_MSG_MAX);
139
140         if (options->msg_type)
141                 msg_type = options->msg_type[msg_id];
142         else {
143                 msg_type = msg_id_info[msg_id].msg_type;
144                 if (options->strict && msg_type == FSCK_WARN)
145                         msg_type = FSCK_ERROR;
146         }
147
148         return msg_type;
149 }
150
151 static void init_skiplist(struct fsck_options *options, const char *path)
152 {
153         static struct oid_array skiplist = OID_ARRAY_INIT;
154         int sorted, fd;
155         char buffer[GIT_MAX_HEXSZ + 1];
156         struct object_id oid;
157
158         if (options->skiplist)
159                 sorted = options->skiplist->sorted;
160         else {
161                 sorted = 1;
162                 options->skiplist = &skiplist;
163         }
164
165         fd = open(path, O_RDONLY);
166         if (fd < 0)
167                 die("Could not open skip list: %s", path);
168         for (;;) {
169                 const char *p;
170                 int result = read_in_full(fd, buffer, sizeof(buffer));
171                 if (result < 0)
172                         die_errno("Could not read '%s'", path);
173                 if (!result)
174                         break;
175                 if (parse_oid_hex(buffer, &oid, &p) || *p != '\n')
176                         die("Invalid SHA-1: %s", buffer);
177                 oid_array_append(&skiplist, &oid);
178                 if (sorted && skiplist.nr > 1 &&
179                                 oidcmp(&skiplist.oid[skiplist.nr - 2],
180                                        &oid) > 0)
181                         sorted = 0;
182         }
183         close(fd);
184
185         if (sorted)
186                 skiplist.sorted = 1;
187 }
188
189 static int parse_msg_type(const char *str)
190 {
191         if (!strcmp(str, "error"))
192                 return FSCK_ERROR;
193         else if (!strcmp(str, "warn"))
194                 return FSCK_WARN;
195         else if (!strcmp(str, "ignore"))
196                 return FSCK_IGNORE;
197         else
198                 die("Unknown fsck message type: '%s'", str);
199 }
200
201 int is_valid_msg_type(const char *msg_id, const char *msg_type)
202 {
203         if (parse_msg_id(msg_id) < 0)
204                 return 0;
205         parse_msg_type(msg_type);
206         return 1;
207 }
208
209 void fsck_set_msg_type(struct fsck_options *options,
210                 const char *msg_id, const char *msg_type)
211 {
212         int id = parse_msg_id(msg_id), type;
213
214         if (id < 0)
215                 die("Unhandled message id: %s", msg_id);
216         type = parse_msg_type(msg_type);
217
218         if (type != FSCK_ERROR && msg_id_info[id].msg_type == FSCK_FATAL)
219                 die("Cannot demote %s to %s", msg_id, msg_type);
220
221         if (!options->msg_type) {
222                 int i;
223                 int *msg_type;
224                 ALLOC_ARRAY(msg_type, FSCK_MSG_MAX);
225                 for (i = 0; i < FSCK_MSG_MAX; i++)
226                         msg_type[i] = fsck_msg_type(i, options);
227                 options->msg_type = msg_type;
228         }
229
230         options->msg_type[id] = type;
231 }
232
233 void fsck_set_msg_types(struct fsck_options *options, const char *values)
234 {
235         char *buf = xstrdup(values), *to_free = buf;
236         int done = 0;
237
238         while (!done) {
239                 int len = strcspn(buf, " ,|"), equal;
240
241                 done = !buf[len];
242                 if (!len) {
243                         buf++;
244                         continue;
245                 }
246                 buf[len] = '\0';
247
248                 for (equal = 0;
249                      equal < len && buf[equal] != '=' && buf[equal] != ':';
250                      equal++)
251                         buf[equal] = tolower(buf[equal]);
252                 buf[equal] = '\0';
253
254                 if (!strcmp(buf, "skiplist")) {
255                         if (equal == len)
256                                 die("skiplist requires a path");
257                         init_skiplist(options, buf + equal + 1);
258                         buf += len + 1;
259                         continue;
260                 }
261
262                 if (equal == len)
263                         die("Missing '=': '%s'", buf);
264
265                 fsck_set_msg_type(options, buf, buf + equal + 1);
266                 buf += len + 1;
267         }
268         free(to_free);
269 }
270
271 static void append_msg_id(struct strbuf *sb, const char *msg_id)
272 {
273         for (;;) {
274                 char c = *(msg_id)++;
275
276                 if (!c)
277                         break;
278                 if (c != '_')
279                         strbuf_addch(sb, tolower(c));
280                 else {
281                         assert(*msg_id);
282                         strbuf_addch(sb, *(msg_id)++);
283                 }
284         }
285
286         strbuf_addstr(sb, ": ");
287 }
288
289 __attribute__((format (printf, 4, 5)))
290 static int report(struct fsck_options *options, struct object *object,
291         enum fsck_msg_id id, const char *fmt, ...)
292 {
293         va_list ap;
294         struct strbuf sb = STRBUF_INIT;
295         int msg_type = fsck_msg_type(id, options), result;
296
297         if (msg_type == FSCK_IGNORE)
298                 return 0;
299
300         if (options->skiplist && object &&
301                         oid_array_lookup(options->skiplist, &object->oid) >= 0)
302                 return 0;
303
304         if (msg_type == FSCK_FATAL)
305                 msg_type = FSCK_ERROR;
306         else if (msg_type == FSCK_INFO)
307                 msg_type = FSCK_WARN;
308
309         append_msg_id(&sb, msg_id_info[id].id_string);
310
311         va_start(ap, fmt);
312         strbuf_vaddf(&sb, fmt, ap);
313         result = options->error_func(options, object, msg_type, sb.buf);
314         strbuf_release(&sb);
315         va_end(ap);
316
317         return result;
318 }
319
320 static char *get_object_name(struct fsck_options *options, struct object *obj)
321 {
322         if (!options->object_names)
323                 return NULL;
324         return lookup_decoration(options->object_names, obj);
325 }
326
327 static void put_object_name(struct fsck_options *options, struct object *obj,
328         const char *fmt, ...)
329 {
330         va_list ap;
331         struct strbuf buf = STRBUF_INIT;
332         char *existing;
333
334         if (!options->object_names)
335                 return;
336         existing = lookup_decoration(options->object_names, obj);
337         if (existing)
338                 return;
339         va_start(ap, fmt);
340         strbuf_vaddf(&buf, fmt, ap);
341         add_decoration(options->object_names, obj, strbuf_detach(&buf, NULL));
342         va_end(ap);
343 }
344
345 static const char *describe_object(struct fsck_options *o, struct object *obj)
346 {
347         static struct strbuf buf = STRBUF_INIT;
348         char *name;
349
350         strbuf_reset(&buf);
351         strbuf_addstr(&buf, oid_to_hex(&obj->oid));
352         if (o->object_names && (name = lookup_decoration(o->object_names, obj)))
353                 strbuf_addf(&buf, " (%s)", name);
354
355         return buf.buf;
356 }
357
358 static int fsck_walk_tree(struct tree *tree, void *data, struct fsck_options *options)
359 {
360         struct tree_desc desc;
361         struct name_entry entry;
362         int res = 0;
363         const char *name;
364
365         if (parse_tree(tree))
366                 return -1;
367
368         name = get_object_name(options, &tree->object);
369         if (init_tree_desc_gently(&desc, tree->buffer, tree->size))
370                 return -1;
371         while (tree_entry_gently(&desc, &entry)) {
372                 struct object *obj;
373                 int result;
374
375                 if (S_ISGITLINK(entry.mode))
376                         continue;
377
378                 if (S_ISDIR(entry.mode)) {
379                         obj = (struct object *)lookup_tree(entry.oid);
380                         if (name && obj)
381                                 put_object_name(options, obj, "%s%s/", name,
382                                         entry.path);
383                         result = options->walk(obj, OBJ_TREE, data, options);
384                 }
385                 else if (S_ISREG(entry.mode) || S_ISLNK(entry.mode)) {
386                         obj = (struct object *)lookup_blob(entry.oid);
387                         if (name && obj)
388                                 put_object_name(options, obj, "%s%s", name,
389                                         entry.path);
390                         result = options->walk(obj, OBJ_BLOB, data, options);
391                 }
392                 else {
393                         result = error("in tree %s: entry %s has bad mode %.6o",
394                                         describe_object(options, &tree->object), entry.path, entry.mode);
395                 }
396                 if (result < 0)
397                         return result;
398                 if (!res)
399                         res = result;
400         }
401         return res;
402 }
403
404 static int fsck_walk_commit(struct commit *commit, void *data, struct fsck_options *options)
405 {
406         int counter = 0, generation = 0, name_prefix_len = 0;
407         struct commit_list *parents;
408         int res;
409         int result;
410         const char *name;
411
412         if (parse_commit(commit))
413                 return -1;
414
415         name = get_object_name(options, &commit->object);
416         if (name)
417                 put_object_name(options, &commit->tree->object, "%s:", name);
418
419         result = options->walk((struct object *)commit->tree, OBJ_TREE, data, options);
420         if (result < 0)
421                 return result;
422         res = result;
423
424         parents = commit->parents;
425         if (name && parents) {
426                 int len = strlen(name), power;
427
428                 if (len && name[len - 1] == '^') {
429                         generation = 1;
430                         name_prefix_len = len - 1;
431                 }
432                 else { /* parse ~<generation> suffix */
433                         for (generation = 0, power = 1;
434                              len && isdigit(name[len - 1]);
435                              power *= 10)
436                                 generation += power * (name[--len] - '0');
437                         if (power > 1 && len && name[len - 1] == '~')
438                                 name_prefix_len = len - 1;
439                 }
440         }
441
442         while (parents) {
443                 if (name) {
444                         struct object *obj = &parents->item->object;
445
446                         if (++counter > 1)
447                                 put_object_name(options, obj, "%s^%d",
448                                         name, counter);
449                         else if (generation > 0)
450                                 put_object_name(options, obj, "%.*s~%d",
451                                         name_prefix_len, name, generation + 1);
452                         else
453                                 put_object_name(options, obj, "%s^", name);
454                 }
455                 result = options->walk((struct object *)parents->item, OBJ_COMMIT, data, options);
456                 if (result < 0)
457                         return result;
458                 if (!res)
459                         res = result;
460                 parents = parents->next;
461         }
462         return res;
463 }
464
465 static int fsck_walk_tag(struct tag *tag, void *data, struct fsck_options *options)
466 {
467         char *name = get_object_name(options, &tag->object);
468
469         if (parse_tag(tag))
470                 return -1;
471         if (name)
472                 put_object_name(options, tag->tagged, "%s", name);
473         return options->walk(tag->tagged, OBJ_ANY, data, options);
474 }
475
476 int fsck_walk(struct object *obj, void *data, struct fsck_options *options)
477 {
478         if (!obj)
479                 return -1;
480
481         if (obj->type == OBJ_NONE)
482                 parse_object(&obj->oid);
483
484         switch (obj->type) {
485         case OBJ_BLOB:
486                 return 0;
487         case OBJ_TREE:
488                 return fsck_walk_tree((struct tree *)obj, data, options);
489         case OBJ_COMMIT:
490                 return fsck_walk_commit((struct commit *)obj, data, options);
491         case OBJ_TAG:
492                 return fsck_walk_tag((struct tag *)obj, data, options);
493         default:
494                 error("Unknown object type for %s", describe_object(options, obj));
495                 return -1;
496         }
497 }
498
499 /*
500  * The entries in a tree are ordered in the _path_ order,
501  * which means that a directory entry is ordered by adding
502  * a slash to the end of it.
503  *
504  * So a directory called "a" is ordered _after_ a file
505  * called "a.c", because "a/" sorts after "a.c".
506  */
507 #define TREE_UNORDERED (-1)
508 #define TREE_HAS_DUPS  (-2)
509
510 static int verify_ordered(unsigned mode1, const char *name1, unsigned mode2, const char *name2)
511 {
512         int len1 = strlen(name1);
513         int len2 = strlen(name2);
514         int len = len1 < len2 ? len1 : len2;
515         unsigned char c1, c2;
516         int cmp;
517
518         cmp = memcmp(name1, name2, len);
519         if (cmp < 0)
520                 return 0;
521         if (cmp > 0)
522                 return TREE_UNORDERED;
523
524         /*
525          * Ok, the first <len> characters are the same.
526          * Now we need to order the next one, but turn
527          * a '\0' into a '/' for a directory entry.
528          */
529         c1 = name1[len];
530         c2 = name2[len];
531         if (!c1 && !c2)
532                 /*
533                  * git-write-tree used to write out a nonsense tree that has
534                  * entries with the same name, one blob and one tree.  Make
535                  * sure we do not have duplicate entries.
536                  */
537                 return TREE_HAS_DUPS;
538         if (!c1 && S_ISDIR(mode1))
539                 c1 = '/';
540         if (!c2 && S_ISDIR(mode2))
541                 c2 = '/';
542         return c1 < c2 ? 0 : TREE_UNORDERED;
543 }
544
545 static int fsck_tree(struct tree *item, struct fsck_options *options)
546 {
547         int retval = 0;
548         int has_null_sha1 = 0;
549         int has_full_path = 0;
550         int has_empty_name = 0;
551         int has_dot = 0;
552         int has_dotdot = 0;
553         int has_dotgit = 0;
554         int has_zero_pad = 0;
555         int has_bad_modes = 0;
556         int has_dup_entries = 0;
557         int not_properly_sorted = 0;
558         struct tree_desc desc;
559         unsigned o_mode;
560         const char *o_name;
561
562         if (init_tree_desc_gently(&desc, item->buffer, item->size)) {
563                 retval += report(options, &item->object, FSCK_MSG_BAD_TREE, "cannot be parsed as a tree");
564                 return retval;
565         }
566
567         o_mode = 0;
568         o_name = NULL;
569
570         while (desc.size) {
571                 unsigned mode;
572                 const char *name, *backslash;
573                 const struct object_id *oid;
574
575                 oid = tree_entry_extract(&desc, &name, &mode);
576
577                 has_null_sha1 |= is_null_oid(oid);
578                 has_full_path |= !!strchr(name, '/');
579                 has_empty_name |= !*name;
580                 has_dot |= !strcmp(name, ".");
581                 has_dotdot |= !strcmp(name, "..");
582                 has_dotgit |= is_hfs_dotgit(name) || is_ntfs_dotgit(name);
583                 has_zero_pad |= *(char *)desc.buffer == '0';
584
585                 if (is_hfs_dotgitmodules(name) || is_ntfs_dotgitmodules(name)) {
586                         if (!S_ISLNK(mode))
587                                 oidset_insert(&gitmodules_found, oid);
588                         else
589                                 retval += report(options, &item->object,
590                                                  FSCK_MSG_GITMODULES_SYMLINK,
591                                                  ".gitmodules is a symbolic link");
592                 }
593
594                 if ((backslash = strchr(name, '\\'))) {
595                         while (backslash) {
596                                 backslash++;
597                                 has_dotgit |= is_ntfs_dotgit(backslash);
598                                 if (is_ntfs_dotgitmodules(backslash)) {
599                                         if (!S_ISLNK(mode))
600                                                 oidset_insert(&gitmodules_found, oid);
601                                         else
602                                                 retval += report(options, &item->object,
603                                                                  FSCK_MSG_GITMODULES_SYMLINK,
604                                                                  ".gitmodules is a symbolic link");
605                                 }
606                                 backslash = strchr(backslash, '\\');
607                         }
608                 }
609
610                 if (update_tree_entry_gently(&desc)) {
611                         retval += report(options, &item->object, FSCK_MSG_BAD_TREE, "cannot be parsed as a tree");
612                         break;
613                 }
614
615                 switch (mode) {
616                 /*
617                  * Standard modes..
618                  */
619                 case S_IFREG | 0755:
620                 case S_IFREG | 0644:
621                 case S_IFLNK:
622                 case S_IFDIR:
623                 case S_IFGITLINK:
624                         break;
625                 /*
626                  * This is nonstandard, but we had a few of these
627                  * early on when we honored the full set of mode
628                  * bits..
629                  */
630                 case S_IFREG | 0664:
631                         if (!options->strict)
632                                 break;
633                         /* fallthrough */
634                 default:
635                         has_bad_modes = 1;
636                 }
637
638                 if (o_name) {
639                         switch (verify_ordered(o_mode, o_name, mode, name)) {
640                         case TREE_UNORDERED:
641                                 not_properly_sorted = 1;
642                                 break;
643                         case TREE_HAS_DUPS:
644                                 has_dup_entries = 1;
645                                 break;
646                         default:
647                                 break;
648                         }
649                 }
650
651                 o_mode = mode;
652                 o_name = name;
653         }
654
655         if (has_null_sha1)
656                 retval += report(options, &item->object, FSCK_MSG_NULL_SHA1, "contains entries pointing to null sha1");
657         if (has_full_path)
658                 retval += report(options, &item->object, FSCK_MSG_FULL_PATHNAME, "contains full pathnames");
659         if (has_empty_name)
660                 retval += report(options, &item->object, FSCK_MSG_EMPTY_NAME, "contains empty pathname");
661         if (has_dot)
662                 retval += report(options, &item->object, FSCK_MSG_HAS_DOT, "contains '.'");
663         if (has_dotdot)
664                 retval += report(options, &item->object, FSCK_MSG_HAS_DOTDOT, "contains '..'");
665         if (has_dotgit)
666                 retval += report(options, &item->object, FSCK_MSG_HAS_DOTGIT, "contains '.git'");
667         if (has_zero_pad)
668                 retval += report(options, &item->object, FSCK_MSG_ZERO_PADDED_FILEMODE, "contains zero-padded file modes");
669         if (has_bad_modes)
670                 retval += report(options, &item->object, FSCK_MSG_BAD_FILEMODE, "contains bad file modes");
671         if (has_dup_entries)
672                 retval += report(options, &item->object, FSCK_MSG_DUPLICATE_ENTRIES, "contains duplicate file entries");
673         if (not_properly_sorted)
674                 retval += report(options, &item->object, FSCK_MSG_TREE_NOT_SORTED, "not properly sorted");
675         return retval;
676 }
677
678 static int verify_headers(const void *data, unsigned long size,
679                           struct object *obj, struct fsck_options *options)
680 {
681         const char *buffer = (const char *)data;
682         unsigned long i;
683
684         for (i = 0; i < size; i++) {
685                 switch (buffer[i]) {
686                 case '\0':
687                         return report(options, obj,
688                                 FSCK_MSG_NUL_IN_HEADER,
689                                 "unterminated header: NUL at offset %ld", i);
690                 case '\n':
691                         if (i + 1 < size && buffer[i + 1] == '\n')
692                                 return 0;
693                 }
694         }
695
696         /*
697          * We did not find double-LF that separates the header
698          * and the body.  Not having a body is not a crime but
699          * we do want to see the terminating LF for the last header
700          * line.
701          */
702         if (size && buffer[size - 1] == '\n')
703                 return 0;
704
705         return report(options, obj,
706                 FSCK_MSG_UNTERMINATED_HEADER, "unterminated header");
707 }
708
709 static int fsck_ident(const char **ident, struct object *obj, struct fsck_options *options)
710 {
711         const char *p = *ident;
712         char *end;
713
714         *ident = strchrnul(*ident, '\n');
715         if (**ident == '\n')
716                 (*ident)++;
717
718         if (*p == '<')
719                 return report(options, obj, FSCK_MSG_MISSING_NAME_BEFORE_EMAIL, "invalid author/committer line - missing space before email");
720         p += strcspn(p, "<>\n");
721         if (*p == '>')
722                 return report(options, obj, FSCK_MSG_BAD_NAME, "invalid author/committer line - bad name");
723         if (*p != '<')
724                 return report(options, obj, FSCK_MSG_MISSING_EMAIL, "invalid author/committer line - missing email");
725         if (p[-1] != ' ')
726                 return report(options, obj, FSCK_MSG_MISSING_SPACE_BEFORE_EMAIL, "invalid author/committer line - missing space before email");
727         p++;
728         p += strcspn(p, "<>\n");
729         if (*p != '>')
730                 return report(options, obj, FSCK_MSG_BAD_EMAIL, "invalid author/committer line - bad email");
731         p++;
732         if (*p != ' ')
733                 return report(options, obj, FSCK_MSG_MISSING_SPACE_BEFORE_DATE, "invalid author/committer line - missing space before date");
734         p++;
735         if (*p == '0' && p[1] != ' ')
736                 return report(options, obj, FSCK_MSG_ZERO_PADDED_DATE, "invalid author/committer line - zero-padded date");
737         if (date_overflows(parse_timestamp(p, &end, 10)))
738                 return report(options, obj, FSCK_MSG_BAD_DATE_OVERFLOW, "invalid author/committer line - date causes integer overflow");
739         if ((end == p || *end != ' '))
740                 return report(options, obj, FSCK_MSG_BAD_DATE, "invalid author/committer line - bad date");
741         p = end + 1;
742         if ((*p != '+' && *p != '-') ||
743             !isdigit(p[1]) ||
744             !isdigit(p[2]) ||
745             !isdigit(p[3]) ||
746             !isdigit(p[4]) ||
747             (p[5] != '\n'))
748                 return report(options, obj, FSCK_MSG_BAD_TIMEZONE, "invalid author/committer line - bad time zone");
749         p += 6;
750         return 0;
751 }
752
753 static int fsck_commit_buffer(struct commit *commit, const char *buffer,
754         unsigned long size, struct fsck_options *options)
755 {
756         unsigned char tree_sha1[20], sha1[20];
757         struct commit_graft *graft;
758         unsigned parent_count, parent_line_count = 0, author_count;
759         int err;
760         const char *buffer_begin = buffer;
761
762         if (verify_headers(buffer, size, &commit->object, options))
763                 return -1;
764
765         if (!skip_prefix(buffer, "tree ", &buffer))
766                 return report(options, &commit->object, FSCK_MSG_MISSING_TREE, "invalid format - expected 'tree' line");
767         if (get_sha1_hex(buffer, tree_sha1) || buffer[40] != '\n') {
768                 err = report(options, &commit->object, FSCK_MSG_BAD_TREE_SHA1, "invalid 'tree' line format - bad sha1");
769                 if (err)
770                         return err;
771         }
772         buffer += 41;
773         while (skip_prefix(buffer, "parent ", &buffer)) {
774                 if (get_sha1_hex(buffer, sha1) || buffer[40] != '\n') {
775                         err = report(options, &commit->object, FSCK_MSG_BAD_PARENT_SHA1, "invalid 'parent' line format - bad sha1");
776                         if (err)
777                                 return err;
778                 }
779                 buffer += 41;
780                 parent_line_count++;
781         }
782         graft = lookup_commit_graft(&commit->object.oid);
783         parent_count = commit_list_count(commit->parents);
784         if (graft) {
785                 if (graft->nr_parent == -1 && !parent_count)
786                         ; /* shallow commit */
787                 else if (graft->nr_parent != parent_count) {
788                         err = report(options, &commit->object, FSCK_MSG_MISSING_GRAFT, "graft objects missing");
789                         if (err)
790                                 return err;
791                 }
792         } else {
793                 if (parent_count != parent_line_count) {
794                         err = report(options, &commit->object, FSCK_MSG_MISSING_PARENT, "parent objects missing");
795                         if (err)
796                                 return err;
797                 }
798         }
799         author_count = 0;
800         while (skip_prefix(buffer, "author ", &buffer)) {
801                 author_count++;
802                 err = fsck_ident(&buffer, &commit->object, options);
803                 if (err)
804                         return err;
805         }
806         if (author_count < 1)
807                 err = report(options, &commit->object, FSCK_MSG_MISSING_AUTHOR, "invalid format - expected 'author' line");
808         else if (author_count > 1)
809                 err = report(options, &commit->object, FSCK_MSG_MULTIPLE_AUTHORS, "invalid format - multiple 'author' lines");
810         if (err)
811                 return err;
812         if (!skip_prefix(buffer, "committer ", &buffer))
813                 return report(options, &commit->object, FSCK_MSG_MISSING_COMMITTER, "invalid format - expected 'committer' line");
814         err = fsck_ident(&buffer, &commit->object, options);
815         if (err)
816                 return err;
817         if (!commit->tree) {
818                 err = report(options, &commit->object, FSCK_MSG_BAD_TREE, "could not load commit's tree %s", sha1_to_hex(tree_sha1));
819                 if (err)
820                         return err;
821         }
822         if (memchr(buffer_begin, '\0', size)) {
823                 err = report(options, &commit->object, FSCK_MSG_NUL_IN_COMMIT,
824                              "NUL byte in the commit object body");
825                 if (err)
826                         return err;
827         }
828         return 0;
829 }
830
831 static int fsck_commit(struct commit *commit, const char *data,
832         unsigned long size, struct fsck_options *options)
833 {
834         const char *buffer = data ?  data : get_commit_buffer(commit, &size);
835         int ret = fsck_commit_buffer(commit, buffer, size, options);
836         if (!data)
837                 unuse_commit_buffer(commit, buffer);
838         return ret;
839 }
840
841 static int fsck_tag_buffer(struct tag *tag, const char *data,
842         unsigned long size, struct fsck_options *options)
843 {
844         unsigned char sha1[20];
845         int ret = 0;
846         const char *buffer;
847         char *to_free = NULL, *eol;
848         struct strbuf sb = STRBUF_INIT;
849
850         if (data)
851                 buffer = data;
852         else {
853                 enum object_type type;
854
855                 buffer = to_free =
856                         read_sha1_file(tag->object.oid.hash, &type, &size);
857                 if (!buffer)
858                         return report(options, &tag->object,
859                                 FSCK_MSG_MISSING_TAG_OBJECT,
860                                 "cannot read tag object");
861
862                 if (type != OBJ_TAG) {
863                         ret = report(options, &tag->object,
864                                 FSCK_MSG_TAG_OBJECT_NOT_TAG,
865                                 "expected tag got %s",
866                             type_name(type));
867                         goto done;
868                 }
869         }
870
871         ret = verify_headers(buffer, size, &tag->object, options);
872         if (ret)
873                 goto done;
874
875         if (!skip_prefix(buffer, "object ", &buffer)) {
876                 ret = report(options, &tag->object, FSCK_MSG_MISSING_OBJECT, "invalid format - expected 'object' line");
877                 goto done;
878         }
879         if (get_sha1_hex(buffer, sha1) || buffer[40] != '\n') {
880                 ret = report(options, &tag->object, FSCK_MSG_BAD_OBJECT_SHA1, "invalid 'object' line format - bad sha1");
881                 if (ret)
882                         goto done;
883         }
884         buffer += 41;
885
886         if (!skip_prefix(buffer, "type ", &buffer)) {
887                 ret = report(options, &tag->object, FSCK_MSG_MISSING_TYPE_ENTRY, "invalid format - expected 'type' line");
888                 goto done;
889         }
890         eol = strchr(buffer, '\n');
891         if (!eol) {
892                 ret = report(options, &tag->object, FSCK_MSG_MISSING_TYPE, "invalid format - unexpected end after 'type' line");
893                 goto done;
894         }
895         if (type_from_string_gently(buffer, eol - buffer, 1) < 0)
896                 ret = report(options, &tag->object, FSCK_MSG_BAD_TYPE, "invalid 'type' value");
897         if (ret)
898                 goto done;
899         buffer = eol + 1;
900
901         if (!skip_prefix(buffer, "tag ", &buffer)) {
902                 ret = report(options, &tag->object, FSCK_MSG_MISSING_TAG_ENTRY, "invalid format - expected 'tag' line");
903                 goto done;
904         }
905         eol = strchr(buffer, '\n');
906         if (!eol) {
907                 ret = report(options, &tag->object, FSCK_MSG_MISSING_TAG, "invalid format - unexpected end after 'type' line");
908                 goto done;
909         }
910         strbuf_addf(&sb, "refs/tags/%.*s", (int)(eol - buffer), buffer);
911         if (check_refname_format(sb.buf, 0)) {
912                 ret = report(options, &tag->object, FSCK_MSG_BAD_TAG_NAME,
913                            "invalid 'tag' name: %.*s",
914                            (int)(eol - buffer), buffer);
915                 if (ret)
916                         goto done;
917         }
918         buffer = eol + 1;
919
920         if (!skip_prefix(buffer, "tagger ", &buffer)) {
921                 /* early tags do not contain 'tagger' lines; warn only */
922                 ret = report(options, &tag->object, FSCK_MSG_MISSING_TAGGER_ENTRY, "invalid format - expected 'tagger' line");
923                 if (ret)
924                         goto done;
925         }
926         else
927                 ret = fsck_ident(&buffer, &tag->object, options);
928
929 done:
930         strbuf_release(&sb);
931         free(to_free);
932         return ret;
933 }
934
935 static int fsck_tag(struct tag *tag, const char *data,
936         unsigned long size, struct fsck_options *options)
937 {
938         struct object *tagged = tag->tagged;
939
940         if (!tagged)
941                 return report(options, &tag->object, FSCK_MSG_BAD_TAG_OBJECT, "could not load tagged object");
942
943         return fsck_tag_buffer(tag, data, size, options);
944 }
945
946 /*
947  * Like builtin/submodule--helper.c's starts_with_dot_slash, but without
948  * relying on the platform-dependent is_dir_sep helper.
949  *
950  * This is for use in checking whether a submodule URL is interpreted as
951  * relative to the current directory on any platform, since \ is a
952  * directory separator on Windows but not on other platforms.
953  */
954 static int starts_with_dot_slash(const char *str)
955 {
956         return str[0] == '.' && (str[1] == '/' || str[1] == '\\');
957 }
958
959 /*
960  * Like starts_with_dot_slash, this is a variant of submodule--helper's
961  * helper of the same name with the twist that it accepts backslash as a
962  * directory separator even on non-Windows platforms.
963  */
964 static int starts_with_dot_dot_slash(const char *str)
965 {
966         return str[0] == '.' && starts_with_dot_slash(str + 1);
967 }
968
969 static int submodule_url_is_relative(const char *url)
970 {
971         return starts_with_dot_slash(url) || starts_with_dot_dot_slash(url);
972 }
973
974 /*
975  * Count directory components that a relative submodule URL should chop
976  * from the remote_url it is to be resolved against.
977  *
978  * In other words, this counts "../" components at the start of a
979  * submodule URL.
980  *
981  * Returns the number of directory components to chop and writes a
982  * pointer to the next character of url after all leading "./" and
983  * "../" components to out.
984  */
985 static int count_leading_dotdots(const char *url, const char **out)
986 {
987         int result = 0;
988         while (1) {
989                 if (starts_with_dot_dot_slash(url)) {
990                         result++;
991                         url += strlen("../");
992                         continue;
993                 }
994                 if (starts_with_dot_slash(url)) {
995                         url += strlen("./");
996                         continue;
997                 }
998                 *out = url;
999                 return result;
1000         }
1001 }
1002 /*
1003  * Check whether a transport is implemented by git-remote-curl.
1004  *
1005  * If it is, returns 1 and writes the URL that would be passed to
1006  * git-remote-curl to the "out" parameter.
1007  *
1008  * Otherwise, returns 0 and leaves "out" untouched.
1009  *
1010  * Examples:
1011  *   http::https://example.com/repo.git -> 1, https://example.com/repo.git
1012  *   https://example.com/repo.git -> 1, https://example.com/repo.git
1013  *   git://example.com/repo.git -> 0
1014  *
1015  * This is for use in checking for previously exploitable bugs that
1016  * required a submodule URL to be passed to git-remote-curl.
1017  */
1018 static int url_to_curl_url(const char *url, const char **out)
1019 {
1020         /*
1021          * We don't need to check for case-aliases, "http.exe", and so
1022          * on because in the default configuration, is_transport_allowed
1023          * prevents URLs with those schemes from being cloned
1024          * automatically.
1025          */
1026         if (skip_prefix(url, "http::", out) ||
1027             skip_prefix(url, "https::", out) ||
1028             skip_prefix(url, "ftp::", out) ||
1029             skip_prefix(url, "ftps::", out))
1030                 return 1;
1031         if (starts_with(url, "http://") ||
1032             starts_with(url, "https://") ||
1033             starts_with(url, "ftp://") ||
1034             starts_with(url, "ftps://")) {
1035                 *out = url;
1036                 return 1;
1037         }
1038         return 0;
1039 }
1040
1041 static int check_submodule_url(const char *url)
1042 {
1043         const char *curl_url;
1044
1045         if (looks_like_command_line_option(url))
1046                 return -1;
1047
1048         if (submodule_url_is_relative(url)) {
1049                 char *decoded;
1050                 const char *next;
1051                 int has_nl;
1052
1053                 /*
1054                  * This could be appended to an http URL and url-decoded;
1055                  * check for malicious characters.
1056                  */
1057                 decoded = url_decode(url);
1058                 has_nl = !!strchr(decoded, '\n');
1059
1060                 free(decoded);
1061                 if (has_nl)
1062                         return -1;
1063
1064                 /*
1065                  * URLs which escape their root via "../" can overwrite
1066                  * the host field and previous components, resolving to
1067                  * URLs like https::example.com/submodule.git and
1068                  * https:///example.com/submodule.git that were
1069                  * susceptible to CVE-2020-11008.
1070                  */
1071                 if (count_leading_dotdots(url, &next) > 0 &&
1072                     (*next == ':' || *next == '/'))
1073                         return -1;
1074         }
1075
1076         else if (url_to_curl_url(url, &curl_url)) {
1077                 struct credential c = CREDENTIAL_INIT;
1078                 int ret = 0;
1079                 if (credential_from_url_gently(&c, curl_url, 1) ||
1080                     !*c.host)
1081                         ret = -1;
1082                 credential_clear(&c);
1083                 return ret;
1084         }
1085
1086         return 0;
1087 }
1088
1089 struct fsck_gitmodules_data {
1090         struct object *obj;
1091         struct fsck_options *options;
1092         int ret;
1093 };
1094
1095 static int fsck_gitmodules_fn(const char *var, const char *value, void *vdata)
1096 {
1097         struct fsck_gitmodules_data *data = vdata;
1098         const char *subsection, *key;
1099         int subsection_len;
1100         char *name;
1101
1102         if (parse_config_key(var, "submodule", &subsection, &subsection_len, &key) < 0 ||
1103             !subsection)
1104                 return 0;
1105
1106         name = xmemdupz(subsection, subsection_len);
1107         if (check_submodule_name(name) < 0)
1108                 data->ret |= report(data->options, data->obj,
1109                                     FSCK_MSG_GITMODULES_NAME,
1110                                     "disallowed submodule name: %s",
1111                                     name);
1112         if (!strcmp(key, "url") && value &&
1113             check_submodule_url(value) < 0)
1114                 data->ret |= report(data->options, data->obj,
1115                                     FSCK_MSG_GITMODULES_URL,
1116                                     "disallowed submodule url: %s",
1117                                     value);
1118         if (!strcmp(key, "path") && value &&
1119             looks_like_command_line_option(value))
1120                 data->ret |= report(data->options, data->obj,
1121                                     FSCK_MSG_GITMODULES_PATH,
1122                                     "disallowed submodule path: %s",
1123                                     value);
1124         if (!strcmp(key, "update") && value &&
1125             parse_submodule_update_type(value) == SM_UPDATE_COMMAND)
1126                 data->ret |= report(data->options, data->obj,
1127                                     FSCK_MSG_GITMODULES_UPDATE,
1128                                     "disallowed submodule update setting: %s",
1129                                     value);
1130         free(name);
1131
1132         return 0;
1133 }
1134
1135 static int fsck_blob(struct blob *blob, const char *buf,
1136                      unsigned long size, struct fsck_options *options)
1137 {
1138         struct fsck_gitmodules_data data;
1139
1140         if (!oidset_contains(&gitmodules_found, &blob->object.oid))
1141                 return 0;
1142         oidset_insert(&gitmodules_done, &blob->object.oid);
1143
1144         if (!buf) {
1145                 /*
1146                  * A missing buffer here is a sign that the caller found the
1147                  * blob too gigantic to load into memory. Let's just consider
1148                  * that an error.
1149                  */
1150                 return report(options, &blob->object,
1151                               FSCK_MSG_GITMODULES_PARSE,
1152                               ".gitmodules too large to parse");
1153         }
1154
1155         data.obj = &blob->object;
1156         data.options = options;
1157         data.ret = 0;
1158         if (git_config_from_mem(fsck_gitmodules_fn, CONFIG_ORIGIN_BLOB,
1159                                 ".gitmodules", buf, size, &data))
1160                 data.ret |= report(options, &blob->object,
1161                                    FSCK_MSG_GITMODULES_PARSE,
1162                                    "could not parse gitmodules blob");
1163
1164         return data.ret;
1165 }
1166
1167 int fsck_object(struct object *obj, void *data, unsigned long size,
1168         struct fsck_options *options)
1169 {
1170         if (!obj)
1171                 return report(options, obj, FSCK_MSG_BAD_OBJECT_SHA1, "no valid object to fsck");
1172
1173         if (obj->type == OBJ_BLOB)
1174                 return fsck_blob((struct blob *)obj, data, size, options);
1175         if (obj->type == OBJ_TREE)
1176                 return fsck_tree((struct tree *) obj, options);
1177         if (obj->type == OBJ_COMMIT)
1178                 return fsck_commit((struct commit *) obj, (const char *) data,
1179                         size, options);
1180         if (obj->type == OBJ_TAG)
1181                 return fsck_tag((struct tag *) obj, (const char *) data,
1182                         size, options);
1183
1184         return report(options, obj, FSCK_MSG_UNKNOWN_TYPE, "unknown type '%d' (internal fsck error)",
1185                           obj->type);
1186 }
1187
1188 int fsck_error_function(struct fsck_options *o,
1189         struct object *obj, int msg_type, const char *message)
1190 {
1191         if (msg_type == FSCK_WARN) {
1192                 warning("object %s: %s", describe_object(o, obj), message);
1193                 return 0;
1194         }
1195         error("object %s: %s", describe_object(o, obj), message);
1196         return 1;
1197 }
1198
1199 int fsck_finish(struct fsck_options *options)
1200 {
1201         int ret = 0;
1202         struct oidset_iter iter;
1203         const struct object_id *oid;
1204
1205         oidset_iter_init(&gitmodules_found, &iter);
1206         while ((oid = oidset_iter_next(&iter))) {
1207                 struct blob *blob;
1208                 enum object_type type;
1209                 unsigned long size;
1210                 char *buf;
1211
1212                 if (oidset_contains(&gitmodules_done, oid))
1213                         continue;
1214
1215                 blob = lookup_blob(oid);
1216                 if (!blob) {
1217                         ret |= report(options, &blob->object,
1218                                       FSCK_MSG_GITMODULES_BLOB,
1219                                       "non-blob found at .gitmodules");
1220                         continue;
1221                 }
1222
1223                 buf = read_sha1_file(oid->hash, &type, &size);
1224                 if (!buf) {
1225                         if (is_promisor_object(&blob->object.oid))
1226                                 continue;
1227                         ret |= report(options, &blob->object,
1228                                       FSCK_MSG_GITMODULES_MISSING,
1229                                       "unable to read .gitmodules blob");
1230                         continue;
1231                 }
1232
1233                 if (type == OBJ_BLOB)
1234                         ret |= fsck_blob(blob, buf, size, options);
1235                 else
1236                         ret |= report(options, &blob->object,
1237                                       FSCK_MSG_GITMODULES_BLOB,
1238                                       "non-blob found at .gitmodules");
1239                 free(buf);
1240         }
1241
1242
1243         oidset_clear(&gitmodules_found);
1244         oidset_clear(&gitmodules_done);
1245         return ret;
1246 }