Browse Source

Merge branch 'nd/worktree-name-sanitization'

In recent versions of Git, per-worktree refs are exposed in
refs/worktrees/<wtname>/ hierarchy, which means that worktree names
must be a valid refname component.  The code now sanitizes the names
given to worktrees, to make sure these refs are well-formed.

* nd/worktree-name-sanitization:
  worktree add: sanitize worktree names
maint
Junio C Hamano 6 years ago
parent
commit
0d107b1989
  1. 10
      builtin/worktree.c
  2. 110
      refs.c
  3. 6
      refs.h
  4. 5
      t/t2400-worktree-add.sh

10
builtin/worktree.c

@ -275,6 +275,7 @@ static int add_worktree(const char *path, const char *refname,
struct strbuf symref = STRBUF_INIT; struct strbuf symref = STRBUF_INIT;
struct commit *commit = NULL; struct commit *commit = NULL;
int is_branch = 0; int is_branch = 0;
struct strbuf sb_name = STRBUF_INIT;


validate_worktree_add(path, opts); validate_worktree_add(path, opts);


@ -290,7 +291,13 @@ static int add_worktree(const char *path, const char *refname,
die(_("invalid reference: %s"), refname); die(_("invalid reference: %s"), refname);


name = worktree_basename(path, &len); name = worktree_basename(path, &len);
git_path_buf(&sb_repo, "worktrees/%.*s", (int)(path + len - name), name); strbuf_add(&sb, name, path + len - name);
sanitize_refname_component(sb.buf, &sb_name);
if (!sb_name.len)
BUG("How come '%s' becomes empty after sanitization?", sb.buf);
strbuf_reset(&sb);
name = sb_name.buf;
git_path_buf(&sb_repo, "worktrees/%s", name);
len = sb_repo.len; len = sb_repo.len;
if (safe_create_leading_directories_const(sb_repo.buf)) if (safe_create_leading_directories_const(sb_repo.buf))
die_errno(_("could not create leading directories of '%s'"), die_errno(_("could not create leading directories of '%s'"),
@ -418,6 +425,7 @@ done:
strbuf_release(&symref); strbuf_release(&symref);
strbuf_release(&sb_repo); strbuf_release(&sb_repo);
strbuf_release(&sb_git); strbuf_release(&sb_git);
strbuf_release(&sb_name);
return ret; return ret;
} }



110
refs.c

@ -63,7 +63,7 @@ static unsigned char refname_disposition[256] = {
* not legal. It is legal if it is something reasonable to have under * not legal. It is legal if it is something reasonable to have under
* ".git/refs/"; We do not like it if: * ".git/refs/"; We do not like it if:
* *
* - any path component of it begins with ".", or * - it begins with ".", or
* - it has double dots "..", or * - it has double dots "..", or
* - it has ASCII control characters, or * - it has ASCII control characters, or
* - it has ":", "?", "[", "\", "^", "~", SP, or TAB anywhere, or * - it has ":", "?", "[", "\", "^", "~", SP, or TAB anywhere, or
@ -71,31 +71,63 @@ static unsigned char refname_disposition[256] = {
* - it ends with a "/", or * - it ends with a "/", or
* - it ends with ".lock", or * - it ends with ".lock", or
* - it contains a "@{" portion * - it contains a "@{" portion
*
* When sanitized is not NULL, instead of rejecting the input refname
* as an error, try to come up with a usable replacement for the input
* refname in it.
*/ */
static int check_refname_component(const char *refname, int *flags) static int check_refname_component(const char *refname, int *flags,
struct strbuf *sanitized)
{ {
const char *cp; const char *cp;
char last = '\0'; char last = '\0';
size_t component_start = 0; /* garbage - not a reasonable initial value */

if (sanitized)
component_start = sanitized->len;


for (cp = refname; ; cp++) { for (cp = refname; ; cp++) {
int ch = *cp & 255; int ch = *cp & 255;
unsigned char disp = refname_disposition[ch]; unsigned char disp = refname_disposition[ch];

if (sanitized && disp != 1)
strbuf_addch(sanitized, ch);

switch (disp) { switch (disp) {
case 1: case 1:
goto out; goto out;
case 2: case 2:
if (last == '.') if (last == '.') { /* Refname contains "..". */
return -1; /* Refname contains "..". */ if (sanitized)
/* collapse ".." to single "." */
strbuf_setlen(sanitized, sanitized->len - 1);
else
return -1;
}
break; break;
case 3: case 3:
if (last == '@') if (last == '@') { /* Refname contains "@{". */
return -1; /* Refname contains "@{". */ if (sanitized)
sanitized->buf[sanitized->len-1] = '-';
else
return -1;
}
break; break;
case 4: case 4:
return -1; /* forbidden char */
if (sanitized)
sanitized->buf[sanitized->len-1] = '-';
else
return -1;
break;
case 5: case 5:
if (!(*flags & REFNAME_REFSPEC_PATTERN)) if (!(*flags & REFNAME_REFSPEC_PATTERN)) {
return -1; /* refspec can't be a pattern */ /* refspec can't be a pattern */
if (sanitized)
sanitized->buf[sanitized->len-1] = '-';
else
return -1;
}


/* /*
* Unset the pattern flag so that we only accept * Unset the pattern flag so that we only accept
@ -109,26 +141,48 @@ static int check_refname_component(const char *refname, int *flags)
out: out:
if (cp == refname) if (cp == refname)
return 0; /* Component has zero length. */ return 0; /* Component has zero length. */
if (refname[0] == '.')
return -1; /* Component starts with '.'. */ if (refname[0] == '.') { /* Component starts with '.'. */
if (sanitized)
sanitized->buf[component_start] = '-';
else
return -1;
}
if (cp - refname >= LOCK_SUFFIX_LEN && if (cp - refname >= LOCK_SUFFIX_LEN &&
!memcmp(cp - LOCK_SUFFIX_LEN, LOCK_SUFFIX, LOCK_SUFFIX_LEN)) !memcmp(cp - LOCK_SUFFIX_LEN, LOCK_SUFFIX, LOCK_SUFFIX_LEN)) {
return -1; /* Refname ends with ".lock". */ if (!sanitized)
return -1;
/* Refname ends with ".lock". */
while (strbuf_strip_suffix(sanitized, LOCK_SUFFIX)) {
/* try again in case we have .lock.lock */
}
}
return cp - refname; return cp - refname;
} }


int check_refname_format(const char *refname, int flags) static int check_or_sanitize_refname(const char *refname, int flags,
struct strbuf *sanitized)
{ {
int component_len, component_count = 0; int component_len, component_count = 0;


if (!strcmp(refname, "@")) if (!strcmp(refname, "@")) {
/* Refname is a single character '@'. */ /* Refname is a single character '@'. */
return -1; if (sanitized)
strbuf_addch(sanitized, '-');
else
return -1;
}


while (1) { while (1) {
if (sanitized && sanitized->len)
strbuf_complete(sanitized, '/');

/* We are at the start of a path component. */ /* We are at the start of a path component. */
component_len = check_refname_component(refname, &flags); component_len = check_refname_component(refname, &flags,
if (component_len <= 0) sanitized);
if (sanitized && component_len == 0)
; /* OK, omit empty component */
else if (component_len <= 0)
return -1; return -1;


component_count++; component_count++;
@ -138,13 +192,29 @@ int check_refname_format(const char *refname, int flags)
refname += component_len + 1; refname += component_len + 1;
} }


if (refname[component_len - 1] == '.') if (refname[component_len - 1] == '.') {
return -1; /* Refname ends with '.'. */ /* Refname ends with '.'. */
if (sanitized)
; /* omit ending dot */
else
return -1;
}
if (!(flags & REFNAME_ALLOW_ONELEVEL) && component_count < 2) if (!(flags & REFNAME_ALLOW_ONELEVEL) && component_count < 2)
return -1; /* Refname has only one component. */ return -1; /* Refname has only one component. */
return 0; return 0;
} }


int check_refname_format(const char *refname, int flags)
{
return check_or_sanitize_refname(refname, flags, NULL);
}

void sanitize_refname_component(const char *refname, struct strbuf *out)
{
if (check_or_sanitize_refname(refname, REFNAME_ALLOW_ONELEVEL, out))
BUG("sanitizing refname '%s' check returned error", refname);
}

int refname_is_safe(const char *refname) int refname_is_safe(const char *refname)
{ {
const char *rest; const char *rest;

6
refs.h

@ -463,6 +463,12 @@ int for_each_reflog(each_ref_fn fn, void *cb_data);
*/ */
int check_refname_format(const char *refname, int flags); int check_refname_format(const char *refname, int flags);


/*
* Apply the rules from check_refname_format, but mutate the result until it
* is acceptable, and place the result in "out".
*/
void sanitize_refname_component(const char *refname, struct strbuf *out);

const char *prettify_refname(const char *refname); const char *prettify_refname(const char *refname);


char *refs_shorten_unambiguous_ref(struct ref_store *refs, char *refs_shorten_unambiguous_ref(struct ref_store *refs,

5
t/t2400-worktree-add.sh

@ -570,4 +570,9 @@ test_expect_success '"add" an existing locked but missing worktree' '
git worktree add --force --force --detach gnoo git worktree add --force --force --detach gnoo
' '


test_expect_success FUNNYNAMES 'sanitize generated worktree name' '
git worktree add --detach ". weird*..?.lock.lock" &&
test -d .git/worktrees/---weird-.-
'

test_done test_done

Loading…
Cancel
Save