search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
credential: optionally allow partial URLs in credential_from_url_gently()
[git/debian.git] / fsck.c
blob31b5be05f54ac7a68fd8b477e762d9578fc5eecb
1 #include "cache.h"
2 #include "object.h"
3 #include "blob.h"
4 #include "tree.h"
5 #include "tree-walk.h"
6 #include "commit.h"
7 #include "tag.h"
8 #include "fsck.h"
9 #include "refs.h"
10 #include "url.h"
11 #include "utf8.h"
12 #include "sha1-array.h"
13 #include "decorate.h"
14 #include "oidset.h"
15 #include "packfile.h"
16 #include "submodule-config.h"
17 #include "config.h"
18 #include "credential.h"
19
20 static struct oidset gitmodules_found = OIDSET_INIT;
21 static struct oidset gitmodules_done = OIDSET_INIT;
22
23 #define FSCK_FATAL -1
24 #define FSCK_INFO -2
25
26 #define FOREACH_MSG_ID(FUNC) \
27 /* fatal errors */ \
28 FUNC(NUL_IN_HEADER, FATAL) \
29 FUNC(UNTERMINATED_HEADER, FATAL) \
30 /* errors */ \
31 FUNC(BAD_DATE, ERROR) \
32 FUNC(BAD_DATE_OVERFLOW, ERROR) \
33 FUNC(BAD_EMAIL, ERROR) \
34 FUNC(BAD_NAME, ERROR) \
35 FUNC(BAD_OBJECT_SHA1, ERROR) \
36 FUNC(BAD_PARENT_SHA1, ERROR) \
37 FUNC(BAD_TAG_OBJECT, ERROR) \
38 FUNC(BAD_TIMEZONE, ERROR) \
39 FUNC(BAD_TREE, ERROR) \
40 FUNC(BAD_TREE_SHA1, ERROR) \
41 FUNC(BAD_TYPE, ERROR) \
42 FUNC(DUPLICATE_ENTRIES, ERROR) \
43 FUNC(MISSING_AUTHOR, ERROR) \
44 FUNC(MISSING_COMMITTER, ERROR) \
45 FUNC(MISSING_EMAIL, ERROR) \
46 FUNC(MISSING_GRAFT, ERROR) \
47 FUNC(MISSING_NAME_BEFORE_EMAIL, ERROR) \
48 FUNC(MISSING_OBJECT, ERROR) \
49 FUNC(MISSING_PARENT, ERROR) \
50 FUNC(MISSING_SPACE_BEFORE_DATE, ERROR) \
51 FUNC(MISSING_SPACE_BEFORE_EMAIL, ERROR) \
52 FUNC(MISSING_TAG, ERROR) \
53 FUNC(MISSING_TAG_ENTRY, ERROR) \
54 FUNC(MISSING_TAG_OBJECT, ERROR) \
55 FUNC(MISSING_TREE, ERROR) \
56 FUNC(MISSING_TREE_OBJECT, ERROR) \
57 FUNC(MISSING_TYPE, ERROR) \
58 FUNC(MISSING_TYPE_ENTRY, ERROR) \
59 FUNC(MULTIPLE_AUTHORS, ERROR) \
60 FUNC(TAG_OBJECT_NOT_TAG, ERROR) \
61 FUNC(TREE_NOT_SORTED, ERROR) \
62 FUNC(UNKNOWN_TYPE, ERROR) \
63 FUNC(ZERO_PADDED_DATE, ERROR) \
64 FUNC(GITMODULES_MISSING, ERROR) \
65 FUNC(GITMODULES_BLOB, ERROR) \
66 FUNC(GITMODULES_PARSE, ERROR) \
67 FUNC(GITMODULES_NAME, ERROR) \
68 FUNC(GITMODULES_SYMLINK, ERROR) \
69 FUNC(GITMODULES_URL, ERROR) \
70 FUNC(GITMODULES_PATH, ERROR) \
71 FUNC(GITMODULES_UPDATE, ERROR) \
72 /* warnings */ \
73 FUNC(BAD_FILEMODE, WARN) \
74 FUNC(EMPTY_NAME, WARN) \
75 FUNC(FULL_PATHNAME, WARN) \
76 FUNC(HAS_DOT, WARN) \
77 FUNC(HAS_DOTDOT, WARN) \
78 FUNC(HAS_DOTGIT, WARN) \
79 FUNC(NULL_SHA1, WARN) \
80 FUNC(ZERO_PADDED_FILEMODE, WARN) \
81 FUNC(NUL_IN_COMMIT, WARN) \
82 /* infos (reported as warnings, but ignored by default) */ \
83 FUNC(BAD_TAG_NAME, INFO) \
84 FUNC(MISSING_TAGGER_ENTRY, INFO)
85
86 #define MSG_ID(id, msg_type) FSCK_MSG_##id,
87 enum fsck_msg_id {
88 FOREACH_MSG_ID(MSG_ID)
89 FSCK_MSG_MAX
90 };
91 #undef MSG_ID
92
93 #define STR(x) #x
94 #define MSG_ID(id, msg_type) { STR(id), NULL, FSCK_##msg_type },
95 static struct {
96 const char *id_string;
97 const char *downcased;
98 int msg_type;
99 } msg_id_info[FSCK_MSG_MAX + 1] = {
100 FOREACH_MSG_ID(MSG_ID)
101 { NULL, NULL, -1 }
102 };
103 #undef MSG_ID
104
105 static int parse_msg_id(const char *text)
106 {
107 int i;
108
109 if (!msg_id_info[0].downcased) {
110 /* convert id_string to lower case, without underscores. */
111 for (i = 0; i < FSCK_MSG_MAX; i++) {
112 const char *p = msg_id_info[i].id_string;
113 int len = strlen(p);
114 char *q = xmalloc(len);
115
116 msg_id_info[i].downcased = q;
117 while (*p)
118 if (*p == '_')
119 p++;
120 else
121 *(q)++ = tolower(*(p)++);
122 *q = '\0';
123 }
124 }
125
126 for (i = 0; i < FSCK_MSG_MAX; i++)
127 if (!strcmp(text, msg_id_info[i].downcased))
128 return i;
129
130 return -1;
131 }
132
133 static int fsck_msg_type(enum fsck_msg_id msg_id,
134 struct fsck_options *options)
135 {
136 int msg_type;
137
138 assert(msg_id >= 0 && msg_id < FSCK_MSG_MAX);
139
140 if (options->msg_type)
141 msg_type = options->msg_type[msg_id];
142 else {
143 msg_type = msg_id_info[msg_id].msg_type;
144 if (options->strict && msg_type == FSCK_WARN)
145 msg_type = FSCK_ERROR;
146 }
147
148 return msg_type;
149 }
150
151 static void init_skiplist(struct fsck_options *options, const char *path)
152 {
153 static struct oid_array skiplist = OID_ARRAY_INIT;
154 int sorted, fd;
155 char buffer[GIT_MAX_HEXSZ + 1];
156 struct object_id oid;
157
158 if (options->skiplist)
159 sorted = options->skiplist->sorted;
160 else {
161 sorted = 1;
162 options->skiplist = &skiplist;
163 }
164
165 fd = open(path, O_RDONLY);
166 if (fd < 0)
167 die("Could not open skip list: %s", path);
168 for (;;) {
169 const char *p;
170 int result = read_in_full(fd, buffer, sizeof(buffer));
171 if (result < 0)
172 die_errno("Could not read '%s'", path);
173 if (!result)
174 break;
175 if (parse_oid_hex(buffer, &oid, &p) || *p != '\n')
176 die("Invalid SHA-1: %s", buffer);
177 oid_array_append(&skiplist, &oid);
178 if (sorted && skiplist.nr > 1 &&
179 oidcmp(&skiplist.oid[skiplist.nr - 2],
180 &oid) > 0)
181 sorted = 0;
182 }
183 close(fd);
184
185 if (sorted)
186 skiplist.sorted = 1;
187 }
188
189 static int parse_msg_type(const char *str)
190 {
191 if (!strcmp(str, "error"))
192 return FSCK_ERROR;
193 else if (!strcmp(str, "warn"))
194 return FSCK_WARN;
195 else if (!strcmp(str, "ignore"))
196 return FSCK_IGNORE;
197 else
198 die("Unknown fsck message type: '%s'", str);
199 }
200
201 int is_valid_msg_type(const char *msg_id, const char *msg_type)
202 {
203 if (parse_msg_id(msg_id) < 0)
204 return 0;
205 parse_msg_type(msg_type);
206 return 1;
207 }
208
209 void fsck_set_msg_type(struct fsck_options *options,
210 const char *msg_id, const char *msg_type)
211 {
212 int id = parse_msg_id(msg_id), type;
213
214 if (id < 0)
215 die("Unhandled message id: %s", msg_id);
216 type = parse_msg_type(msg_type);
217
218 if (type != FSCK_ERROR && msg_id_info[id].msg_type == FSCK_FATAL)
219 die("Cannot demote %s to %s", msg_id, msg_type);
220
221 if (!options->msg_type) {
222 int i;
223 int *msg_type;
224 ALLOC_ARRAY(msg_type, FSCK_MSG_MAX);
225 for (i = 0; i < FSCK_MSG_MAX; i++)
226 msg_type[i] = fsck_msg_type(i, options);
227 options->msg_type = msg_type;
228 }
229
230 options->msg_type[id] = type;
231 }
232
233 void fsck_set_msg_types(struct fsck_options *options, const char *values)
234 {
235 char *buf = xstrdup(values), *to_free = buf;
236 int done = 0;
237
238 while (!done) {
239 int len = strcspn(buf, " ,|"), equal;
240
241 done = !buf[len];
242 if (!len) {
243 buf++;
244 continue;
245 }
246 buf[len] = '\0';
247
248 for (equal = 0;
249 equal < len && buf[equal] != '=' && buf[equal] != ':';
250 equal++)
251 buf[equal] = tolower(buf[equal]);
252 buf[equal] = '\0';
253
254 if (!strcmp(buf, "skiplist")) {
255 if (equal == len)
256 die("skiplist requires a path");
257 init_skiplist(options, buf + equal + 1);
258 buf += len + 1;
259 continue;
260 }
261
262 if (equal == len)
263 die("Missing '=': '%s'", buf);
264
265 fsck_set_msg_type(options, buf, buf + equal + 1);
266 buf += len + 1;
267 }
268 free(to_free);
269 }
270
271 static void append_msg_id(struct strbuf *sb, const char *msg_id)
272 {
273 for (;;) {
274 char c = *(msg_id)++;
275
276 if (!c)
277 break;
278 if (c != '_')
279 strbuf_addch(sb, tolower(c));
280 else {
281 assert(*msg_id);
282 strbuf_addch(sb, *(msg_id)++);
283 }
284 }
285
286 strbuf_addstr(sb, ": ");
287 }
288
289 __attribute__((format (printf, 4, 5)))
290 static int report(struct fsck_options *options, struct object *object,
291 enum fsck_msg_id id, const char *fmt, ...)
292 {
293 va_list ap;
294 struct strbuf sb = STRBUF_INIT;
295 int msg_type = fsck_msg_type(id, options), result;
296
297 if (msg_type == FSCK_IGNORE)
298 return 0;
299
300 if (options->skiplist && object &&
301 oid_array_lookup(options->skiplist, &object->oid) >= 0)
302 return 0;
303
304 if (msg_type == FSCK_FATAL)
305 msg_type = FSCK_ERROR;
306 else if (msg_type == FSCK_INFO)
307 msg_type = FSCK_WARN;
308
309 append_msg_id(&sb, msg_id_info[id].id_string);
310
311 va_start(ap, fmt);
312 strbuf_vaddf(&sb, fmt, ap);
313 result = options->error_func(options, object, msg_type, sb.buf);
314 strbuf_release(&sb);
315 va_end(ap);
316
317 return result;
318 }
319
320 static char *get_object_name(struct fsck_options *options, struct object *obj)
321 {
322 if (!options->object_names)
323 return NULL;
324 return lookup_decoration(options->object_names, obj);
325 }
326
327 static void put_object_name(struct fsck_options *options, struct object *obj,
328 const char *fmt, ...)
329 {
330 va_list ap;
331 struct strbuf buf = STRBUF_INIT;
332 char *existing;
333
334 if (!options->object_names)
335 return;
336 existing = lookup_decoration(options->object_names, obj);
337 if (existing)
338 return;
339 va_start(ap, fmt);
340 strbuf_vaddf(&buf, fmt, ap);
341 add_decoration(options->object_names, obj, strbuf_detach(&buf, NULL));
342 va_end(ap);
343 }
344
345 static const char *describe_object(struct fsck_options *o, struct object *obj)
346 {
347 static struct strbuf buf = STRBUF_INIT;
348 char *name;
349
350 strbuf_reset(&buf);
351 strbuf_addstr(&buf, oid_to_hex(&obj->oid));
352 if (o->object_names && (name = lookup_decoration(o->object_names, obj)))
353 strbuf_addf(&buf, " (%s)", name);
354
355 return buf.buf;
356 }
357
358 static int fsck_walk_tree(struct tree *tree, void *data, struct fsck_options *options)
359 {
360 struct tree_desc desc;
361 struct name_entry entry;
362 int res = 0;
363 const char *name;
364
365 if (parse_tree(tree))
366 return -1;
367
368 name = get_object_name(options, &tree->object);
369 if (init_tree_desc_gently(&desc, tree->buffer, tree->size))
370 return -1;
371 while (tree_entry_gently(&desc, &entry)) {
372 struct object *obj;
373 int result;
374
375 if (S_ISGITLINK(entry.mode))
376 continue;
377
378 if (S_ISDIR(entry.mode)) {
379 obj = (struct object *)lookup_tree(entry.oid);
380 if (name && obj)
381 put_object_name(options, obj, "%s%s/", name,
382 entry.path);
383 result = options->walk(obj, OBJ_TREE, data, options);
384 }
385 else if (S_ISREG(entry.mode) || S_ISLNK(entry.mode)) {
386 obj = (struct object *)lookup_blob(entry.oid);
387 if (name && obj)
388 put_object_name(options, obj, "%s%s", name,
389 entry.path);
390 result = options->walk(obj, OBJ_BLOB, data, options);
391 }
392 else {
393 result = error("in tree %s: entry %s has bad mode %.6o",
394 describe_object(options, &tree->object), entry.path, entry.mode);
395 }
396 if (result < 0)
397 return result;
398 if (!res)
399 res = result;
400 }
401 return res;
402 }
403
404 static int fsck_walk_commit(struct commit *commit, void *data, struct fsck_options *options)
405 {
406 int counter = 0, generation = 0, name_prefix_len = 0;
407 struct commit_list *parents;
408 int res;
409 int result;
410 const char *name;
411
412 if (parse_commit(commit))
413 return -1;
414
415 name = get_object_name(options, &commit->object);
416 if (name)
417 put_object_name(options, &commit->tree->object, "%s:", name);
418
419 result = options->walk((struct object *)commit->tree, OBJ_TREE, data, options);
420 if (result < 0)
421 return result;
422 res = result;
423
424 parents = commit->parents;
425 if (name && parents) {
426 int len = strlen(name), power;
427
428 if (len && name[len - 1] == '^') {
429 generation = 1;
430 name_prefix_len = len - 1;
431 }
432 else { /* parse ~<generation> suffix */
433 for (generation = 0, power = 1;
434 len && isdigit(name[len - 1]);
435 power *= 10)
436 generation += power * (name[--len] - '0');
437 if (power > 1 && len && name[len - 1] == '~')
438 name_prefix_len = len - 1;
439 }
440 }
441
442 while (parents) {
443 if (name) {
444 struct object *obj = &parents->item->object;
445
446 if (++counter > 1)
447 put_object_name(options, obj, "%s^%d",
448 name, counter);
449 else if (generation > 0)
450 put_object_name(options, obj, "%.*s~%d",
451 name_prefix_len, name, generation + 1);
452 else
453 put_object_name(options, obj, "%s^", name);
454 }
455 result = options->walk((struct object *)parents->item, OBJ_COMMIT, data, options);
456 if (result < 0)
457 return result;
458 if (!res)
459 res = result;
460 parents = parents->next;
461 }
462 return res;
463 }
464
465 static int fsck_walk_tag(struct tag *tag, void *data, struct fsck_options *options)
466 {
467 char *name = get_object_name(options, &tag->object);
468
469 if (parse_tag(tag))
470 return -1;
471 if (name)
472 put_object_name(options, tag->tagged, "%s", name);
473 return options->walk(tag->tagged, OBJ_ANY, data, options);
474 }
475
476 int fsck_walk(struct object *obj, void *data, struct fsck_options *options)
477 {
478 if (!obj)
479 return -1;
480
481 if (obj->type == OBJ_NONE)
482 parse_object(&obj->oid);
483
484 switch (obj->type) {
485 case OBJ_BLOB:
486 return 0;
487 case OBJ_TREE:
488 return fsck_walk_tree((struct tree *)obj, data, options);
489 case OBJ_COMMIT:
490 return fsck_walk_commit((struct commit *)obj, data, options);
491 case OBJ_TAG:
492 return fsck_walk_tag((struct tag *)obj, data, options);
493 default:
494 error("Unknown object type for %s", describe_object(options, obj));
495 return -1;
496 }
497 }
498
499 /*
500 * The entries in a tree are ordered in the _path_ order,
501 * which means that a directory entry is ordered by adding
502 * a slash to the end of it.
503 *
504 * So a directory called "a" is ordered _after_ a file
505 * called "a.c", because "a/" sorts after "a.c".
506 */
507 #define TREE_UNORDERED (-1)
508 #define TREE_HAS_DUPS (-2)
509
510 static int verify_ordered(unsigned mode1, const char *name1, unsigned mode2, const char *name2)
511 {
512 int len1 = strlen(name1);
513 int len2 = strlen(name2);
514 int len = len1 < len2 ? len1 : len2;
515 unsigned char c1, c2;
516 int cmp;
517
518 cmp = memcmp(name1, name2, len);
519 if (cmp < 0)
520 return 0;
521 if (cmp > 0)
522 return TREE_UNORDERED;
523
524 /*
525 * Ok, the first <len> characters are the same.
526 * Now we need to order the next one, but turn
527 * a '\0' into a '/' for a directory entry.
528 */
529 c1 = name1[len];
530 c2 = name2[len];
531 if (!c1 && !c2)
532 /*
533 * git-write-tree used to write out a nonsense tree that has
534 * entries with the same name, one blob and one tree. Make
535 * sure we do not have duplicate entries.
536 */
537 return TREE_HAS_DUPS;
538 if (!c1 && S_ISDIR(mode1))
539 c1 = '/';
540 if (!c2 && S_ISDIR(mode2))
541 c2 = '/';
542 return c1 < c2 ? 0 : TREE_UNORDERED;
543 }
544
545 static int fsck_tree(struct tree *item, struct fsck_options *options)
546 {
547 int retval = 0;
548 int has_null_sha1 = 0;
549 int has_full_path = 0;
550 int has_empty_name = 0;
551 int has_dot = 0;
552 int has_dotdot = 0;
553 int has_dotgit = 0;
554 int has_zero_pad = 0;
555 int has_bad_modes = 0;
556 int has_dup_entries = 0;
557 int not_properly_sorted = 0;
558 struct tree_desc desc;
559 unsigned o_mode;
560 const char *o_name;
561
562 if (init_tree_desc_gently(&desc, item->buffer, item->size)) {
563 retval += report(options, &item->object, FSCK_MSG_BAD_TREE, "cannot be parsed as a tree");
564 return retval;
565 }
566
567 o_mode = 0;
568 o_name = NULL;
569
570 while (desc.size) {
571 unsigned mode;
572 const char *name, *backslash;
573 const struct object_id *oid;
574
575 oid = tree_entry_extract(&desc, &name, &mode);
576
577 has_null_sha1 |= is_null_oid(oid);
578 has_full_path |= !!strchr(name, '/');
579 has_empty_name |= !*name;
580 has_dot |= !strcmp(name, ".");
581 has_dotdot |= !strcmp(name, "..");
582 has_dotgit |= is_hfs_dotgit(name) || is_ntfs_dotgit(name);
583 has_zero_pad |= *(char *)desc.buffer == '0';
584
585 if (is_hfs_dotgitmodules(name) || is_ntfs_dotgitmodules(name)) {
586 if (!S_ISLNK(mode))
587 oidset_insert(&gitmodules_found, oid);
588 else
589 retval += report(options, &item->object,
590 FSCK_MSG_GITMODULES_SYMLINK,
591 ".gitmodules is a symbolic link");
592 }
593
594 if ((backslash = strchr(name, '\\'))) {
595 while (backslash) {
596 backslash++;
597 has_dotgit |= is_ntfs_dotgit(backslash);
598 if (is_ntfs_dotgitmodules(backslash)) {
599 if (!S_ISLNK(mode))
600 oidset_insert(&gitmodules_found, oid);
601 else
602 retval += report(options, &item->object,
603 FSCK_MSG_GITMODULES_SYMLINK,
604 ".gitmodules is a symbolic link");
605 }
606 backslash = strchr(backslash, '\\');
607 }
608 }
609
610 if (update_tree_entry_gently(&desc)) {
611 retval += report(options, &item->object, FSCK_MSG_BAD_TREE, "cannot be parsed as a tree");
612 break;
613 }
614
615 switch (mode) {
616 /*
617 * Standard modes..
618 */
619 case S_IFREG | 0755:
620 case S_IFREG | 0644:
621 case S_IFLNK:
622 case S_IFDIR:
623 case S_IFGITLINK:
624 break;
625 /*
626 * This is nonstandard, but we had a few of these
627 * early on when we honored the full set of mode
628 * bits..
629 */
630 case S_IFREG | 0664:
631 if (!options->strict)
632 break;
633 /* fallthrough */
634 default:
635 has_bad_modes = 1;
636 }
637
638 if (o_name) {
639 switch (verify_ordered(o_mode, o_name, mode, name)) {
640 case TREE_UNORDERED:
641 not_properly_sorted = 1;
642 break;
643 case TREE_HAS_DUPS:
644 has_dup_entries = 1;
645 break;
646 default:
647 break;
648 }
649 }
650
651 o_mode = mode;
652 o_name = name;
653 }
654
655 if (has_null_sha1)
656 retval += report(options, &item->object, FSCK_MSG_NULL_SHA1, "contains entries pointing to null sha1");
657 if (has_full_path)
658 retval += report(options, &item->object, FSCK_MSG_FULL_PATHNAME, "contains full pathnames");
659 if (has_empty_name)
660 retval += report(options, &item->object, FSCK_MSG_EMPTY_NAME, "contains empty pathname");
661 if (has_dot)
662 retval += report(options, &item->object, FSCK_MSG_HAS_DOT, "contains '.'");
663 if (has_dotdot)
664 retval += report(options, &item->object, FSCK_MSG_HAS_DOTDOT, "contains '..'");
665 if (has_dotgit)
666 retval += report(options, &item->object, FSCK_MSG_HAS_DOTGIT, "contains '.git'");
667 if (has_zero_pad)
668 retval += report(options, &item->object, FSCK_MSG_ZERO_PADDED_FILEMODE, "contains zero-padded file modes");
669 if (has_bad_modes)
670 retval += report(options, &item->object, FSCK_MSG_BAD_FILEMODE, "contains bad file modes");
671 if (has_dup_entries)
672 retval += report(options, &item->object, FSCK_MSG_DUPLICATE_ENTRIES, "contains duplicate file entries");
673 if (not_properly_sorted)
674 retval += report(options, &item->object, FSCK_MSG_TREE_NOT_SORTED, "not properly sorted");
675 return retval;
676 }
677
678 static int verify_headers(const void *data, unsigned long size,
679 struct object *obj, struct fsck_options *options)
680 {
681 const char *buffer = (const char *)data;
682 unsigned long i;
683
684 for (i = 0; i < size; i++) {
685 switch (buffer[i]) {
686 case '\0':
687 return report(options, obj,
688 FSCK_MSG_NUL_IN_HEADER,
689 "unterminated header: NUL at offset %ld", i);
690 case '\n':
691 if (i + 1 < size && buffer[i + 1] == '\n')
692 return 0;
693 }
694 }
695
696 /*
697 * We did not find double-LF that separates the header
698 * and the body. Not having a body is not a crime but
699 * we do want to see the terminating LF for the last header
700 * line.
701 */
702 if (size && buffer[size - 1] == '\n')
703 return 0;
704
705 return report(options, obj,
706 FSCK_MSG_UNTERMINATED_HEADER, "unterminated header");
707 }
708
709 static int fsck_ident(const char **ident, struct object *obj, struct fsck_options *options)
710 {
711 const char *p = *ident;
712 char *end;
713
714 *ident = strchrnul(*ident, '\n');
715 if (**ident == '\n')
716 (*ident)++;
717
718 if (*p == '<')
719 return report(options, obj, FSCK_MSG_MISSING_NAME_BEFORE_EMAIL, "invalid author/committer line - missing space before email");
720 p += strcspn(p, "<>\n");
721 if (*p == '>')
722 return report(options, obj, FSCK_MSG_BAD_NAME, "invalid author/committer line - bad name");
723 if (*p != '<')
724 return report(options, obj, FSCK_MSG_MISSING_EMAIL, "invalid author/committer line - missing email");
725 if (p[-1] != ' ')
726 return report(options, obj, FSCK_MSG_MISSING_SPACE_BEFORE_EMAIL, "invalid author/committer line - missing space before email");
727 p++;
728 p += strcspn(p, "<>\n");
729 if (*p != '>')
730 return report(options, obj, FSCK_MSG_BAD_EMAIL, "invalid author/committer line - bad email");
731 p++;
732 if (*p != ' ')
733 return report(options, obj, FSCK_MSG_MISSING_SPACE_BEFORE_DATE, "invalid author/committer line - missing space before date");
734 p++;
735 if (*p == '0' && p[1] != ' ')
736 return report(options, obj, FSCK_MSG_ZERO_PADDED_DATE, "invalid author/committer line - zero-padded date");
737 if (date_overflows(parse_timestamp(p, &end, 10)))
738 return report(options, obj, FSCK_MSG_BAD_DATE_OVERFLOW, "invalid author/committer line - date causes integer overflow");
739 if ((end == p || *end != ' '))
740 return report(options, obj, FSCK_MSG_BAD_DATE, "invalid author/committer line - bad date");
741 p = end + 1;
742 if ((*p != '+' && *p != '-') ||
743 !isdigit(p[1]) ||
744 !isdigit(p[2]) ||
745 !isdigit(p[3]) ||
746 !isdigit(p[4]) ||
747 (p[5] != '\n'))
748 return report(options, obj, FSCK_MSG_BAD_TIMEZONE, "invalid author/committer line - bad time zone");
749 p += 6;
750 return 0;
751 }
752
753 static int fsck_commit_buffer(struct commit *commit, const char *buffer,
754 unsigned long size, struct fsck_options *options)
755 {
756 unsigned char tree_sha1[20], sha1[20];
757 struct commit_graft *graft;
758 unsigned parent_count, parent_line_count = 0, author_count;
759 int err;
760 const char *buffer_begin = buffer;
761
762 if (verify_headers(buffer, size, &commit->object, options))
763 return -1;
764
765 if (!skip_prefix(buffer, "tree ", &buffer))
766 return report(options, &commit->object, FSCK_MSG_MISSING_TREE, "invalid format - expected 'tree' line");
767 if (get_sha1_hex(buffer, tree_sha1) || buffer[40] != '\n') {
768 err = report(options, &commit->object, FSCK_MSG_BAD_TREE_SHA1, "invalid 'tree' line format - bad sha1");
769 if (err)
770 return err;
771 }
772 buffer += 41;
773 while (skip_prefix(buffer, "parent ", &buffer)) {
774 if (get_sha1_hex(buffer, sha1) || buffer[40] != '\n') {
775 err = report(options, &commit->object, FSCK_MSG_BAD_PARENT_SHA1, "invalid 'parent' line format - bad sha1");
776 if (err)
777 return err;
778 }
779 buffer += 41;
780 parent_line_count++;
781 }
782 graft = lookup_commit_graft(&commit->object.oid);
783 parent_count = commit_list_count(commit->parents);
784 if (graft) {
785 if (graft->nr_parent == -1 && !parent_count)
786 ; /* shallow commit */
787 else if (graft->nr_parent != parent_count) {
788 err = report(options, &commit->object, FSCK_MSG_MISSING_GRAFT, "graft objects missing");
789 if (err)
790 return err;
791 }
792 } else {
793 if (parent_count != parent_line_count) {
794 err = report(options, &commit->object, FSCK_MSG_MISSING_PARENT, "parent objects missing");
795 if (err)
796 return err;
797 }
798 }
799 author_count = 0;
800 while (skip_prefix(buffer, "author ", &buffer)) {
801 author_count++;
802 err = fsck_ident(&buffer, &commit->object, options);
803 if (err)
804 return err;
805 }
806 if (author_count < 1)
807 err = report(options, &commit->object, FSCK_MSG_MISSING_AUTHOR, "invalid format - expected 'author' line");
808 else if (author_count > 1)
809 err = report(options, &commit->object, FSCK_MSG_MULTIPLE_AUTHORS, "invalid format - multiple 'author' lines");
810 if (err)
811 return err;
812 if (!skip_prefix(buffer, "committer ", &buffer))
813 return report(options, &commit->object, FSCK_MSG_MISSING_COMMITTER, "invalid format - expected 'committer' line");
814 err = fsck_ident(&buffer, &commit->object, options);
815 if (err)
816 return err;
817 if (!commit->tree) {
818 err = report(options, &commit->object, FSCK_MSG_BAD_TREE, "could not load commit's tree %s", sha1_to_hex(tree_sha1));
819 if (err)
820 return err;
821 }
822 if (memchr(buffer_begin, '\0', size)) {
823 err = report(options, &commit->object, FSCK_MSG_NUL_IN_COMMIT,
824 "NUL byte in the commit object body");
825 if (err)
826 return err;
827 }
828 return 0;
829 }
830
831 static int fsck_commit(struct commit *commit, const char *data,
832 unsigned long size, struct fsck_options *options)
833 {
834 const char *buffer = data ? data : get_commit_buffer(commit, &size);
835 int ret = fsck_commit_buffer(commit, buffer, size, options);
836 if (!data)
837 unuse_commit_buffer(commit, buffer);
838 return ret;
839 }
840
841 static int fsck_tag_buffer(struct tag *tag, const char *data,
842 unsigned long size, struct fsck_options *options)
843 {
844 unsigned char sha1[20];
845 int ret = 0;
846 const char *buffer;
847 char *to_free = NULL, *eol;
848 struct strbuf sb = STRBUF_INIT;
849
850 if (data)
851 buffer = data;
852 else {
853 enum object_type type;
854
855 buffer = to_free =
856 read_sha1_file(tag->object.oid.hash, &type, &size);
857 if (!buffer)
858 return report(options, &tag->object,
859 FSCK_MSG_MISSING_TAG_OBJECT,
860 "cannot read tag object");
861
862 if (type != OBJ_TAG) {
863 ret = report(options, &tag->object,
864 FSCK_MSG_TAG_OBJECT_NOT_TAG,
865 "expected tag got %s",
866 type_name(type));
867 goto done;
868 }
869 }
870
871 ret = verify_headers(buffer, size, &tag->object, options);
872 if (ret)
873 goto done;
874
875 if (!skip_prefix(buffer, "object ", &buffer)) {
876 ret = report(options, &tag->object, FSCK_MSG_MISSING_OBJECT, "invalid format - expected 'object' line");
877 goto done;
878 }
879 if (get_sha1_hex(buffer, sha1) || buffer[40] != '\n') {
880 ret = report(options, &tag->object, FSCK_MSG_BAD_OBJECT_SHA1, "invalid 'object' line format - bad sha1");
881 if (ret)
882 goto done;
883 }
884 buffer += 41;
885
886 if (!skip_prefix(buffer, "type ", &buffer)) {
887 ret = report(options, &tag->object, FSCK_MSG_MISSING_TYPE_ENTRY, "invalid format - expected 'type' line");
888 goto done;
889 }
890 eol = strchr(buffer, '\n');
891 if (!eol) {
892 ret = report(options, &tag->object, FSCK_MSG_MISSING_TYPE, "invalid format - unexpected end after 'type' line");
893 goto done;
894 }
895 if (type_from_string_gently(buffer, eol - buffer, 1) < 0)
896 ret = report(options, &tag->object, FSCK_MSG_BAD_TYPE, "invalid 'type' value");
897 if (ret)
898 goto done;
899 buffer = eol + 1;
900
901 if (!skip_prefix(buffer, "tag ", &buffer)) {
902 ret = report(options, &tag->object, FSCK_MSG_MISSING_TAG_ENTRY, "invalid format - expected 'tag' line");
903 goto done;
904 }
905 eol = strchr(buffer, '\n');
906 if (!eol) {
907 ret = report(options, &tag->object, FSCK_MSG_MISSING_TAG, "invalid format - unexpected end after 'type' line");
908 goto done;
909 }
910 strbuf_addf(&sb, "refs/tags/%.*s", (int)(eol - buffer), buffer);
911 if (check_refname_format(sb.buf, 0)) {
912 ret = report(options, &tag->object, FSCK_MSG_BAD_TAG_NAME,
913 "invalid 'tag' name: %.*s",
914 (int)(eol - buffer), buffer);
915 if (ret)
916 goto done;
917 }
918 buffer = eol + 1;
919
920 if (!skip_prefix(buffer, "tagger ", &buffer)) {
921 /* early tags do not contain 'tagger' lines; warn only */
922 ret = report(options, &tag->object, FSCK_MSG_MISSING_TAGGER_ENTRY, "invalid format - expected 'tagger' line");
923 if (ret)
924 goto done;
925 }
926 else
927 ret = fsck_ident(&buffer, &tag->object, options);
928
929 done:
930 strbuf_release(&sb);
931 free(to_free);
932 return ret;
933 }
934
935 static int fsck_tag(struct tag *tag, const char *data,
936 unsigned long size, struct fsck_options *options)
937 {
938 struct object *tagged = tag->tagged;
939
940 if (!tagged)
941 return report(options, &tag->object, FSCK_MSG_BAD_TAG_OBJECT, "could not load tagged object");
942
943 return fsck_tag_buffer(tag, data, size, options);
944 }
945
946 /*
947 * Like builtin/submodule--helper.c's starts_with_dot_slash, but without
948 * relying on the platform-dependent is_dir_sep helper.
949 *
950 * This is for use in checking whether a submodule URL is interpreted as
951 * relative to the current directory on any platform, since \ is a
952 * directory separator on Windows but not on other platforms.
953 */
954 static int starts_with_dot_slash(const char *str)
955 {
956 return str[0] == '.' && (str[1] == '/' || str[1] == '\\');
957 }
958
959 /*
960 * Like starts_with_dot_slash, this is a variant of submodule--helper's
961 * helper of the same name with the twist that it accepts backslash as a
962 * directory separator even on non-Windows platforms.
963 */
964 static int starts_with_dot_dot_slash(const char *str)
965 {
966 return str[0] == '.' && starts_with_dot_slash(str + 1);
967 }
968
969 static int submodule_url_is_relative(const char *url)
970 {
971 return starts_with_dot_slash(url) || starts_with_dot_dot_slash(url);
972 }
973
974 /*
975 * Count directory components that a relative submodule URL should chop
976 * from the remote_url it is to be resolved against.
977 *
978 * In other words, this counts "../" components at the start of a
979 * submodule URL.
980 *
981 * Returns the number of directory components to chop and writes a
982 * pointer to the next character of url after all leading "./" and
983 * "../" components to out.
984 */
985 static int count_leading_dotdots(const char *url, const char **out)
986 {
987 int result = 0;
988 while (1) {
989 if (starts_with_dot_dot_slash(url)) {
990 result++;
991 url += strlen("../");
992 continue;
993 }
994 if (starts_with_dot_slash(url)) {
995 url += strlen("./");
996 continue;
997 }
998 *out = url;
999 return result;
1000 }
1001 }
1002 /*
1003 * Check whether a transport is implemented by git-remote-curl.
1004 *
1005 * If it is, returns 1 and writes the URL that would be passed to
1006 * git-remote-curl to the "out" parameter.
1007 *
1008 * Otherwise, returns 0 and leaves "out" untouched.
1009 *
1010 * Examples:
1011 * http::https://example.com/repo.git -> 1, https://example.com/repo.git
1012 * https://example.com/repo.git -> 1, https://example.com/repo.git
1013 * git://example.com/repo.git -> 0
1014 *
1015 * This is for use in checking for previously exploitable bugs that
1016 * required a submodule URL to be passed to git-remote-curl.
1017 */
1018 static int url_to_curl_url(const char *url, const char **out)
1019 {
1020 /*
1021 * We don't need to check for case-aliases, "http.exe", and so
1022 * on because in the default configuration, is_transport_allowed
1023 * prevents URLs with those schemes from being cloned
1024 * automatically.
1025 */
1026 if (skip_prefix(url, "http::", out) ||
1027 skip_prefix(url, "https::", out) ||
1028 skip_prefix(url, "ftp::", out) ||
1029 skip_prefix(url, "ftps::", out))
1030 return 1;
1031 if (starts_with(url, "http://") ||
1032 starts_with(url, "https://") ||
1033 starts_with(url, "ftp://") ||
1034 starts_with(url, "ftps://")) {
1035 *out = url;
1036 return 1;
1037 }
1038 return 0;
1039 }
1040
1041 static int check_submodule_url(const char *url)
1042 {
1043 const char *curl_url;
1044
1045 if (looks_like_command_line_option(url))
1046 return -1;
1047
1048 if (submodule_url_is_relative(url)) {
1049 char *decoded;
1050 const char *next;
1051 int has_nl;
1052
1053 /*
1054 * This could be appended to an http URL and url-decoded;
1055 * check for malicious characters.
1056 */
1057 decoded = url_decode(url);
1058 has_nl = !!strchr(decoded, '\n');
1059
1060 free(decoded);
1061 if (has_nl)
1062 return -1;
1063
1064 /*
1065 * URLs which escape their root via "../" can overwrite
1066 * the host field and previous components, resolving to
1067 * URLs like https::example.com/submodule.git and
1068 * https:///example.com/submodule.git that were
1069 * susceptible to CVE-2020-11008.
1070 */
1071 if (count_leading_dotdots(url, &next) > 0 &&
1072 (*next == ':' || *next == '/'))
1073 return -1;
1074 }
1075
1076 else if (url_to_curl_url(url, &curl_url)) {
1077 struct credential c = CREDENTIAL_INIT;
1078 int ret = 0;
1079 if (credential_from_url_gently(&c, curl_url, 1) ||
1080 !*c.host)
1081 ret = -1;
1082 credential_clear(&c);
1083 return ret;
1084 }
1085
1086 return 0;
1087 }
1088
1089 struct fsck_gitmodules_data {
1090 struct object *obj;
1091 struct fsck_options *options;
1092 int ret;
1093 };
1094
1095 static int fsck_gitmodules_fn(const char *var, const char *value, void *vdata)
1096 {
1097 struct fsck_gitmodules_data *data = vdata;
1098 const char *subsection, *key;
1099 int subsection_len;
1100 char *name;
1101
1102 if (parse_config_key(var, "submodule", &subsection, &subsection_len, &key) < 0 ||
1103 !subsection)
1104 return 0;
1105
1106 name = xmemdupz(subsection, subsection_len);
1107 if (check_submodule_name(name) < 0)
1108 data->ret |= report(data->options, data->obj,
1109 FSCK_MSG_GITMODULES_NAME,
1110 "disallowed submodule name: %s",
1111 name);
1112 if (!strcmp(key, "url") && value &&
1113 check_submodule_url(value) < 0)
1114 data->ret |= report(data->options, data->obj,
1115 FSCK_MSG_GITMODULES_URL,
1116 "disallowed submodule url: %s",
1117 value);
1118 if (!strcmp(key, "path") && value &&
1119 looks_like_command_line_option(value))
1120 data->ret |= report(data->options, data->obj,
1121 FSCK_MSG_GITMODULES_PATH,
1122 "disallowed submodule path: %s",
1123 value);
1124 if (!strcmp(key, "update") && value &&
1125 parse_submodule_update_type(value) == SM_UPDATE_COMMAND)
1126 data->ret |= report(data->options, data->obj,
1127 FSCK_MSG_GITMODULES_UPDATE,
1128 "disallowed submodule update setting: %s",
1129 value);
1130 free(name);
1131
1132 return 0;
1133 }
1134
1135 static int fsck_blob(struct blob *blob, const char *buf,
1136 unsigned long size, struct fsck_options *options)
1137 {
1138 struct fsck_gitmodules_data data;
1139
1140 if (!oidset_contains(&gitmodules_found, &blob->object.oid))
1141 return 0;
1142 oidset_insert(&gitmodules_done, &blob->object.oid);
1143
1144 if (!buf) {
1145 /*
1146 * A missing buffer here is a sign that the caller found the
1147 * blob too gigantic to load into memory. Let's just consider
1148 * that an error.
1149 */
1150 return report(options, &blob->object,
1151 FSCK_MSG_GITMODULES_PARSE,
1152 ".gitmodules too large to parse");
1153 }
1154
1155 data.obj = &blob->object;
1156 data.options = options;
1157 data.ret = 0;
1158 if (git_config_from_mem(fsck_gitmodules_fn, CONFIG_ORIGIN_BLOB,
1159 ".gitmodules", buf, size, &data))
1160 data.ret |= report(options, &blob->object,
1161 FSCK_MSG_GITMODULES_PARSE,
1162 "could not parse gitmodules blob");
1163
1164 return data.ret;
1165 }
1166
1167 int fsck_object(struct object *obj, void *data, unsigned long size,
1168 struct fsck_options *options)
1169 {
1170 if (!obj)
1171 return report(options, obj, FSCK_MSG_BAD_OBJECT_SHA1, "no valid object to fsck");
1172
1173 if (obj->type == OBJ_BLOB)
1174 return fsck_blob((struct blob *)obj, data, size, options);
1175 if (obj->type == OBJ_TREE)
1176 return fsck_tree((struct tree *) obj, options);
1177 if (obj->type == OBJ_COMMIT)
1178 return fsck_commit((struct commit *) obj, (const char *) data,
1179 size, options);
1180 if (obj->type == OBJ_TAG)
1181 return fsck_tag((struct tag *) obj, (const char *) data,
1182 size, options);
1183
1184 return report(options, obj, FSCK_MSG_UNKNOWN_TYPE, "unknown type '%d' (internal fsck error)",
1185 obj->type);
1186 }
1187
1188 int fsck_error_function(struct fsck_options *o,
1189 struct object *obj, int msg_type, const char *message)
1190 {
1191 if (msg_type == FSCK_WARN) {
1192 warning("object %s: %s", describe_object(o, obj), message);
1193 return 0;
1194 }
1195 error("object %s: %s", describe_object(o, obj), message);
1196 return 1;
1197 }
1198
1199 int fsck_finish(struct fsck_options *options)
1200 {
1201 int ret = 0;
1202 struct oidset_iter iter;
1203 const struct object_id *oid;
1204
1205 oidset_iter_init(&gitmodules_found, &iter);
1206 while ((oid = oidset_iter_next(&iter))) {
1207 struct blob *blob;
1208 enum object_type type;
1209 unsigned long size;
1210 char *buf;
1211
1212 if (oidset_contains(&gitmodules_done, oid))
1213 continue;
1214
1215 blob = lookup_blob(oid);
1216 if (!blob) {
1217 ret |= report(options, &blob->object,
1218 FSCK_MSG_GITMODULES_BLOB,
1219 "non-blob found at .gitmodules");
1220 continue;
1221 }
1222
1223 buf = read_sha1_file(oid->hash, &type, &size);
1224 if (!buf) {
1225 if (is_promisor_object(&blob->object.oid))
1226 continue;
1227 ret |= report(options, &blob->object,
1228 FSCK_MSG_GITMODULES_MISSING,
1229 "unable to read .gitmodules blob");
1230 continue;
1231 }
1232
1233 if (type == OBJ_BLOB)
1234 ret |= fsck_blob(blob, buf, size, options);
1235 else
1236 ret |= report(options, &blob->object,
1237 FSCK_MSG_GITMODULES_BLOB,
1238 "non-blob found at .gitmodules");
1239 free(buf);
1240 }
1241
1242
1243 oidset_clear(&gitmodules_found);
1244 oidset_clear(&gitmodules_done);
1245 return ret;
1246 }
git for Debian