fix!: validate all components pushed onto the stack when creating leading paths.

This way, everyone using the stack with the purpose of
altering the working tree will run additional checks to prevent callers
from sneaking in forbidden paths.

Note that these checks don't run otherwise, so one has to be careful
to not forget to run these checks whenever needed.

Author: Byron

Cargo.lock

@@ -63,14 +63,12 @@ impl Stack {
     /// The path is also expected to be normalized, and should not contain extra separators, and must not contain `..`
     /// or have leading or trailing slashes (or additionally backslashes on Windows).
     pub fn make_relative_path_current(&mut self, relative: &Path, delegate: &mut dyn Delegate) -> std::io::Result<()> {
-        if relative.as_os_str().is_empty() {
+        if self.valid_components != 0 && relative.as_os_str().is_empty() {
             return Err(std::io::Error::new(
                 std::io::ErrorKind::Other,
                 "empty inputs are not allowed",
             ));
         }
-        // TODO: prevent leading or trailing slashes, on Windows also backslashes.
-        //       prevent leading backslashes on Windows as they are strange
         if self.valid_components == 0 {
             delegate.push_directory(self)?;
         }

gix-fs/src/stack.rs

@@ -157,6 +157,20 @@ fn path_join_handling() {
     );
 }
 
+#[test]
+fn empty_paths_are_noop_if_no_path_was_pushed_before() {
+    let root = PathBuf::from(".");
+    let mut s = Stack::new(root.clone());
+
+    let mut r = Record::default();
+    s.make_relative_path_current("".as_ref(), &mut r).unwrap();
+    assert_eq!(
+        s.current_relative().to_string_lossy(),
+        "",
+        "it's fine to push an empty path to get a value for the stack root, once"
+    );
+}
+
 #[test]
 fn relative_components_are_invalid() {
     let root = PathBuf::from(".");

gix-fs/tests/stack/mod.rs

@@ -16,9 +16,9 @@ doctest = false
 [features]
 default = ["attributes"]
 ## Instantiate stacks that can access `.gitattributes` information.
-attributes = ["dep:gix-attributes"]
+attributes = ["dep:gix-attributes", "dep:gix-validate"]
 ## Data structures implement `serde::Serialize` and `serde::Deserialize`.
-serde = [ "dep:serde", "bstr/serde", "gix-index/serde", "gix-hash/serde", "gix-object/serde", "gix-attributes?/serde", "gix-ignore/serde" ]
+serde = ["dep:serde", "bstr/serde", "gix-index/serde", "gix-hash/serde", "gix-object/serde", "gix-attributes?/serde", "gix-ignore/serde"]
 
 [dependencies]
 gix-index = { version = "^0.32.1", path = "../gix-index" }
@@ -28,10 +28,11 @@ gix-object = { version = "^0.42.0", path = "../gix-object" }
 gix-glob = { version = "^0.16.2", path = "../gix-glob" }
 gix-path = { version = "^0.10.7", path = "../gix-path" }
 gix-attributes = { version = "^0.22.2", path = "../gix-attributes", optional = true }
+gix-validate = { version = "^0.8.4", path = "../gix-validate", optional = true }
 gix-ignore = { version = "^0.11.2", path = "../gix-ignore" }
 gix-features = { version = "^0.38.1", path = "../gix-features" }
 
-serde = { version = "1.0.114", optional = true, default-features = false, features = ["derive"]}
+serde = { version = "1.0.114", optional = true, default-features = false, features = ["derive"] }
 bstr = { version = "1.3.0", default-features = false }
 
 document-features = { version = "0.2.0", optional = true }

gix-worktree/Cargo.toml

@@ -19,6 +19,9 @@ pub use gix_glob as glob;
 pub use gix_ignore as ignore;
 /// Provides types needed for using [`Stack::at_path()`] and [`Stack::at_entry()`].
 pub use gix_object as object;
+/// Provides types needed for using [`stack::State::for_checkout()`].
+#[cfg(feature = "attributes")]
+pub use gix_validate as validate;
 
 /// A cache for efficiently executing operations on directories and files which are encountered in sorted order.
 /// That way, these operations can be re-used for subsequent invocations in the same directory.

gix-worktree/src/lib.rs

@@ -88,14 +88,18 @@ impl<'a, 'find> gix_fs::stack::Delegate for StackDelegate<'a, 'find> {
             #[cfg(feature = "attributes")]
             State::CreateDirectoryAndAttributesStack {
                 unlink_on_collision,
+                validate,
                 attributes: _,
-            } => create_leading_directory(
-                is_last_component,
-                stack,
-                self.is_dir,
-                &mut self.statistics.delegate.num_mkdir_calls,
-                *unlink_on_collision,
-            )?,
+            } => {
+                validate_last_component(stack, *validate)?;
+                create_leading_directory(
+                    is_last_component,
+                    stack,
+                    self.is_dir,
+                    &mut self.statistics.delegate.num_mkdir_calls,
+                    *unlink_on_collision,
+                )?
+            }
             #[cfg(feature = "attributes")]
             State::AttributesAndIgnoreStack { .. } | State::AttributesStack(_) => {}
             State::IgnoreStack(_) => {}
@@ -122,6 +126,29 @@ impl<'a, 'find> gix_fs::stack::Delegate for StackDelegate<'a, 'find> {
     }
 }
 
+#[cfg(feature = "attributes")]
+fn validate_last_component(stack: &gix_fs::Stack, opts: gix_validate::path::component::Options) -> std::io::Result<()> {
+    // TODO: add mode-information
+    let Some(last_component) = stack.current_relative().components().rev().next() else {
+        return Ok(());
+    };
+    let last_component =
+        gix_path::try_into_bstr(std::borrow::Cow::Borrowed(last_component.as_os_str().as_ref())).map_err(|_err| {
+            std::io::Error::new(
+                std::io::ErrorKind::Other,
+                format!(
+                    "Path component {last_component:?} of path \"{}\" contained invalid UTF-8 and could not be validated",
+                    stack.current_relative().display()
+                ),
+            )
+        })?;
+
+    if let Err(err) = gix_validate::path::component(last_component.as_ref(), None, opts) {
+        return Err(std::io::Error::new(std::io::ErrorKind::Other, err));
+    }
+    Ok(())
+}
+
 #[cfg(feature = "attributes")]
 fn create_leading_directory(
     is_last_component: bool,

gix-worktree/src/stack/delegate.rs

@@ -28,6 +28,8 @@ pub enum State {
     CreateDirectoryAndAttributesStack {
         /// If there is a symlink or a file in our path, try to unlink it before creating the directory.
         unlink_on_collision: bool,
+        /// Options to control how newly created path components should be validated.
+        validate: gix_validate::path::component::Options,
         /// State to handle attribute information
         attributes: state::Attributes,
     },
@@ -135,18 +137,22 @@ impl Stack {
     /// All effects are similar to [`at_path()`][Self::at_path()].
     ///
     /// If `relative` ends with `/` and `is_dir` is `None`, it is automatically assumed to be a directory.
-    ///
-    /// ### Panics
-    ///
-    /// on illformed UTF8 in `relative`
     pub fn at_entry<'r>(
         &mut self,
         relative: impl Into<&'r BStr>,
         is_dir: Option<bool>,
         objects: &dyn gix_object::Find,
     ) -> std::io::Result<Platform<'_>> {
         let relative = relative.into();
-        let relative_path = gix_path::from_bstr(relative);
+        let relative_path = gix_path::try_from_bstr(relative).map_err(|_err| {
+            std::io::Error::new(
+                std::io::ErrorKind::Other,
+                format!(
+                    "The path \"{}\" contained invalid UTF-8 and could not be turned into a path",
+                    relative
+                ),
+            )
+        })?;
 
         self.at_path(
             relative_path,

gix-worktree/src/stack/mod.rs

@@ -60,9 +60,14 @@ pub mod ignore;
 impl State {
     /// Configure a state to be suitable for checking out files, which only needs access to attribute files read from the index.
     #[cfg(feature = "attributes")]
-    pub fn for_checkout(unlink_on_collision: bool, attributes: Attributes) -> Self {
+    pub fn for_checkout(
+        unlink_on_collision: bool,
+        validate: gix_validate::path::component::Options,
+        attributes: Attributes,
+    ) -> Self {
         State::CreateDirectoryAndAttributesStack {
             unlink_on_collision,
+            validate,
             attributes,
         }
     }

gix-worktree/src/stack/state/mod.rs

@@ -17,6 +17,7 @@ fn baseline() -> crate::Result {
     let mut collection = gix_attributes::search::MetadataCollection::default();
     let state = gix_worktree::stack::State::for_checkout(
         false,
+        Default::default(),
         state::Attributes::new(
             gix_attributes::Search::new_globals([base.join("user.attributes")], &mut buf, &mut collection)?,
             Some(git_dir.join("info").join("attributes")),

gix-worktree/tests/worktree/stack/attributes.rs

@@ -8,7 +8,7 @@ fn root_is_assumed_to_exist_and_files_in_root_do_not_create_directory() -> crate
     let dir = tempdir()?;
     let mut cache = Stack::new(
         dir.path().join("non-existing-root"),
-        stack::State::for_checkout(false, Default::default()),
+        stack::State::for_checkout(false, Default::default(), Default::default()),
         Default::default(),
         Vec::new(),
         Default::default(),
@@ -54,6 +54,23 @@ fn existing_directories_are_fine() -> crate::Result {
     Ok(())
 }
 
+#[test]
+fn validation_to_each_component() -> crate::Result {
+    let (mut cache, tmp) = new_cache();
+
+    let err = cache
+        .at_path("valid/.gIt", Some(false), &gix_object::find::Never)
+        .unwrap_err();
+    assert_eq!(
+        cache.statistics().delegate.num_mkdir_calls,
+        1,
+        "the valid directory was created"
+    );
+    assert!(tmp.path().join("valid").is_dir(), "it was actually created");
+    assert_eq!(err.to_string(), "The .git name may never be used");
+    Ok(())
+}
+
 #[test]
 fn symlinks_or_files_in_path_are_forbidden_or_unlinked_when_forced() -> crate::Result {
     let (mut cache, tmp) = new_cache();
@@ -110,7 +127,7 @@ fn new_cache() -> (Stack, TempDir) {
     let dir = tempdir().unwrap();
     let cache = Stack::new(
         dir.path(),
-        stack::State::for_checkout(false, Default::default()),
+        stack::State::for_checkout(false, Default::default(), Default::default()),
         Default::default(),
         Vec::new(),
         Default::default(),