fix: prevent very long path from using unbounded time in realpath().

Byron · Byron · commit 8d4bf403aecb · 2024-01-18T20:54:06.000+01:00
It's possible to inject such paths using urls which can then end up
being canonicalized, causing very long runtimes with excessively long
paths due to `is_symlink` calls which will be slow.

Now the amount of components is limited to 4096/2, which should be
a worst-case path at the border of realistic.

If this limitation becomes too arbitrary, one could consider making
this cut-off value configurable.
diff --git a/gix-path/src/realpath.rs b/gix-path/src/realpath.rs
@@ -4,6 +4,8 @@
 pub enum Error {
     #[error("The maximum allowed number {} of symlinks in path is exceeded", .max_symlinks)]
     MaxSymlinksExceeded { max_symlinks: u8 },
+    #[error("Cannot resolve symlinks in path with more than {max_symlink_checks} components (takes too long)")]
+    ExcessiveComponentCount { max_symlink_checks: usize },
     #[error(transparent)]
     ReadLink(std::io::Error),
     #[error(transparent)]
@@ -57,6 +59,8 @@ pub(crate) mod function {
         let mut num_symlinks = 0;
         let mut path_backing: PathBuf;
         let mut components = path.components();
+        const MAX_SYMLINK_CHECKS: usize = 2048;
+        let mut symlink_checks = 0;
         while let Some(component) = components.next() {
             match component {
                 part @ (RootDir | Prefix(_)) => real_path.push(part),
@@ -68,6 +72,7 @@ pub(crate) mod function {
                 }
                 Normal(part) => {
                     real_path.push(part);
+                    symlink_checks += 1;
                     if real_path.is_symlink() {
                         num_symlinks += 1;
                         if num_symlinks > max_symlinks {
@@ -83,6 +88,11 @@ pub(crate) mod function {
                         path_backing = link_destination;
                         components = path_backing.components();
                     }
+                    if symlink_checks > MAX_SYMLINK_CHECKS {
+                        return Err(Error::ExcessiveComponentCount {
+                            max_symlink_checks: MAX_SYMLINK_CHECKS,
+                        });
+                    }
                 }
             }
         }
diff --git a/gix-path/tests/fixtures/fuzzed/54k-path-components.path b/gix-path/tests/fixtures/fuzzed/54k-path-components.path
diff --git a/gix-path/tests/realpath/mod.rs b/gix-path/tests/realpath/mod.rs
@@ -1,8 +1,31 @@
-use std::path::Path;
+use std::path::{Path, PathBuf};
+use std::time::Duration;
 
-use gix_path::{realpath::Error, realpath_opts};
+use bstr::ByteVec;
 use tempfile::tempdir;
 
+use gix_path::{realpath::Error, realpath_opts};
+
+#[test]
+fn fuzzed_timeout() -> crate::Result {
+    let path = PathBuf::from(std::fs::read("tests/fixtures/fuzzed/54k-path-components.path")?.into_string()?);
+    assert_eq!(path.components().count(), 54862);
+    let start = std::time::Instant::now();
+    assert!(matches!(
+        gix_path::realpath_opts(&path, Path::new("/cwd"), gix_path::realpath::MAX_SYMLINKS).unwrap_err(),
+        gix_path::realpath::Error::ExcessiveComponentCount {
+            max_symlink_checks: 2048
+        }
+    ));
+    assert!(
+        start.elapsed() < Duration::from_millis(500),
+        "took too long: {:.02} , we can't take too much time for this, and should keep the amount of work reasonable\
+        as paths can be part of URls which sometimes are canonicalized",
+        start.elapsed().as_secs_f32()
+    );
+    Ok(())
+}
+
 #[test]
 fn assorted() -> crate::Result {
     let cwd = tempdir()?;
