feat: defend against CON device names and more if gitoxide.core.protectWindows is enabled.

Byron · Byron · commit a67d82dce434 · 2024-05-19T10:49:29.000+02:00
Note that trailing `.` are forbidden for some reason, but trailing ` ` (space) is forbidden
as it's just ignored when creating directories or files, allowing them to be clobbered
and merged silently.
diff --git a/gix-validate/src/path.rs b/gix-validate/src/path.rs
@@ -13,6 +13,10 @@ pub mod component {
         PathSeparator,
         #[error("Window path prefixes are not allowed")]
         WindowsPathPrefix,
+        #[error("Windows device-names may have side-effects and are not allowed")]
+        WindowsReservedName,
+        #[error("Trailing spaces or dots and the following characters are forbidden in Windows paths, along with non-printable ones: <>:\"|?*")]
+        WindowsIllegalCharacter,
         #[error("The .git name may never be used")]
         DotGitDir,
         #[error("The .gitmodules file must not be a symlink")]
@@ -101,6 +105,12 @@ pub fn component(
         if is_symlink(mode) && is_dot_ntfs(input, "gitmodules", "gi7eba") {
             return Err(component::Error::SymlinkedGitModules);
         }
+
+        if protect_windows {
+            if let Some(err) = check_win_devices_and_illegal_characters(input) {
+                return Err(err);
+            }
+        }
     }
 
     if !(protect_hfs | protect_ntfs) {
@@ -114,6 +124,44 @@ pub fn component(
     Ok(input)
 }
 
+fn check_win_devices_and_illegal_characters(input: &BStr) -> Option<component::Error> {
+    let in3 = input.get(..3)?;
+    if in3.eq_ignore_ascii_case(b"aux") && is_done_windows(input.get(3..)) {
+        return Some(component::Error::WindowsReservedName);
+    }
+    if in3.eq_ignore_ascii_case(b"nul") && is_done_windows(input.get(3..)) {
+        return Some(component::Error::WindowsReservedName);
+    }
+    if in3.eq_ignore_ascii_case(b"prn") && is_done_windows(input.get(3..)) {
+        return Some(component::Error::WindowsReservedName);
+    }
+    if in3.eq_ignore_ascii_case(b"com")
+        && input.get(3).map_or(false, |n| *n >= b'1' && *n <= b'9')
+        && is_done_windows(input.get(4..))
+    {
+        return Some(component::Error::WindowsReservedName);
+    }
+    if in3.eq_ignore_ascii_case(b"lpt")
+        && input.get(3).map_or(false, |n| n.is_ascii_digit())
+        && is_done_windows(input.get(4..))
+    {
+        return Some(component::Error::WindowsReservedName);
+    }
+    if in3.eq_ignore_ascii_case(b"con")
+        && ((input.get(3..6).map_or(false, |n| n.eq_ignore_ascii_case(b"in$")) && is_done_windows(input.get(6..)))
+            || (input.get(3..7).map_or(false, |n| n.eq_ignore_ascii_case(b"out$")) && is_done_windows(input.get(7..))))
+    {
+        return Some(component::Error::WindowsReservedName);
+    }
+    if input.iter().find(|b| **b < 0x20 || b":<>\"|?*".contains(b)).is_some() {
+        return Some(component::Error::WindowsIllegalCharacter);
+    }
+    if input.ends_with(b".") || input.ends_with(b" ") {
+        return Some(component::Error::WindowsIllegalCharacter);
+    }
+    None
+}
+
 fn is_symlink(mode: Option<component::Mode>) -> bool {
     mode.map_or(false, |m| m == component::Mode::Symlink)
 }
@@ -244,3 +292,10 @@ fn is_done_ntfs(input: Option<&[u8]>) -> bool {
     }
     true
 }
+
+fn is_done_windows(input: Option<&[u8]>) -> bool {
+    let Some(input) = input else { return true };
+    let skip = input.bytes().take_while(|b| *b == b' ').count();
+    let Some(next) = input.get(skip) else { return true };
+    !(*next != b'.' && *next != b':')
+}
diff --git a/gix-validate/tests/path/mod.rs b/gix-validate/tests/path/mod.rs
@@ -60,6 +60,12 @@ mod component {
         mktest!(not_dot_git_shorter_ntfs_8_3_disabled, b"git~1", NO_OPTS);
         mktest!(not_dot_git_longer_hfs, ".g\u{200c}itu".as_bytes());
         mktest!(not_dot_git_shorter_hfs, ".g\u{200c}i".as_bytes());
+        mktest!(com_0_lower, b"com0");
+        mktest!(com_without_number_0_lower, b"comm");
+        mktest!(conout_without_dollar_with_extension, b"conout.c");
+        mktest!(conin_without_dollar_with_extension, b"conin.c");
+        mktest!(conin_without_dollar, b"conin");
+        mktest!(not_nul, b"null");
         mktest!(
             not_dot_gitmodules_shorter_hfs,
             ".gitm\u{200c}odule".as_bytes(),
@@ -158,6 +164,16 @@ mod component {
             Symlink,
             ALL_OPTS
         );
+        mktest!(
+            not_gitmodules_trailing_space,
+            b".gitmodules x ",
+            Error::WindowsIllegalCharacter
+        );
+        mktest!(
+            not_gitmodules_trailing_stream,
+            b".gitmodules,:$DATA",
+            Error::WindowsIllegalCharacter
+        );
         mktest!(path_separator_slash_between, b"a/b", Error::PathSeparator);
         mktest!(path_separator_slash_leading, b"/a", Error::PathSeparator);
         mktest!(path_separator_slash_trailing, b"a/", Error::PathSeparator);
@@ -167,6 +183,29 @@ mod component {
         mktest!(path_separator_backslash_between, b"a\\b", Error::PathSeparator);
         mktest!(path_separator_backslash_leading, b"\\a", Error::PathSeparator);
         mktest!(path_separator_backslash_trailing, b"a\\", Error::PathSeparator);
+        mktest!(aux_mixed, b"Aux", Error::WindowsReservedName);
+        mktest!(aux_with_extension, b"aux.c", Error::WindowsReservedName);
+        mktest!(com_lower, b"com1", Error::WindowsReservedName);
+        mktest!(com_upper_with_extension, b"COM9.c", Error::WindowsReservedName);
+        mktest!(trailing_space, b"win32 ", Error::WindowsIllegalCharacter);
+        mktest!(trailing_dot, b"win32.", Error::WindowsIllegalCharacter);
+        mktest!(trailing_dot_dot, b"win32 . .", Error::WindowsIllegalCharacter);
+        mktest!(colon_inbetween, b"colon:separates", Error::WindowsIllegalCharacter);
+        mktest!(left_arrow, b"arrow<left", Error::WindowsIllegalCharacter);
+        mktest!(right_arrow, b"arrow>right", Error::WindowsIllegalCharacter);
+        mktest!(apostrophe, b"a\"b", Error::WindowsIllegalCharacter);
+        mktest!(pipe, b"a|b", Error::WindowsIllegalCharacter);
+        mktest!(questionmark, b"a?b", Error::WindowsIllegalCharacter);
+        mktest!(asterisk, b"a*b", Error::WindowsIllegalCharacter);
+        mktest!(lpt_mixed_with_number, b"LPt8", Error::WindowsReservedName);
+        mktest!(nul_mixed, b"NuL", Error::WindowsReservedName);
+        mktest!(prn_mixed_with_extension, b"PrN.abc", Error::WindowsReservedName);
+        mktest!(
+            conout_mixed_with_extension,
+            b"ConOut$  .xyz",
+            Error::WindowsReservedName
+        );
+        mktest!(conin_mixed, b"conIn$  ", Error::WindowsReservedName);
         mktest!(drive_letters, b"c:", Error::WindowsPathPrefix, ALL_OPTS);
         mktest!(
             virtual_drive_letters,
@@ -244,7 +283,6 @@ mod component {
                 "..gitmodules",
                 "gitmodules",
                 ".gitmodule",
-                ".gitmodules x ",
                 ".gitmodules .x",
                 "GI7EBA~",
                 "GI7EBA~0",
@@ -255,7 +293,6 @@ mod component {
                 "GI7EB~1",
                 "GI7EB~01",
                 "GI7EB~1X",
-                ".gitmodules,:$DATA",
             ] {
                 gix_validate::path::component(valid.into(), Some(Symlink), ALL_OPTS)
                     .unwrap_or_else(|_| panic!("{valid:?} should have been valid"));
