add symlink checking for gix status

The motivation for this is git/git@f62ce3d .

Author: Byron

gix-status/src/index_as_worktree/function.rs

@@ -72,9 +72,9 @@ where
                     State {
                         buf: Vec::new(),
                         odb_buf: Vec::new(),
+                        path_stack: crate::SymlinkCheck::new(worktree.to_owned()),
                         timestamp,
                         path_backing,
-                        worktree,
                         options,
                     },
                     compare,
@@ -104,9 +104,8 @@ struct State<'a, 'b> {
     buf: Vec<u8>,
     odb_buf: Vec<u8>,
     timestamp: FileTime,
-    // path_cache: fs::Cache TODO path cache
+    path_stack: crate::SymlinkCheck,
     path_backing: &'b [u8],
-    worktree: &'a Path,
     options: &'a Options,
 }
 
@@ -195,12 +194,13 @@ impl<'index> State<'_, 'index> {
         E: std::error::Error + Send + Sync + 'static,
         Find: for<'a> FnMut(&gix_hash::oid, &'a mut Vec<u8>) -> Result<gix_object::BlobRef<'a>, E>,
     {
-        // TODO fs cache
         let worktree_path = gix_path::try_from_bstr(git_path).map_err(|_| Error::IllformedUtf8)?;
-        let worktree_path = self.worktree.join(worktree_path);
+        let worktree_path = match self.path_stack.verified_path(worktree_path.as_ref()) {
+            Ok(path) => path,
+            Err(err) if err.kind() == std::io::ErrorKind::NotFound => return Ok(Some(Change::Removed)),
+            Err(err) => return Err(Error::Io(err)),
+        };
         let metadata = match worktree_path.symlink_metadata() {
-            // TODO: check if any parent directory is a symlink
-            //       we need to use fs::Cache for that
             Ok(metadata) if metadata.is_dir() => {
                 // index entries are normally only for files/symlinks
                 // if a file turned into a directory it was removed
@@ -256,7 +256,7 @@ impl<'index> State<'_, 'index> {
 
         let read_file = WorktreeBlob {
             buf: &mut self.buf,
-            path: &worktree_path,
+            path: worktree_path,
             entry,
             options: self.options,
         };

gix-status/src/lib.rs

@@ -31,3 +31,13 @@ pub trait Pathspec {
     /// `is_dir` is `true` if `relative_path` is a directory.
     fn is_included(&mut self, relative_path: &BStr, is_dir: Option<bool>) -> bool;
 }
+
+/// A stack that validates we are not going through a symlink in a way that is read-only.
+///
+/// It can efficiently validate paths when these are queried in sort-order, which leads to each component
+/// to only be checked once.
+pub struct SymlinkCheck {
+    inner: gix_fs::Stack,
+}
+
+mod stack;

gix-status/src/stack.rs

@@ -0,0 +1,59 @@
+use crate::SymlinkCheck;
+use gix_fs::Stack;
+use std::path::{Path, PathBuf};
+
+impl SymlinkCheck {
+    /// Create a new stack that starts operating at `root`.
+    pub fn new(root: PathBuf) -> Self {
+        Self {
+            inner: gix_fs::Stack::new(root),
+        }
+    }
+
+    /// Return a valid filesystem path located in our root by appending `relative_path`, which is guaranteed to
+    /// not pass through a symbolic link. That way the caller can be sure to not be misled by an attacker that
+    /// tries to make us reach outside of the repository.
+    ///
+    /// Note that the file pointed to by `relative_path` may still be a symbolic link, or not exist at all,
+    /// and that an error may also be produced if directories on the path leading to the leaf
+    /// component of `relative_path` are missing.
+    ///
+    /// ### Note
+    ///
+    /// On windows, no verification is performed, instead only the combined path is provided as usual.
+    pub fn verified_path(&mut self, relative_path: &Path) -> std::io::Result<&Path> {
+        self.inner.make_relative_path_current(relative_path, &mut Delegate)?;
+        Ok(self.inner.current())
+    }
+}
+
+struct Delegate;
+
+impl gix_fs::stack::Delegate for Delegate {
+    fn push_directory(&mut self, _stack: &Stack) -> std::io::Result<()> {
+        Ok(())
+    }
+
+    fn push(&mut self, is_last_component: bool, stack: &Stack) -> std::io::Result<()> {
+        #[cfg(windows)]
+        {
+            Ok(())
+        }
+        #[cfg(not(windows))]
+        {
+            if is_last_component {
+                return Ok(());
+            }
+
+            if stack.current().symlink_metadata()?.is_symlink() {
+                return Err(std::io::Error::new(
+                    std::io::ErrorKind::Other,
+                    "Cannot step through symlink to perform an lstat",
+                ));
+            }
+            Ok(())
+        }
+    }
+
+    fn pop_directory(&mut self) {}
+}

gix-status/tests/fixtures/generated-archives/.gitignore

@@ -1,2 +1,3 @@
 status_unchanged.tar.xz
 status_changed.tar.xz
+symlink_stack.tar.xz

gix-status/tests/fixtures/symlink_stack.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+set -eu -o pipefail
+
+mkdir base;
+(cd base
+  touch file
+  mkdir dir
+  touch dir/file-in-dir
+  (cd dir
+    ln -s file-in-dir filelink
+    mkdir subdir
+    ln -s subdir dirlink
+  )
+
+  ln -s file root-filelink
+  ln -s dir root-dirlink
+)
+
+ln -s base symlink-base
+

gix-status/tests/stack/mod.rs

@@ -0,0 +1,107 @@
+fn stack() -> gix_status::SymlinkCheck {
+    stack_in("base")
+}
+
+fn stack_in(dir: &str) -> gix_status::SymlinkCheck {
+    gix_status::SymlinkCheck::new(
+        gix_testtools::scripted_fixture_read_only_standalone("symlink_stack.sh")
+            .expect("valid script")
+            .join(dir),
+    )
+}
+
+#[test]
+fn paths_not_going_through_symlink_directories_are_ok_and_point_to_correct_item() -> crate::Result {
+    for root in ["base", "symlink-base"] {
+        let mut stack = stack_in(root);
+        for (rela_path, expectation) in [
+            ("root-filelink", is_symlink as fn(&std::fs::Metadata) -> bool),
+            ("root-dirlink", is_symlinked_dir),
+            ("file", is_file),
+            ("dir/file-in-dir", is_file),
+            ("dir", is_dir),
+            ("dir/subdir", is_dir),
+            ("dir/filelink", is_symlink),
+            ("dir/dirlink", is_symlinked_dir),
+        ] {
+            assert!(
+                expectation(&stack.verified_path(rela_path.as_ref())?.symlink_metadata()?),
+                "{rela_path:?} expectation failed"
+            );
+        }
+    }
+    Ok(())
+}
+
+#[test]
+fn leaf_file_does_not_have_to_exist() -> crate::Result {
+    assert!(!stack().verified_path("dir/does-not-exist".as_ref())?.exists());
+    Ok(())
+}
+
+#[test]
+#[cfg(not(windows))]
+fn intermediate_directories_have_to_exist_or_not_found_error() -> crate::Result {
+    assert_eq!(
+        stack()
+            .verified_path("nonexisting-dir/file".as_ref())
+            .unwrap_err()
+            .kind(),
+        std::io::ErrorKind::NotFound
+    );
+    Ok(())
+}
+
+#[test]
+#[cfg(windows)]
+fn intermediate_directories_do_not_have_exist_for_success() -> crate::Result {
+    assert!(stack().verified_path("nonexisting-dir/file".as_ref()).is_ok());
+    Ok(())
+}
+
+#[test]
+#[cfg_attr(
+    windows,
+    ignore = "on windows, symlinks appear to be files or dirs, is_symlink() doesn't work"
+)]
+fn paths_leading_through_symlinks_are_rejected() {
+    let mut stack = stack();
+    assert_eq!(
+        stack
+            .verified_path("root-dirlink/file-in-dir".as_ref())
+            .unwrap_err()
+            .kind(),
+        std::io::ErrorKind::Other,
+        "root-dirlink is a symlink to a directory"
+    );
+
+    assert_eq!(
+        stack.verified_path("dir/dirlink/nothing".as_ref()).unwrap_err().kind(),
+        std::io::ErrorKind::Other,
+        "root-dirlink is a symlink to a directory"
+    );
+}
+
+fn is_symlink(m: &std::fs::Metadata) -> bool {
+    if cfg!(windows) {
+        // On windows, symlinks can't be seen, at least not through std
+        m.is_file()
+    } else {
+        m.is_symlink()
+    }
+}
+
+fn is_symlinked_dir(m: &std::fs::Metadata) -> bool {
+    if cfg!(windows) {
+        // On windows, symlinks can't be seen, at least not through std
+        m.is_dir()
+    } else {
+        m.is_symlink()
+    }
+}
+fn is_file(m: &std::fs::Metadata) -> bool {
+    m.is_file()
+}
+fn is_dir(m: &std::fs::Metadata) -> bool {
+    m.is_dir()
+}

gix-status/tests/worktree.rs

@@ -1,2 +1,6 @@
+pub use gix_testtools::Result;
+
 mod status;
 use status::*;
+
+mod stack;