fix: ToNormalPathComponent now also validates the component if it's not a Path.

Byron · Byron · commit a7578038151b · 2025-04-20T22:12:15.000+02:00
Previously it was possible for strings or BString/BStr to contain non-normal
components, now there is much more validation.
diff --git a/gix-fs/src/stack.rs b/gix-fs/src/stack.rs
@@ -50,30 +50,43 @@ fn component_to_os_str<'a>(
 
 impl ToNormalPathComponents for &BStr {
     fn to_normal_path_components(&self) -> impl Iterator<Item = Result<&OsStr, to_normal_path_components::Error>> {
-        self.split(|b| *b == b'/').filter_map(bytes_component_to_os_str)
+        self.split(|b| *b == b'/')
+            .filter_map(|c| bytes_component_to_os_str(c, self))
     }
 }
 
 impl ToNormalPathComponents for &str {
     fn to_normal_path_components(&self) -> impl Iterator<Item = Result<&OsStr, to_normal_path_components::Error>> {
-        self.split('/').filter_map(|c| bytes_component_to_os_str(c.as_bytes()))
+        self.split('/')
+            .filter_map(|c| bytes_component_to_os_str(c.as_bytes(), (*self).into()))
     }
 }
 
 impl ToNormalPathComponents for &BString {
     fn to_normal_path_components(&self) -> impl Iterator<Item = Result<&OsStr, to_normal_path_components::Error>> {
-        self.split(|b| *b == b'/').filter_map(bytes_component_to_os_str)
+        self.split(|b| *b == b'/')
+            .filter_map(|c| bytes_component_to_os_str(c, self.as_bstr()))
     }
 }
 
-fn bytes_component_to_os_str(component: &[u8]) -> Option<Result<&OsStr, to_normal_path_components::Error>> {
+fn bytes_component_to_os_str<'a>(
+    component: &'a [u8],
+    path: &BStr,
+) -> Option<Result<&'a OsStr, to_normal_path_components::Error>> {
     if component.is_empty() {
         return None;
     }
-    gix_path::try_from_byte_slice(component.as_bstr())
+    let component = match gix_path::try_from_byte_slice(component.as_bstr())
         .map_err(|_| to_normal_path_components::Error::IllegalUtf8)
-        .map(Path::as_os_str)
-        .into()
+    {
+        Ok(c) => c,
+        Err(err) => return Some(Err(err)),
+    };
+    let component = component.components().next()?;
+    Some(component_to_os_str(
+        component,
+        gix_path::try_from_byte_slice(path.as_ref()).ok()?,
+    ))
 }
 
 /// Access
diff --git a/gix-fs/tests/fs/stack.rs b/gix-fs/tests/fs/stack.rs
@@ -246,6 +246,19 @@ fn absolute_paths_are_invalid() -> crate::Result {
         r#"Input path "/" contains relative or absolute components"#,
         "a leading slash is always considered absolute"
     );
+    s.make_relative_path_current("/", &mut r)?;
+    assert_eq!(
+        s.current(),
+        s.root(),
+        "as string this is a no-op as it's just split by /"
+    );
+
+    let err = s.make_relative_path_current("../breakout", &mut r).unwrap_err();
+    assert_eq!(
+        err.to_string(),
+        r#"Input path "../breakout" contains relative or absolute components"#,
+        "otherwise breakout attempts are detected"
+    );
     s.make_relative_path_current(p("a/"), &mut r)?;
     assert_eq!(
         s.current(),
