feat(tvix/castore/import): only allow normal components in entry paths

Explicitly document and add a debug assertion for that. It's up to callers to ensure this doesn't happen. Change-Id: Ib5d154809c2ad2920258e239993d0b790d846dc8 Reviewed-on: https://cl.tvl.fyi/c/depot/+/11487 Reviewed-by: Connor Brewster <cbrewster@hey.com> Autosubmit: flokli <flokli@flokli.de> Tested-by: BuildkiteCI
2024-04-20 16:03:41 +03:00 · 2024-04-20 16:03:41 +03:00 · f34e0fa342
commit f34e0fa342
parent e9db0449e7
1 changed files with 10 additions and 1 deletions
--- a/tvix/castore/src/import/mod.rs
+++ b/tvix/castore/src/import/mod.rs
@ -40,7 +40,8 @@ pub mod fs;
 /// The stream must have the following invariants:
 /// - All children entries must come before their parents.
 /// - The last entry must be the root node which must have a single path component.
-/// - Every entry should have a unique path.
+/// - Every entry should have a unique path, and only consist of normal components.
+///   This means, no windows path prefixes, absolute paths, `.` or `..`.
 ///
 /// Internally we maintain a [HashMap] of [PathBuf] to partially populated [Directory] at that
 /// path. Once we receive an [IngestionEntry] for the directory itself, we remove it from the
@ -65,6 +66,14 @@ where
            // we break the loop manually.
            .expect("Tvix bug: unexpected end of stream")?;

+        debug_assert!(
+            entry
+                .path()
+                .components()
+                .all(|x| matches!(x, std::path::Component::Normal(_))),
+            "path may only contain normal components"
+        );
+
        let name = entry
            .path()
            .file_name()