git-annex/doc/todo/terminal_escapes_in_filenames.mdwn

    touch $(echo -e "\e[31mfoo\e[0m")
    git-annex add
    git-annex whereis

That displays "foo" in red twice. Compare with behavior of git commands that
display that filename, which display it escaped.

git-annex should probably do the same, when displaying filenames that it's
working on or in messages.

`git-annex find` is an interesting case because it's expected to be
pipeable, and so should have raw filenames. Note that `find` actually
escapes such filenames when outputting to a terminal, but not a pipe.

git porcelain also accepts the escaped form of files as input, necessary for
round-tripping though. git-annex currently does not. (git plumbing doesn't
either)

While terminals mostly protect against escape sequences doing very bad
things, there are security holes in terminals still being found.

Of course, such files in git repos can also be exploited by other commands
eg `echo *`. 

So this does not seem like a security hole in git-annex, but it would be
useful defense in depth against terminal security holes, and also good to
behave more like git.

--[[Joey]]

> Git.Filename.encode is implemented, and only needs to be used.
> Note that core.quotePath controls whether git quotes unicode characters
> (by default it does), so once this gets implemented, some users may want
> to set that config to false. --[[Joey]]

> Update: Messages now handles quoting of filenames, and also filtering
> out any escape sequences in other things that get displayed (like Keys..)
> 
> Still need to deal with `git-annex find` and `git-annex info $file` 
> and anything else that outputs without using Messages.
> (Eg need to do `git-annex metadata`, `git-annex config --get` and `git-annex schedule` and `git-annex wanted`
> and `git-annex required` and `git-annex group`)

----

Also: 
It's possible that keys can also contain an escape sequence, eg in the
extension of a SHA-E key. So commands like `git-annex lookupkey` 
and `git-annex find` that output keys might need to handle
that, when outputting to a terminal?

Also: git-annex initremote with autoenable may be able to cause a remote
with a malicious name to be set up?

Also: Any place that an exception is thrown with an attacker-controlled value.
`giveup` has been made to filter out control characters, but that leaves
other exceptions, including ones thrown by libraries. Catch all exceptions
at top-level (of program and/or worker threads) and filter out control
characters?
todo 2023-04-05 23:37:21 +00:00			`touch $(echo -e "\e[31mfoo\e[0m")`
			`git-annex add`
expand 2023-04-07 17:13:16 +00:00			`git-annex whereis`
todo 2023-04-05 23:37:21 +00:00
			`That displays "foo" in red twice. Compare with behavior of git commands that`
			`display that filename, which display it escaped.`

expand 2023-04-07 17:13:16 +00:00			`git-annex should probably do the same, when displaying filenames that it's`
			`working on or in messages.`

			`git-annex find` is an interesting case because it's expected to be
			pipeable, and so should have raw filenames. Note that `find` actually
			`escapes such filenames when outputting to a terminal, but not a pipe.`

todo 2023-04-05 23:37:21 +00:00			`git porcelain also accepts the escaped form of files as input, necessary for`
			`round-tripping though. git-annex currently does not. (git plumbing doesn't`
			`either)`

			`While terminals mostly protect against escape sequences doing very bad`
			`things, there are security holes in terminals still being found.`

			`Of course, such files in git repos can also be exploited by other commands`
			eg `echo *`.

			`So this does not seem like a security hole in git-annex, but it would be`
			`useful defense in depth against terminal security holes, and also good to`
			`behave more like git.`

			`--[[Joey]]`
full emulation of git filename escaping Not yet used, but the plan is to make git-annex use this when displaying filenames similar to how git does. Sponsored-by: Lawrence Brogan on Patreon 2023-04-07 21:12:55 +00:00
			`> Git.Filename.encode is implemented, and only needs to be used.`
			`> Note that core.quotePath controls whether git quotes unicode characters`
			`> (by default it does), so once this gets implemented, some users may want`
			`> to set that config to false. --[[Joey]]`
git style quoting for ActionItemOther Added StringContainingQuotedPath, which is used for ActionItemOther. In the process, checked every ActionItemOther for those containing filenames, and made them use quoting. Sponsored-by: Graham Spencer on Patreon 2023-04-08 19:48:32 +00:00
filter out control characters in all other Messages This does, as a side effect, make long notes in json output not be indented. The indentation is only needed to offset them underneath the display of the file they apply to, so that's ok. Sponsored-by: Brock Spratlen on Patreon 2023-04-10 21:03:41 +00:00			`> Update: Messages now handles quoting of filenames, and also filtering`
			`> out any escape sequences in other things that get displayed (like Keys..)`
			`>`
			> Still need to deal with `git-annex find` and `git-annex info $file`
			`> and anything else that outputs without using Messages.`
			> (Eg need to do `git-annex metadata`, `git-annex config --get` and `git-annex schedule` and `git-annex wanted`
			> and `git-annex required` and `git-annex group`)
git style quoting for ActionItemOther Added StringContainingQuotedPath, which is used for ActionItemOther. In the process, checked every ActionItemOther for those containing filenames, and made them use quoting. Sponsored-by: Graham Spencer on Patreon 2023-04-08 19:48:32 +00:00
			`----`

			`Also:`
			`It's possible that keys can also contain an escape sequence, eg in the`
			extension of a SHA-E key. So commands like `git-annex lookupkey`
			and `git-annex find` that output keys might need to handle
			`that, when outputting to a terminal?`

			`Also: git-annex initremote with autoenable may be able to cause a remote`
			`with a malicious name to be set up?`
filter out control characters in error messages giveup changed to filter out control characters. (It is too low level to make it use StringContainingQuotedPath.) error still does not, but it should only be used for internal errors, where the message is not attacker-controlled. Changed a lot of existing error to giveup when it is not strictly an internal error. Of course, other exceptions can still be thrown, either by code in git-annex, or a library, that include some attacker-controlled value. This does not guard against those. Sponsored-by: Noam Kremen on Patreon 2023-04-10 17:38:14 +00:00
			`Also: Any place that an exception is thrown with an attacker-controlled value.`
eliminate showStart showStartOther These were not handling control characters and are redundant. Sponsored-by: Jack Hill on Patreon 2023-04-10 20:07:54 +00:00			`giveup` has been made to filter out control characters, but that leaves
filter out control characters in error messages giveup changed to filter out control characters. (It is too low level to make it use StringContainingQuotedPath.) error still does not, but it should only be used for internal errors, where the message is not attacker-controlled. Changed a lot of existing error to giveup when it is not strictly an internal error. Of course, other exceptions can still be thrown, either by code in git-annex, or a library, that include some attacker-controlled value. This does not guard against those. Sponsored-by: Noam Kremen on Patreon 2023-04-10 17:38:14 +00:00			`other exceptions, including ones thrown by libraries. Catch all exceptions`
			`at top-level (of program and/or worker threads) and filter out control`
			`characters?`