filter out control characters in error messages

giveup changed to filter out control characters. (It is too low level to make it use StringContainingQuotedPath.) error still does not, but it should only be used for internal errors, where the message is not attacker-controlled. Changed a lot of existing error to giveup when it is not strictly an internal error. Of course, other exceptions can still be thrown, either by code in git-annex, or a library, that include some attacker-controlled value. This does not guard against those. Sponsored-by: Noam Kremen on Patreon
2023-04-10 13:38:14 -04:00 · 2023-04-10 13:38:14 -04:00 · cd544e548b
commit cd544e548b
parent 063c00e4f7
69 changed files with 142 additions and 103 deletions
--- a/Git/CatFile.hs
+++ b/Git/CatFile.hs
@ -120,7 +120,7 @@ catObjectDetails h object = query (catFileProcess h) object newlinefallback $ \f
 			content <- readObjectContent from r
 			return $ Just (content, sha, objtype)
 		Just DNE -> return Nothing
-		Nothing -> error $ "unknown response from git cat-file " ++ show (header, object)
+		Nothing -> giveup $ "unknown response from git cat-file " ++ show (header, object)
  where
 	-- Slow fallback path for filenames containing newlines.
 	newlinefallback = queryObjectType object (catFileGitRepo h) >>= \case
@ -144,7 +144,7 @@ readObjectContent h (ParsedResp _ _ size) = do
 	eatchar expected = do
 		c <- hGetChar h
 		when (c /= expected) $
-			error $ "missing " ++ (show expected) ++ " from git cat-file"
+			giveup $ "missing " ++ (show expected) ++ " from git cat-file"
 readObjectContent _ DNE = error "internal"

 {- Gets the size and type of an object, without reading its content. -}
--- a/Git/CheckAttr.hs
+++ b/Git/CheckAttr.hs
@ -54,7 +54,7 @@ checkAttrs (h, attrs, currdir) want file = do
 	getvals l (x:xs) = case map snd $ filter (\(attr, _) -> attr == x) l of
 			["unspecified"] -> "" : getvals l xs
 			[v] -> v : getvals l xs
-			_ -> error $ "unable to determine " ++ x ++ " attribute of " ++ fromRawFilePath file
+			_ -> giveup $ "unable to determine " ++ x ++ " attribute of " ++ fromRawFilePath file

 	send to = B.hPutStr to $ file' `B.snoc` 0
 	receive c from = do
--- a/Git/Construct.hs
+++ b/Git/Construct.hs
@ -86,7 +86,7 @@ fromAbsPath :: RawFilePath -> IO Repo
 fromAbsPath dir
 	| absoluteGitPath dir = fromPath dir
 	| otherwise =
-		error $ "internal error, " ++ show dir ++ " is not absolute"
+		giveup $ "internal error, " ++ show dir ++ " is not absolute"

 {- Construct a Repo for a remote's url.
 -
--- a/Git/DiffTree.hs
+++ b/Git/DiffTree.hs
@ -113,8 +113,8 @@ parseDiffRaw l = go l
 	go [] = []
 	go (info:f:rest) = case A.parse (parserDiffRaw (L.toStrict f)) info of
 		A.Done _ r -> r : go rest
-		A.Fail _ _ err -> error $ "diff-tree parse error: " ++ err
-	go (s:[]) = error $ "diff-tree parse error near \"" ++ decodeBL s ++ "\""
+		A.Fail _ _ err -> giveup $ "diff-tree parse error: " ++ err
+	go (s:[]) = giveup $ "diff-tree parse error near \"" ++ decodeBL s ++ "\""

 -- :<srcmode> SP <dstmode> SP <srcsha> SP <dstsha> SP <status>
 --
--- a/Git/PktLine.hs
+++ b/Git/PktLine.hs
@ -31,6 +31,7 @@ import Text.Printf

 import Utility.PartialPrelude
 import Utility.FileSystemEncoding
+import Utility.Exception

 {- This is a variable length binary string, but its size is limited to
 - maxPktLineLength. Its serialization includes a 4 byte hexadecimal
@ -96,7 +97,7 @@ encodePktLine b
 stringPktLine :: String -> PktLine
 stringPktLine s
 	| length s > maxPktLineLength =
-		error "textPktLine called with too-long value"
+		giveup "textPktLine called with too-long value"
 	| otherwise = PktLine (encodeBS s <> "\n")

 {- Sends a PktLine to a Handle, and flushes it so that it will be
--- a/Git/Sha.hs
+++ b/Git/Sha.hs
@ -20,7 +20,7 @@ import Data.Char
 getSha :: String -> IO S.ByteString -> IO Sha
 getSha subcommand a = maybe bad return =<< extractSha <$> a
  where
-	bad = error $ "failed to read sha from git " ++ subcommand
+	bad = giveup $ "failed to read sha from git " ++ subcommand

 {- Extracts the Sha from a ByteString. 
 -
--- a/Git/Tree.hs
+++ b/Git/Tree.hs
@ -62,7 +62,7 @@ data TreeContent
 getTree :: LsTree.LsTreeRecursive -> Ref -> Repo -> IO Tree
 getTree recursive r repo = do
 	(l, cleanup) <- lsTreeWithObjects recursive r repo
-	let !t = either (\e -> error ("ls-tree parse error:" ++ e)) id
+	let !t = either (\e -> giveup ("ls-tree parse error:" ++ e)) id
 		(extractTree l)
 	void cleanup
 	return t
@ -254,7 +254,7 @@ adjustTree adjusttreeitem addtreeitems resolveaddconflict removefiles r repo =
 					Just (TreeItem f m s) -> 
 						let commit = TreeCommit f m s
 						in go h wasmodified (commit:c) depth intree is
-			_ -> error ("unexpected object type \"" ++ decodeBS (LsTree.typeobj i) ++ "\"")
+			_ -> giveup ("unexpected object type \"" ++ decodeBS (LsTree.typeobj i) ++ "\"")
 		| otherwise = return (c, wasmodified, i:is)

 	adjustlist h depth ishere underhere l = do
--- a/Git/UnionMerge.hs
+++ b/Git/UnionMerge.hs
@ -78,7 +78,7 @@ doMerge hashhandle ch differ repo streamer = do
 	go [] = noop
 	go (info:file:rest) = mergeFile info file hashhandle ch >>=
 		maybe (go rest) (\l -> streamer l >> go rest)
-	go (_:[]) = error $ "parse error " ++ show differ
+	go (_:[]) = giveup $ "parse error " ++ show differ

 {- Given an info line from a git raw diff, and the filename, generates
 - a line suitable for update-index that union merges the two sides of the