From f34e0fa34281f89f673337ce73f21b2957b41a6f Mon Sep 17 00:00:00 2001
From: Florian Klink
Date: Sat, 20 Apr 2024 16:03:41 +0300
Subject: feat(tvix/castore/import): only allow normal components in entry paths

Explicitly document and add a debug assertion for that. It's up to callers to ensure this doesn't happen.

Change-Id: Ib5d154809c2ad2920258e239993d0b790d846dc8
Reviewed-on: https://cl.tvl.fyi/c/depot/+/11487
Reviewed-by: Connor Brewster
Autosubmit: flokli
Tested-by: BuildkiteCI
---
 tvix/castore/src/import/mod.rs | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
(limited to 'tvix/castore/src/import/mod.rs')
diff --git a/tvix/castore/src/import/mod.rs b/tvix/castore/src/import/mod.rs
index d2b1ee9ff7..ff27c0fcfd 100644
--- a/tvix/castore/src/import/mod.rs
+++ b/tvix/castore/src/import/mod.rs
@@ -40,7 +40,8 @@ pub mod fs;
 /// The stream must have the following invariants:
 /// - All children entries must come before their parents.
 /// - The last entry must be the root node which must have a single path component.
-/// - Every entry should have a unique path.
+/// - Every entry should have a unique path, and only consist of normal components.
+/// This means, no windows path prefixes, absolute paths, `.` or `..`.
 ///
 /// Internally we maintain a [HashMap] of [PathBuf] to partially populated [Directory] at that
 /// path. Once we receive an [IngestionEntry] for the directory itself, we remove it from the
@@ -65,6 +66,14 @@ where
 // we break the loop manually.
 .expect("Tvix bug: unexpected end of stream")?;
 
+ debug_assert!(
+ entry
+ .path()
+ .components()
+ .all(|x| matches!(x, std::path::Component::Normal(_))),
+ "path may only contain normal components"
+ );
+
 let name = entry
 .path()
 .file_name()
-- 
cgit 1.4.1
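Review bot: The `debug_assert!` added in the second hunk is compiled out when debug assertions are disabled, so a release build of this loop still accepts an entry whose path carries `..`, a root or a prefix component, and the documented invariant then rests entirely on every caller. If any caller can pass paths derived from untrusted input (an archive or a remote stream; not visible in this hunk), I would make the check unconditional and return an error instead, e.g. `if !entry.path().components().all(|c| matches!(c, std::path::Component::Normal(_))) { return Err(/* crate error variant for an invalid entry path */); }`. If the check stays debug-only, the doc line in the first hunk should read "must" rather than "should" and say that release builds do not verify it, so callers know the validation is theirs. The enclosing function starts and ends outside the hunk, so its error type is not shown here.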