Skip to content

Windows: reject absolute and malformed paths in git tree writes#902

Merged
pjbgf merged 2 commits intomainfrom
pjbgf/empty-names
Apr 10, 2026
Merged

Windows: reject absolute and malformed paths in git tree writes#902
pjbgf merged 2 commits intomainfrom
pjbgf/empty-names

Conversation

@pjbgf
Copy link
Copy Markdown
Member

@pjbgf pjbgf commented Apr 9, 2026
edited
Loading

On Windows, absolute paths (e.g., /C:/Users/...) could leak into ApplyTreeChanges, producing empty-named tree entries when split on "/". Add normalizeGitTreePath to validate tree paths are relative with no empty segments, and normalizeRepoRelativeTreePath to convert absolute paths to repo-relative before tree construction.

Fixes #886.

Note

Cursor Bugbot is generating a summary for commit d88f401. Configure here.

@pjbgf pjbgf requested a review from a team as a code owner April 9, 2026 15:21
Copilot AI review requested due to automatic review settings April 9, 2026 15:21
@pjbgf pjbgf changed the title fix: reject absolute and malformed paths in git tree writes Windows: reject absolute and malformed paths in git tree writes Apr 9, 2026
@pjbgf pjbgf force-pushed the pjbgf/empty-names branch from d88f401 to a7c7de9 Compare April 9, 2026 15:22
Copilot AI reviewed Apr 9, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens git-tree construction in the checkpoint/shadow-branch write path by ensuring only valid, repo-relative tree paths are used, preventing malformed entries (notably on Windows when absolute paths leak in).

Changes:

  • Added normalizeGitTreePath and integrated it into ApplyTreeChanges and BuildTreeFromEntries to reject absolute paths and invalid segments (empty, ., ..).
  • Added normalizeRepoRelativeTreePath to convert absolute in-repo filesystem paths back to repo-relative tree paths before building changes.
  • Added tests to ensure invalid paths are skipped and no empty-named tree entries are produced.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

File Description
cmd/entire/cli/checkpoint/temporary.go Normalizes modified/deleted paths to repo-relative tree paths before applying tree surgery; normalizes metadata dir path passed into tree construction.
cmd/entire/cli/checkpoint/parse_tree.go Adds path normalization/validation and applies it inside ApplyTreeChanges; adds helpers to detect absolute paths and log skips.
cmd/entire/cli/checkpoint/parse_tree_test.go Adds coverage asserting invalid paths are skipped and tree entries never have empty names.
cmd/entire/cli/checkpoint/checkpoint_test.go Adds end-to-end-ish coverage for WriteTemporary path normalization (absolute in-repo -> relative) and invalid path skipping.

gtrrz-victor
gtrrz-victor previously approved these changes Apr 9, 2026
View reviewed changes
@pjbgf pjbgf force-pushed the pjbgf/empty-names branch 3 times, most recently from a6a59b5 to 09f9d9a Compare April 10, 2026 08:43
@pjbgf pjbgf enabled auto-merge April 10, 2026 08:44
@pjbgf pjbgf force-pushed the pjbgf/empty-names branch from e614a3b to ab25329 Compare April 10, 2026 09:19
pjbgf added 2 commits April 10, 2026 10:40
@pjbgf
fix: reject absolute and malformed paths in git tree writes
b004316 
On Windows, absolute paths (e.g., /C:/Users/...) could leak into
ApplyTreeChanges, producing empty-named tree entries when split on "/".
Add normalizeGitTreePath to validate tree paths are relative with no
empty segments, and normalizeRepoRelativeTreePath to convert absolute
paths to repo-relative before tree construction.

Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Paulo Gomes <paulo@entire.io>
@pjbgf
fix: route logInvalidGitTreePath through logging.Warn instead of slog…
c8c88db 
….Warn

Thread context.Context through logInvalidGitTreePath, ApplyTreeChanges,
and BuildTreeFromEntries so the warning uses the project's logging
package, keeping operational logs consistent with the rest of the
codebase (written to .entire/logs/ rather than stderr).

Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Paulo Gomes <paulo@entire.io>
Entire-Checkpoint: aa5afbf6c998
@pjbgf pjbgf force-pushed the pjbgf/empty-names branch from ab25329 to c8c88db Compare April 10, 2026 09:40
@pjbgf pjbgf merged commit 1fdce8c into main Apr 10, 2026
9 checks passed
@pjbgf pjbgf deleted the pjbgf/empty-names branch April 10, 2026 09:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@gtrrz-victor gtrrz-victor gtrrz-victor approved these changes

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Shadow branches contain corrupted tree objects with empty filenames on Windows

3 participants

@pjbgf @gtrrz-victor