disallow repository path equal to source root (#2801)

Author: Vladimir Kotal

opengrok-indexer/src/main/java/org/opengrok/indexer/history/HistoryGuru.java

@@ -414,6 +414,9 @@ private Collection<RepositoryInfo> addRepositories(File[] files,
                 } catch (IllegalAccessException iae) {
                     LOGGER.log(Level.WARNING, "Could not create repository for '"
                             + file + "', missing access rights.", iae);
+                } catch (ForbiddenSymlinkException e) {
+                    LOGGER.log(Level.WARNING, "Could not create repository for '"
+                            + file + "', path traversal issues.", e);
                 }
                 if (repository == null) {
                     // Not a repository, search its sub-dirs.

opengrok-indexer/src/main/java/org/opengrok/indexer/history/RepositoryFactory.java

@@ -33,6 +33,7 @@
 
 import org.opengrok.indexer.configuration.RuntimeEnvironment;
 import org.opengrok.indexer.logger.LoggerFactory;
+import org.opengrok.indexer.util.ForbiddenSymlinkException;
 
 /**
  * This is a factory class for the different repositories.
@@ -80,7 +81,7 @@ public static List<Class<? extends Repository>> getRepositoryClasses() {
     }
 
     public static Repository getRepository(File file)
-        throws InstantiationException, IllegalAccessException, NoSuchMethodException, InvocationTargetException{
+            throws InstantiationException, IllegalAccessException, NoSuchMethodException, InvocationTargetException, IOException, ForbiddenSymlinkException {
         return getRepository(file, false);
     }
 
@@ -101,15 +102,25 @@ public static Repository getRepository(File file)
      * @throws IllegalAccessException in case no permissions to repository file
      * @throws NoSuchMethodException in case we cannot create the repository object
      * @throws InvocationTargetException in case we cannot create the repository object
+     * @throws IOException when resolving repository path
+     * @throws ForbiddenSymlinkException when resolving repository path
      */
     public static Repository getRepository(File file, boolean interactive)
-            throws InstantiationException, IllegalAccessException, NoSuchMethodException, InvocationTargetException {
+            throws InstantiationException, IllegalAccessException, NoSuchMethodException, InvocationTargetException, IOException, ForbiddenSymlinkException {
         RuntimeEnvironment env = RuntimeEnvironment.getInstance();
         Repository repo = null;
 
         for (Repository rep : repositories) {
             if (rep.isRepositoryFor(file, interactive)) {
                 repo = rep.getClass().getDeclaredConstructor().newInstance();
+
+                if (env.isProjectsEnabled() && env.getPathRelativeToSourceRoot(file).equals(File.separator)) {
+                    LOGGER.log(Level.WARNING, "{0} was detected as {1} repository however with directory " +
+                            "matching source root. This is invalid because projects are enabled. Ignoring this " +
+                            "repository.",
+                            new Object[]{file, rep.getType()});
+                    return null;
+                }
                 repo.setDirectoryName(file);
 
                 if (!repo.isWorking()) {
@@ -181,9 +192,11 @@ public static Repository getRepository(File file, boolean interactive)
      * @throws IllegalAccessException in case no permissions to repository
      * @throws NoSuchMethodException in case we cannot create the repository object
      * @throws InvocationTargetException in case we cannot create the repository object
+     * @throws IOException when resolving repository path
+     * @throws ForbiddenSymlinkException when resolving repository path
      */
     public static Repository getRepository(RepositoryInfo info, boolean interactive)
-            throws InstantiationException, IllegalAccessException, NoSuchMethodException, InvocationTargetException {
+            throws InstantiationException, IllegalAccessException, NoSuchMethodException, InvocationTargetException, IOException, ForbiddenSymlinkException {
         return getRepository(new File(info.getDirectoryName()), interactive);
     }
 

opengrok-indexer/src/test/java/org/opengrok/indexer/history/RepositoryFactoryTest.java

@@ -23,11 +23,18 @@
 package org.opengrok.indexer.history;
 
 import java.io.File;
+import java.io.IOException;
 import java.lang.reflect.InvocationTargetException;
 import org.junit.AfterClass;
 import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertNull;
+
 import org.junit.BeforeClass;
 import org.junit.Test;
+import org.opengrok.indexer.condition.ConditionalRun;
+import org.opengrok.indexer.condition.RepositoryInstalled;
+import org.opengrok.indexer.configuration.RuntimeEnvironment;
+import org.opengrok.indexer.util.ForbiddenSymlinkException;
 import org.opengrok.indexer.util.TestRepository;
 
 /**
@@ -51,16 +58,31 @@ public static void tearDown() {
             repository = null;
         }
     }
-    
+
+    @ConditionalRun(RepositoryInstalled.MercurialInstalled.class)
+    @Test
+    public void testRepositoryMatchingSourceRoot() throws IllegalAccessException, InvocationTargetException,
+            ForbiddenSymlinkException, InstantiationException, NoSuchMethodException, IOException {
+
+        File root = new File(repository.getSourceRoot(), "mercurial");
+        RuntimeEnvironment env = RuntimeEnvironment.getInstance();
+        env.setSourceRoot(root.getAbsolutePath());
+        env.setProjectsEnabled(true);
+        assertNull(RepositoryFactory.getRepository(root));
+    }
+
     /*
-     * There is no conditonal run based on whether given repository is installed because
+     * There is no conditional run based on whether given repository is installed because
      * this test is not supposed to have working Mercurial anyway.
      */
-    private void testNotWorkingRepository(String repoPath, String propName) 
-            throws InstantiationException, IllegalAccessException, NoSuchMethodException, InvocationTargetException {
-        
+    private void testNotWorkingRepository(String repoPath, String propName)
+            throws InstantiationException, IllegalAccessException, NoSuchMethodException, InvocationTargetException,
+            IOException, ForbiddenSymlinkException {
+
+        RuntimeEnvironment env = RuntimeEnvironment.getInstance();
         String origPropValue = System.setProperty(propName, "/foo/bar/nonexistent");
         File root = new File(repository.getSourceRoot(), repoPath);
+        env.setSourceRoot(repository.getSourceRoot());
         Repository repo = RepositoryFactory.getRepository(root);
         if (origPropValue != null) {
             System.setProperty(propName, origPropValue);
@@ -69,14 +91,16 @@ private void testNotWorkingRepository(String repoPath, String propName)
     }
 
     @Test
-    public void testNotWorkingMercurialRepository() 
-            throws InstantiationException, IllegalAccessException, NoSuchMethodException, InvocationTargetException {
+    public void testNotWorkingMercurialRepository()
+            throws InstantiationException, IllegalAccessException, NoSuchMethodException, InvocationTargetException,
+            IOException, ForbiddenSymlinkException {
         testNotWorkingRepository("mercurial", MercurialRepository.CMD_PROPERTY_KEY);
     }
 
     @Test
-    public void testNotWorkingBitkeeperRepository() 
-            throws InstantiationException, IllegalAccessException, NoSuchMethodException, InvocationTargetException {
+    public void testNotWorkingBitkeeperRepository()
+            throws InstantiationException, IllegalAccessException, NoSuchMethodException, InvocationTargetException,
+            IOException, ForbiddenSymlinkException {
         testNotWorkingRepository("bitkeeper", BitKeeperRepository.CMD_PROPERTY_KEY);
     }
 }

opengrok-indexer/src/test/java/org/opengrok/indexer/util/TestRepository.java

@@ -126,8 +126,8 @@ public void removeDummyFile(String project) {
      * @param filename a required instance
      * @param in a required instance
      * @param project an optional project name
-     * @return
-     * @throws IOException
+     * @return file object
+     * @throws IOException I/O exception
      */
     public File addAdhocFile(String filename, InputStream in, String project)
             throws IOException {