Windows: reject absolute and malformed paths in git tree writes#902
Open
Windows: reject absolute and malformed paths in git tree writes#902
Conversation
pjbgf
changed the title
On Windows, absolute paths (e.g., /C:/Users/...) could leak into ApplyTreeChanges, producing empty-named tree entries when split on "/". Add normalizeGitTreePath to validate tree paths are relative with no empty segments, and normalizeRepoRelativeTreePath to convert absolute paths to repo-relative before tree construction. Assisted-by: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: Paulo Gomes <paulo@entire.io>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR hardens git-tree construction in the checkpoint/shadow-branch write path by ensuring only valid, repo-relative tree paths are used, preventing malformed entries (notably on Windows when absolute paths leak in).
Changes:
- Added
normalizeGitTreePathand integrated it intoApplyTreeChangesandBuildTreeFromEntriesto reject absolute paths and invalid segments (empty,.,..). - Added
normalizeRepoRelativeTreePathto convert absolute in-repo filesystem paths back to repo-relative tree paths before building changes. - Added tests to ensure invalid paths are skipped and no empty-named tree entries are produced.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
cmd/entire/cli/checkpoint/temporary.go |
Normalizes modified/deleted paths to repo-relative tree paths before applying tree surgery; normalizes metadata dir path passed into tree construction. |
cmd/entire/cli/checkpoint/parse_tree.go |
Adds path normalization/validation and applies it inside ApplyTreeChanges; adds helpers to detect absolute paths and log skips. |
cmd/entire/cli/checkpoint/parse_tree_test.go |
Adds coverage asserting invalid paths are skipped and tree entries never have empty names. |
cmd/entire/cli/checkpoint/checkpoint_test.go |
Adds end-to-end-ish coverage for WriteTemporary path normalization (absolute in-repo -> relative) and invalid path skipping. |
Comment on lines
+368
to
+374
| func logInvalidGitTreePath(operation, path string, err error) { | ||
| slog.Warn("skipping invalid git tree path", | ||
| slog.String("operation", operation), | ||
| slog.String("path", path), | ||
| slog.String("error", err.Error()), | ||
| ) | ||
| } |
There was a problem hiding this comment.
logInvalidGitTreePath logs via slog.Warn, which bypasses the repo’s cli/logging package (and can end up on stderr rather than in .entire/logs/). Consider routing this through logging.Warn (e.g., with context.Background() or by threading a ctx into callers) to keep operational logs consistent with the rest of the codebase (see cmd/entire/cli/checkpoint/committed.go where warnings go through logging.Warn).
gtrrz-victor
approved these changes
Apr 9, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
On Windows, absolute paths (e.g.,
/C:/Users/...) could leak into ApplyTreeChanges, producing empty-named tree entries when split on "/". Add normalizeGitTreePath to validate tree paths are relative with no empty segments, and normalizeRepoRelativeTreePath to convert absolute paths to repo-relative before tree construction.Fixes #886.
Note
Cursor Bugbot is generating a summary for commit d88f401. Configure here.