fsck: warn about symlink pointing inside a gitdir

In the wake of fixing a vulnerability where `git clone` mistakenly
followed a symbolic link that it had just written while checking out
files, writing into a gitdir, let's add some defense-in-depth by
teaching `git fsck` to report symbolic links stored in its trees that
point inside `.git/`.

Even though the Git project never made any promises about the exact
shape of the `.git/` directory's contents, there are likely repositories
out there containing symbolic links that point inside the gitdir. For
that reason, let's only report these as warnings, not as errors.
Security-conscious users are encouraged to configure
`fsck.symlinkPointsToGitDir = error`.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>

fsck.c

@@ -636,6 +636,8 @@ static int fsck_tree(const struct object_id *tree_oid,
 				retval += report(options, tree_oid, OBJ_TREE,
 						 FSCK_MSG_MAILMAP_SYMLINK,
 						 ".mailmap is a symlink");
+			oidset_insert(&options->symlink_targets_found,
+				      entry_oid);
 		}
 
 		if ((backslash = strchr(name, '\\'))) {
@@ -1228,6 +1230,56 @@ static int fsck_blob(const struct object_id *oid, const char *buf,
 		}
 	}
 
+	if (oidset_contains(&options->symlink_targets_found, oid)) {
+		const char *ptr = buf;
+		const struct object_id *reported = NULL;
+
+		oidset_insert(&options->symlink_targets_done, oid);
+
+		if (!buf || size > PATH_MAX) {
+			/*
+			 * A missing buffer here is a sign that the caller found the
+			 * blob too gigantic to load into memory. Let's just consider
+			 * that an error.
+			 */
+			return report(options, oid, OBJ_BLOB,
+					FSCK_MSG_SYMLINK_TARGET_LENGTH,
+					"symlink target too long");
+		}
+
+		while (!reported && ptr) {
+			const char *p = ptr;
+			char c, *slash = strchrnul(ptr, '/');
+			char *backslash = memchr(ptr, '\\', slash - ptr);
+
+			c = *slash;
+			*slash = '\0';
+
+			while (!reported && backslash) {
+				*backslash = '\0';
+				if (is_ntfs_dotgit(p))
+					ret |= report(options, reported = oid, OBJ_BLOB,
+						      FSCK_MSG_SYMLINK_POINTS_TO_GIT_DIR,
+						      "symlink target points to git dir");
+				*backslash = '\\';
+				p = backslash + 1;
+				backslash = memchr(p, '\\', slash - p);
+			}
+			if (!reported && is_ntfs_dotgit(p))
+				ret |= report(options, reported = oid, OBJ_BLOB,
+					      FSCK_MSG_SYMLINK_POINTS_TO_GIT_DIR,
+					      "symlink target points to git dir");
+
+			if (!reported && is_hfs_dotgit(ptr))
+				ret |= report(options, reported = oid, OBJ_BLOB,
+					      FSCK_MSG_SYMLINK_POINTS_TO_GIT_DIR,
+					      "symlink target points to git dir");
+
+			*slash = c;
+			ptr = c ? slash + 1 : NULL;
+		}
+	}
+
 	return ret;
 }
 
@@ -1319,6 +1371,10 @@ int fsck_finish(struct fsck_options *options)
 			  FSCK_MSG_GITATTRIBUTES_MISSING, FSCK_MSG_GITATTRIBUTES_BLOB,
 			  options, ".gitattributes");
 
+	ret |= fsck_blobs(&options->symlink_targets_found, &options->symlink_targets_done,
+			  FSCK_MSG_SYMLINK_TARGET_MISSING, FSCK_MSG_SYMLINK_TARGET_BLOB,
+			  options, "<symlink-target>");
+
 	return ret;
 }