Fix directory traversal for patterns outside workdirectory (#2004)

Fix directory traversal for patterns referring to paths outside of current working directory or any of it child directories. Note that on Windows the (relative) patterns may not refer to a path outside of the current working directory. Closes #2002
pinterest · May 9, 2023 · 9256b8e · 9256b8e
1 parent bc39250
commit 9256b8e
Show file tree

Hide file tree

Showing 3 changed files with 94 additions and 15 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -18,6 +18,7 @@ This project adheres to [Semantic Versioning](https://semver.org/).
 * Fix indentation of multiline parameter list in function literal `indent` ([#1976](https://github.com/pinterest/ktlint/issues/1976))
 * Restrict indentation of closing quotes to `ktlint_official` code style to keep formatting of other code styles consistent with `0.48.x` and before `indent` ([#1971](https://github.com/pinterest/ktlint/issues/1971))
 * Clean-up unwanted logging dependencies ([#1998](https://github.com/pinterest/ktlint/issues/1998))
+* Fix directory traversal for patterns referring to paths outside of current working directory or any of it child directories ([#2002](https://github.com/pinterest/ktlint/issues/2002))
 
 ### Changed
 * Separated Baseline functionality out of `ktlint-cli` into separate `ktlint-baseline` module for API consumers

diff --git a/ktlint-cli/src/main/kotlin/com/pinterest/ktlint/cli/internal/FileUtils.kt b/ktlint-cli/src/main/kotlin/com/pinterest/ktlint/cli/internal/FileUtils.kt
@@ -14,7 +14,6 @@ import java.nio.file.SimpleFileVisitor
 import java.nio.file.attribute.BasicFileAttributes
 import java.util.Deque
 import java.util.LinkedList
-import kotlin.io.path.Path
 import kotlin.io.path.absolutePathString
 import kotlin.io.path.isDirectory
 import kotlin.io.path.pathString
@@ -66,7 +65,7 @@ internal fun FileSystem.fileSequence(
             .filter { it.startsWith(NEGATION_PREFIX) }
             .map { getPathMatcher(it.removePrefix(NEGATION_PREFIX)) }
 
-    val pathMatchers =
+    val includeGlobs =
         globs
             .filterNot { it.startsWith(NEGATION_PREFIX) }
             .let { includeMatchers ->
@@ -81,23 +80,27 @@ internal fun FileSystem.fileSequence(
                 } else {
                     includeMatchers
                 }
-            }.map { getPathMatcher(it) }
-
-    LOGGER.debug {
-        """
-        Start walkFileTree for rootDir: '$rootDir'
-           include:
-        ${pathMatchers.map {
-            "      - $it"
-        }}
-           exclude:
-        ${negatedPathMatchers.map { "      - $it" }}
-        """.trimIndent()
+            }
+    var commonRootDir = rootDir
+    patterns.forEach { pattern ->
+        try {
+            val patternDir =
+                rootDir
+                    .resolve(pattern)
+                    .normalize()
+            commonRootDir = commonRootDir.findCommonParentDir(patternDir)
+        } catch (e: InvalidPathException) {
+            // Windows throws an exception when you pass a glob to Path#resolve.
+        }
     }
+
+    val pathMatchers = includeGlobs.map { getPathMatcher(it) }
+
+    LOGGER.debug { "Start walkFileTree from directory: '$commonRootDir'" }
     val duration =
         measureTimeMillis {
             Files.walkFileTree(
-                rootDir,
+                commonRootDir,
                 object : SimpleFileVisitor<Path>() {
                     override fun visitFile(
                         filePath: Path,
@@ -148,6 +151,16 @@ internal fun FileSystem.fileSequence(
     return result.asSequence()
 }
 
+private fun Path.findCommonParentDir(path: Path): Path =
+    when {
+        path.startsWith(this) ->
+            this
+        startsWith(path) ->
+            path
+        else ->
+            this@findCommonParentDir.findCommonParentDir(path.parent)
+    }
+
 private fun FileSystem.expand(
     patterns: List<String>,
     rootDir: Path,

diff --git a/ktlint-cli/src/test/kotlin/com/pinterest/ktlint/cli/internal/FileUtilsTest.kt b/ktlint-cli/src/test/kotlin/com/pinterest/ktlint/cli/internal/FileUtilsTest.kt
@@ -13,6 +13,7 @@ import org.junit.jupiter.api.condition.OS
 import org.junit.jupiter.params.ParameterizedTest
 import org.junit.jupiter.params.provider.ValueSource
 import java.nio.file.Path
+import kotlin.io.path.absolutePathString
 
 private val LOGGER = KotlinLogging.logger {}.initKtLintKLogger()
 
@@ -35,6 +36,7 @@ internal class FileUtilsTest {
     private val ktFile2InProjectSubDirectory = "project1/src/main/kotlin/example/Two.kt"
     private val ktsFileInProjectSubDirectory = "project1/src/scripts/Script.kts"
     private val javaFileInProjectSubDirectory = "project1/src/main/java/One.java"
+    private val someFileInOtherProjectRootDirectory = "other-project/SomeFile.txt"
 
     @BeforeEach
     internal fun setUp() {
@@ -52,6 +54,7 @@ internal class FileUtilsTest {
             createFile(ktFile1InProjectSubDirectory)
             createFile(ktFile2InProjectSubDirectory)
             createFile(javaFileInProjectSubDirectory)
+            createFile(someFileInOtherProjectRootDirectory)
         }
     }
 
@@ -414,6 +417,68 @@ internal class FileUtilsTest {
             )
     }
 
+    @DisabledOnOs(OS.WINDOWS)
+    @Test
+    fun `Issue 2002 - On non-Windows OS, find files in a sibling directory based on a relative path to the working directory`() {
+        val foundFiles =
+            getFiles(
+                patterns = listOf("../project1"),
+                rootDir = ktlintTestFileSystem.resolve(someFileInOtherProjectRootDirectory).parent.toAbsolutePath(),
+            )
+
+        assertThat(foundFiles)
+            .containsExactlyInAnyOrder(
+                ktFileInProjectRootDirectory,
+                ktsFileInProjectRootDirectory,
+                ktFile1InProjectSubDirectory,
+                ktFile2InProjectSubDirectory,
+                ktsFileInProjectSubDirectory,
+            ).doesNotContain(
+                ktFileRootDirectory,
+                ktsFileRootDirectory,
+            )
+    }
+
+    @DisabledOnOs(OS.WINDOWS)
+    @Test
+    fun `Issue 2002 - On non-Windows OS, find files in a sibling directory based on a relative glob`() {
+        val foundFiles =
+            getFiles(
+                patterns = listOf("../project1/**/*.kt"),
+                rootDir = ktlintTestFileSystem.resolve("other-project"),
+            )
+
+        assertThat(foundFiles)
+            .containsExactlyInAnyOrder(
+                ktFileInProjectRootDirectory,
+                ktFile1InProjectSubDirectory,
+                ktFile2InProjectSubDirectory,
+            ).doesNotContain(
+                ktFileRootDirectory,
+            )
+    }
+
+    @Test
+    fun `Issue 2002 - Find files in a sibling directory based on an absolute path`() {
+        val foundFiles =
+            getFiles(
+                patterns = listOf(ktlintTestFileSystem.resolve(ktFileInProjectRootDirectory).parent.absolutePathString()),
+                rootDir = ktlintTestFileSystem.resolve(someFileInOtherProjectRootDirectory).parent.toAbsolutePath(),
+            )
+
+        assertThat(foundFiles)
+            .containsExactlyInAnyOrder(
+                ktFileInProjectRootDirectory,
+                ktsFileInProjectRootDirectory,
+                ktFile1InProjectSubDirectory,
+                ktFile2InProjectSubDirectory,
+                ktsFileInProjectSubDirectory,
+            ).doesNotContain(
+                ktFileRootDirectory,
+                ktsFileRootDirectory,
+            )
+    }
+
     private fun KtlintTestFileSystem.createFile(fileName: String) =
         writeFile(
             relativeDirectoryToRoot = fileName.substringBeforeLast("/", ""),