Test Windows <reserved>.middle.extension filenames

EliahKagan · EliahKagan · commit f5ef10d30e50 · 2025-02-16T13:40:35.000-05:00
When `<reserved>` is a reserved device name on Windows like `NUL`, in addition to filenames where it is followed by an extension being treated specially in the same way (`<reserved>.extension`), filenames where the operation of repeatedly removing extensions would produce `<reserved>` (`<reserved>.middle.extension`, `<reserved>.middle1.middle2.extension`, and so forth) are also treated by Windows like the reserved name. The existing code in `gix-validate`, and thus the validation of paths and refs that checks for reserved Windows device names, already does the right thing here. While the existing tests are presented as being for extensions, the implementation treats a name as reserved when it is parsed as a reserved name followed by a `.` (among other cases), regardless of whether what comes after the `.` is actually an extension in the strict sense. Therefore this is just adding regression tests to express the rule more clearly and, more importantly, to protect against accidental breakage in future changes. (Because of the way gitoxide uses this validation, suhc breakage would likely introduce a vulnerability similar to CVE-2024-35197, because this is part of how we safeguard against malicious names when cloning untrusted remote repos.) The idea to test this is inspired by a new check in `dunce`: https://gitlab.com/kornelski/dunce/-/commit/0ceb0ae141bf78c6d9d68488a55d22cd94658339
diff --git a/gix-validate/tests/path/mod.rs b/gix-validate/tests/path/mod.rs
@@ -1,9 +1,9 @@
 #[test]
 fn component_is_windows_device() {
-    for device in ["con", "CONIN$", "lpt1.txt", "AUX", "Prn", "NUL", "COM9"] {
+    for device in ["con", "CONIN$", "lpt1.txt", "AUX", "Prn", "NUL", "COM9", "nul.a.b "] {
         assert!(gix_validate::path::component_is_windows_device(device.into()));
     }
-    for not_device in ["coni", "CONIN", "lpt", "AUXi", "aPrn", "NULl", "COM"] {
+    for not_device in ["coni", "CONIN", "lpt", "AUXi", "aPrn", "NULl", "COM", "a.nul.b "] {
         assert!(!gix_validate::path::component_is_windows_device(not_device.into()));
     }
 }
@@ -82,6 +82,9 @@ mod component {
         mktest!(conin_without_dollar, b"conin");
         mktest!(not_con, b"com");
         mktest!(also_not_con, b"co");
+        mktest!(con_as_middle, b"x.CON.zip");
+        mktest!(con_after_space, b" CON");
+        mktest!(con_after_space_mixed, b" coN.tar.xz");
         mktest!(not_nul, b"null");
         mktest!(
             not_dot_gitmodules_shorter_hfs,
@@ -248,6 +251,8 @@ mod component {
         mktest!(prn_mixed_with_extension, b"PrN.abc", Error::WindowsReservedName);
         mktest!(con, b"CON", Error::WindowsReservedName);
         mktest!(con_with_extension, b"CON.abc", Error::WindowsReservedName);
+        mktest!(con_with_middle, b"CON.tar.xz", Error::WindowsReservedName);
+        mktest!(con_mixed_with_middle, b"coN.tar.xz ", Error::WindowsReservedName);
         mktest!(
             conout_mixed_with_extension,
             b"ConOut$  .xyz",
