void_core/support/

util.rs

//! Shared utility functions

use std::fs;
use std::path::{Component, Path, PathBuf};

use camino::{Utf8Path, Utf8PathBuf};
use sha2::{Digest, Sha256};

use super::error::{Result, VoidError};
use crate::store::FsStore;

/// Serialize a value to CBOR bytes.
pub fn cbor_to_vec<T: serde::Serialize>(val: &T) -> Result<Vec<u8>> {
    let mut buf = Vec::new();
    ciborium::into_writer(val, &mut buf)
        .map_err(|e| VoidError::Serialization(e.to_string()))?;
    Ok(buf)
}

/// Compute SHA-256 hash of data.
pub fn sha256(data: &[u8]) -> [u8; 32] {
    let mut hasher = Sha256::new();
    hasher.update(data);
    hasher.finalize().into()
}

/// Atomically write content to a file using temp + rename.
///
/// This ensures that readers either see the old content or the new content,
/// never a partially written file.
pub fn atomic_write(path: impl AsRef<Path>, content: &[u8]) -> Result<()> {
    let path = path.as_ref();
    let temp_path = path.with_extension("tmp");

    // Write to temp file
    fs::write(&temp_path, content).map_err(VoidError::Io)?;

    // Atomic rename
    fs::rename(&temp_path, path).map_err(VoidError::Io)?;

    Ok(())
}

/// Atomically write string content to a file.
pub fn atomic_write_str(path: impl AsRef<Path>, content: &str) -> Result<()> {
    atomic_write(path, content.as_bytes())
}

/// Configure a WalkBuilder for void's ignore semantics.
///
/// void respects `.ignore` files (the ignore crate default) but not git-specific
/// ignore sources (global gitconfig, .git/info/exclude, etc.) since void repos
/// don't have a .git directory.
pub fn configure_walker(builder: &mut ignore::WalkBuilder) -> &mut ignore::WalkBuilder {
    builder
        .hidden(false)
        .git_ignore(false)
        .git_global(false)
        .git_exclude(false)
}

/// Count the number of lines in a byte slice (SIMD-accelerated via memchr).
///
/// Matches `wc -l` behavior: counts newlines, plus 1 if file doesn't end with newline.
/// Returns 0 for empty content.
pub fn count_lines(content: &[u8]) -> u32 {
    if content.is_empty() {
        return 0;
    }

    let newlines = memchr::memchr_iter(b'\n', content).count();

    // If file ends with newline, that's the line count
    // If not, add 1 for the final line without newline
    if content.last() == Some(&b'\n') {
        newlines as u32
    } else {
        (newlines + 1) as u32
    }
}

/// Convert a `Path` to a `Utf8PathBuf`, returning `VoidError::InvalidPath` on non-UTF-8.
pub fn to_utf8(path: impl AsRef<Path>) -> Result<Utf8PathBuf> {
    Utf8PathBuf::from_path_buf(path.as_ref().to_path_buf())
        .map_err(|p| VoidError::InvalidPath(p.display().to_string()))
}

/// Open the object store under `void_dir/objects`.
pub fn open_store(void_dir: &Utf8Path) -> Result<FsStore> {
    FsStore::new(void_dir.join("objects"))
}

/// Safely join a relative path to a root directory, preventing path traversal.
///
/// Rejects:
/// - Empty paths
/// - Paths containing null bytes
/// - Absolute paths (starting with `/` or Windows drive letters)
/// - Parent directory references (`..`)
/// - Paths that normalize to empty (e.g., ".", "./")
/// - Any symlink in the path (including broken symlinks)
///
/// Note: This function rejects ALL symlinks in the path, not just those pointing
/// outside the root. This reduces the symlink-based attack surface. However, this
/// does NOT eliminate TOCTOU races (an attacker can still swap a component to a
/// symlink between check and write). True TOCTOU protection requires OS-level
/// openat/O_NOFOLLOW-style APIs.
///
/// Returns the joined path if safe, or `VoidError::PathTraversal` if unsafe.
pub fn safe_join(root: impl AsRef<Path>, rel: &str) -> Result<PathBuf> {
    let root = root.as_ref();
    // Reject empty paths
    if rel.is_empty() {
        return Err(VoidError::PathTraversal {
            path: rel.to_string(),
            reason: "empty path".to_string(),
        });
    }

    // Reject null bytes
    if rel.contains('\0') {
        return Err(VoidError::PathTraversal {
            path: rel.to_string(),
            reason: "null byte in path".to_string(),
        });
    }

    // Normalize separators
    let normalized = rel.replace('\\', "/");

    // Reject absolute paths
    if normalized.starts_with('/') {
        return Err(VoidError::PathTraversal {
            path: rel.to_string(),
            reason: "absolute path".to_string(),
        });
    }

    // Parse and validate components
    let path = Path::new(&normalized);
    let mut sanitized = PathBuf::new();

    for component in path.components() {
        match component {
            Component::Normal(c) => sanitized.push(c),
            Component::CurDir => {} // Skip `.`
            Component::ParentDir => {
                return Err(VoidError::PathTraversal {
                    path: rel.to_string(),
                    reason: "parent directory reference".to_string(),
                });
            }
            Component::RootDir | Component::Prefix(_) => {
                return Err(VoidError::PathTraversal {
                    path: rel.to_string(),
                    reason: "absolute path component".to_string(),
                });
            }
        }
    }

    // Reject paths that normalize to empty (e.g., ".", "./")
    // This prevents attempts to write/remove the root directory itself
    if sanitized.as_os_str().is_empty() {
        return Err(VoidError::PathTraversal {
            path: rel.to_string(),
            reason: "path normalizes to empty".to_string(),
        });
    }

    // Build final path
    let final_path = root.join(&sanitized);

    // Check for symlinks in existing components (including broken symlinks)
    check_symlink_escape(root, &sanitized)?;

    Ok(final_path)
}

/// Walk path components and reject if any existing component is a symlink.
///
/// Uses `symlink_metadata()` which does NOT follow symlinks, allowing us to
/// detect both valid and broken symlinks. This is important because `Path::exists()`
/// follows symlinks and returns false for broken symlinks, which would bypass
/// the security check.
fn check_symlink_escape(root: &Path, rel: &Path) -> Result<()> {
    use std::io::ErrorKind;

    let mut current = root.to_path_buf();

    for component in rel.components() {
        if let Component::Normal(c) = component {
            current.push(c);
            // Use symlink_metadata() unconditionally - it doesn't follow symlinks,
            // so it correctly detects both valid AND broken symlinks.
            match current.symlink_metadata() {
                Ok(meta) => {
                    if meta.file_type().is_symlink() {
                        return Err(VoidError::PathTraversal {
                            path: rel.to_string_lossy().to_string(),
                            reason: format!("symlink in path: {}", current.display()),
                        });
                    }
                }
                Err(e) if e.kind() == ErrorKind::NotFound => {
                    // Path doesn't exist yet - that's fine, continue checking
                }
                Err(e) => {
                    // Propagate unexpected errors (PermissionDenied, etc.)
                    // Don't silently proceed if we can't verify the path
                    return Err(VoidError::Io(e));
                }
            }
        }
    }
    Ok(())
}

/// Validate that a path is a legitimate Nix store path.
///
/// Checks:
/// - Starts with `/nix/store/`
/// - Has a valid 32-char nix base32 hash followed by `-name`
/// - `canonicalize()` resolves to still be under `/nix/store/`
/// - Path exists and is a directory (not a symlink)
pub fn validate_nix_store_path(path: &Path) -> Result<PathBuf> {
    // Nix base32 alphabet (note: no e, o, t, u)
    const NIX_BASE32: &[u8] = b"0123456789abcdfghjklmnpqrsvwxyz";

    let path_str = path.to_str().ok_or_else(|| VoidError::PathTraversal {
        path: path.display().to_string(),
        reason: "non-UTF8 store path".to_string(),
    })?;

    // Must start with /nix/store/
    let remainder =
        path_str
            .strip_prefix("/nix/store/")
            .ok_or_else(|| VoidError::PathTraversal {
                path: path_str.to_string(),
                reason: "not under /nix/store/".to_string(),
            })?;

    // Remainder must be exactly `<32-char-hash>-<name>` with no slashes
    if remainder.contains('/') {
        return Err(VoidError::PathTraversal {
            path: path_str.to_string(),
            reason: "store path contains subdirectory".to_string(),
        });
    }

    // Find the hyphen separating hash from name
    let hyphen_pos = remainder
        .find('-')
        .filter(|&pos| pos == 32)
        .ok_or_else(|| VoidError::PathTraversal {
            path: path_str.to_string(),
            reason: "invalid store path format: expected 32-char hash followed by hyphen"
                .to_string(),
        })?;

    let hash_part = &remainder[..hyphen_pos];
    let name_part = &remainder[hyphen_pos + 1..];

    // Validate hash characters
    if !hash_part.bytes().all(|b| NIX_BASE32.contains(&b)) {
        return Err(VoidError::PathTraversal {
            path: path_str.to_string(),
            reason: "invalid nix base32 hash characters".to_string(),
        });
    }

    // Name must be non-empty
    if name_part.is_empty() {
        return Err(VoidError::PathTraversal {
            path: path_str.to_string(),
            reason: "empty store path name".to_string(),
        });
    }

    // Canonicalize and verify still under /nix/store/
    let canonical = path.canonicalize().map_err(|e| VoidError::PathTraversal {
        path: path_str.to_string(),
        reason: format!("canonicalize failed: {}", e),
    })?;

    if !canonical.starts_with("/nix/store/") {
        return Err(VoidError::PathTraversal {
            path: path_str.to_string(),
            reason: format!(
                "path escapes /nix/store/ after canonicalization: {}",
                canonical.display()
            ),
        });
    }

    // Verify it's a directory (not a symlink) via symlink_metadata
    let meta = path
        .symlink_metadata()
        .map_err(|e| VoidError::PathTraversal {
            path: path_str.to_string(),
            reason: format!("symlink_metadata failed: {}", e),
        })?;

    if !meta.is_dir() {
        return Err(VoidError::PathTraversal {
            path: path_str.to_string(),
            reason: "store path is not a directory".to_string(),
        });
    }

    Ok(canonical)
}

#[cfg(test)]
mod tests {
    use super::*;
    use tempfile::TempDir;

    #[test]
    fn sha256_deterministic() {
        let data = b"hello world";
        let hash1 = sha256(data);
        let hash2 = sha256(data);
        assert_eq!(hash1, hash2);
    }

    #[test]
    fn sha256_different_input() {
        let hash1 = sha256(b"hello");
        let hash2 = sha256(b"world");
        assert_ne!(hash1, hash2);
    }

    #[test]
    fn sha256_known_value() {
        // SHA-256 of empty string
        let hash = sha256(b"");
        let expected =
            hex::decode("e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855")
                .unwrap();
        assert_eq!(hash.as_slice(), expected.as_slice());
    }

    #[test]
    fn atomic_write_creates_file() {
        let temp = TempDir::new().unwrap();
        let path = temp.path().join("test.txt");

        atomic_write(&path, b"hello").unwrap();

        assert!(path.exists());
        assert_eq!(fs::read(&path).unwrap(), b"hello");
    }

    #[test]
    fn atomic_write_overwrites_existing() {
        let temp = TempDir::new().unwrap();
        let path = temp.path().join("test.txt");

        fs::write(&path, b"old content").unwrap();
        atomic_write(&path, b"new content").unwrap();

        assert_eq!(fs::read(&path).unwrap(), b"new content");
    }

    #[test]
    fn atomic_write_no_temp_file_remains() {
        let temp = TempDir::new().unwrap();
        let path = temp.path().join("test.txt");
        let temp_path = temp.path().join("test.tmp");

        atomic_write(&path, b"content").unwrap();

        assert!(path.exists());
        assert!(!temp_path.exists());
    }

    #[test]
    fn atomic_write_str_works() {
        let temp = TempDir::new().unwrap();
        let path = temp.path().join("test.txt");

        atomic_write_str(&path, "hello string").unwrap();

        assert_eq!(fs::read_to_string(&path).unwrap(), "hello string");
    }

    #[test]
    fn count_lines_empty() {
        assert_eq!(count_lines(b""), 0);
    }

    #[test]
    fn count_lines_single_line() {
        assert_eq!(count_lines(b"hello"), 1);
    }

    #[test]
    fn count_lines_multiple_lines() {
        assert_eq!(count_lines(b"line1\nline2\nline3"), 3);
    }

    #[test]
    fn count_lines_trailing_newline() {
        // Matches wc -l: trailing newline doesn't add extra line
        assert_eq!(count_lines(b"line1\nline2\n"), 2);
    }

    // === Path traversal tests ===

    #[test]
    fn safe_join_accepts_normal_paths() {
        let root = Path::new("/tmp/output");
        assert!(safe_join(root, "src/lib.rs").is_ok());
        assert!(safe_join(root, "README.md").is_ok());
        assert!(safe_join(root, "./src/lib.rs").is_ok());
        assert!(safe_join(root, "a//b").is_ok()); // double slash normalized
    }

    #[test]
    fn safe_join_rejects_parent_traversal() {
        let root = Path::new("/tmp/output");
        assert!(safe_join(root, "../escape.txt").is_err());
        assert!(safe_join(root, "a/../../escape.txt").is_err());
        assert!(safe_join(root, "a/b/../../../escape.txt").is_err());
    }

    #[test]
    fn safe_join_rejects_absolute_paths() {
        let root = Path::new("/tmp/output");
        assert!(safe_join(root, "/etc/passwd").is_err());
        assert!(safe_join(root, "/abs/path").is_err());
    }

    #[test]
    fn safe_join_rejects_empty_path() {
        let root = Path::new("/tmp/output");
        assert!(safe_join(root, "").is_err());
    }

    #[test]
    fn safe_join_rejects_paths_normalizing_to_empty() {
        let root = Path::new("/tmp/output");
        // Paths like "." or "./" normalize to empty and should be rejected
        assert!(safe_join(root, ".").is_err());
        assert!(safe_join(root, "./").is_err());
        assert!(safe_join(root, "./.").is_err());
    }

    #[cfg(unix)]
    #[test]
    fn safe_join_rejects_broken_symlinks() {
        let temp = TempDir::new().unwrap();
        let root = temp.path();

        // Create a broken symlink (target doesn't exist)
        let symlink_path = root.join("broken_link");
        std::os::unix::fs::symlink("/nonexistent/path", &symlink_path).unwrap();

        // Verify it's broken: symlink exists, but target doesn't
        assert!(symlink_path.symlink_metadata().is_ok());
        assert!(!symlink_path.exists()); // Path::exists() follows symlinks

        // Should still be rejected
        let result = safe_join(root, "broken_link");
        assert!(result.is_err());
        assert!(result.unwrap_err().to_string().contains("symlink"));
    }

    #[test]
    fn safe_join_rejects_null_bytes() {
        let root = Path::new("/tmp/output");
        assert!(safe_join(root, "file\0.txt").is_err());
    }

    #[cfg(unix)]
    #[test]
    fn safe_join_rejects_symlink_escape() {
        let temp = TempDir::new().unwrap();
        let root = temp.path();

        // Create a symlink pointing outside
        let symlink_path = root.join("escape");
        std::os::unix::fs::symlink("/etc", &symlink_path).unwrap();

        // Should reject path through symlink
        let result = safe_join(root, "escape/passwd");
        assert!(result.is_err());
    }

    // === Nix store path validation tests ===

    #[test]
    fn validate_nix_store_path_rejects_traversal() {
        let path = Path::new("/nix/store/../../etc/evil");
        let result = validate_nix_store_path(path);
        assert!(result.is_err());
    }

    #[test]
    fn validate_nix_store_path_rejects_non_store() {
        let path = Path::new("/tmp/something");
        let result = validate_nix_store_path(path);
        assert!(result.is_err());
    }

    #[test]
    fn validate_nix_store_path_rejects_short_hash() {
        let path = Path::new("/nix/store/abc123-short");
        let result = validate_nix_store_path(path);
        assert!(result.is_err());
    }

    #[test]
    fn validate_nix_store_path_rejects_subdirectory() {
        let path = Path::new("/nix/store/00000000000000000000000000000000-name/sub");
        let result = validate_nix_store_path(path);
        assert!(result.is_err());
    }

    #[test]
    fn validate_nix_store_path_rejects_missing_name() {
        let path = Path::new("/nix/store/00000000000000000000000000000000-");
        let result = validate_nix_store_path(path);
        assert!(result.is_err());
    }

    #[test]
    fn validate_nix_store_path_rejects_invalid_base32() {
        // 'e', 'o', 't', 'u' are not in nix base32
        let path = Path::new("/nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-name");
        let result = validate_nix_store_path(path);
        assert!(result.is_err());
    }
}