plumbing: transport, resolve ..-relative file URLs against CWD#1891
Open
AriehSchneier wants to merge 1 commit intogo-git:mainfrom
Open
plumbing: transport, resolve ..-relative file URLs against CWD#1891AriehSchneier wants to merge 1 commit intogo-git:mainfrom
AriehSchneier wants to merge 1 commit intogo-git:mainfrom
Conversation
AriehSchneier
force-pushed
the
fix-relative-clone-url
branch
3 times, most recently
from
18368d6 to
f410dd2
Compare
AriehSchneier
force-pushed
the
fix-relative-clone-url
branch
2 times, most recently
from
0501e13 to
a17004f
Compare
AriehSchneier
force-pushed
the
fix-relative-clone-url
branch
8 times, most recently
from
496c425 to
a4e8d7e
Compare
pjbgf
reviewed
Mar 24, 2026
plumbing/transport/transport.go
Outdated
Comment on lines
+185
to
+186
| if !filepath.IsAbs(path) && | ||
| (cleaned == ".." || strings.HasPrefix(cleaned, ".."+string(filepath.Separator))) { |
Member
There was a problem hiding this comment.
@AriehSchneier I'm under the impression this needs to be handled higher up the stack e.g. Clone/Open.
Contributor
Author
There was a problem hiding this comment.
I have moved it to CloneOptions.Validate() which fixes it in the Clone case (which is where I was hitting the error), but what if someone calls transport.NewEndpoint() directly it will no longer resolve.
AriehSchneier
force-pushed
the
fix-relative-clone-url
branch
7 times, most recently
from
719bc65 to
ad59a5b
Compare
AriehSchneier
force-pushed
the
fix-relative-clone-url
branch
3 times, most recently
from
cee6d69 to
13fd8bc
Compare
AriehSchneier
force-pushed
the
fix-relative-clone-url
branch
3 times, most recently
from
6439da7 to
b9ea6e8
Compare
AriehSchneier
force-pushed
the
fix-relative-clone-url
branch
from
b9ea6e8 to
59bbe1b
Compare
…ptions.Validate When a caller passes a URL like "../../some-repo" to Clone, the billy chroot-based FilesystemLoader rejects any path whose cleaned form starts with ".." with "chroot boundary crossed". Fix: in CloneOptions.Validate, detect local-endpoint paths whose clean form starts with ".." and resolve them to absolute paths via filepath.Abs before any transport code runs. This matches the behaviour of `git clone`: relative paths are resolved against the caller's working directory at the command level, before handing the URL to the transport layer. Fixes: go-git#1723 Assisted-by: GitHub Copilot (claude-sonnet-4-6) <copilot@github.com> Signed-off-by: Arieh Schneier <15041913+AriehSchneier@users.noreply.github.com>
AriehSchneier
force-pushed
the
fix-relative-clone-url
branch
from
59bbe1b to
222e215
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
When a caller passes a URL like "../../some-repo" to Clone, parseFile produced an Endpoint{Path:"../../..."} that was handed unchanged to the chroot-based FilesystemLoader. The billy ChrootHelper rejects any path whose cleaned form starts with ".." ("chroot boundary crossed"), regardless of the chroot root.
Fix: in parseFile, detect paths whose cleaned form starts with ".." and resolve them to absolute paths via filepath.Abs before storing them in the Endpoint. This matches the behaviour of
git clone: relative paths are resolved against the caller's working directory.Adds TestClone_RelativeURL as a regression test.
Fixes: #1723