Ensure that FilePaths don't contain interior NULs

Follow:

* https://gitlab.haskell.org/ghc/ghc/-/merge_requests/10110
* haskell/core-libraries-committee#144

Author: hasufell

System/Posix/ByteString/FilePath.hsc

@@ -1,4 +1,4 @@
-{-# LANGUAGE Safe #-}
+{-# LANGUAGE Trustworthy #-}
 
 -----------------------------------------------------------------------------
 -- |
@@ -40,8 +40,15 @@ import Foreign.C hiding (
 
 import Control.Monad
 import Data.ByteString
-import Data.ByteString.Char8 as BC
-import Prelude hiding (FilePath)
+import Data.ByteString.Internal (c_strlen)
+import qualified Data.ByteString.Char8 as BC
+import qualified System.OsPath.Data.ByteString.Short as SBS
+import GHC.IO.Exception
+import System.OsPath.Posix
+import GHC.IO.Encoding.UTF8 ( mkUTF8 )
+import GHC.IO.Encoding.Failure ( CodingFailureMode(..) )
+import System.OsString.Internal.Types
+import Prelude hiding (FilePath, elem)
 #if !MIN_VERSION_base(4, 11, 0)
 import Data.Monoid ((<>))
 #endif
@@ -50,7 +57,7 @@ import Data.Monoid ((<>))
 type RawFilePath = ByteString
 
 withFilePath :: RawFilePath -> (CString -> IO a) -> IO a
-withFilePath = useAsCString
+withFilePath path = useAsCStringSafe path
 
 peekFilePath :: CString -> IO RawFilePath
 peekFilePath = packCString
@@ -131,3 +138,27 @@ throwErrnoPathIfMinus1_  = throwErrnoPathIf_ (== -1)
 throwErrnoTwoPathsIfMinus1_ :: (Eq a, Num a) => String -> RawFilePath -> RawFilePath -> IO a -> IO ()
 throwErrnoTwoPathsIfMinus1_  loc path1 path2 =
     throwErrnoIfMinus1_ (loc <> " '" <> BC.unpack path1 <> "' to '" <> BC.unpack path2 <> "'")
+
+-- | Wrapper around 'useAsCString', checking the encoded 'FilePath' for internal NUL octets as these are
+-- disallowed in POSIX filepaths. See https://gitlab.haskell.org/ghc/ghc/-/issues/13660
+useAsCStringSafe :: RawFilePath -> (CString -> IO a) -> IO a
+useAsCStringSafe path f = useAsCStringLen path $ \(ptr, len) -> do
+    clen <- c_strlen ptr
+    if clen == fromIntegral len
+        then f ptr
+        else ioError err
+  where
+    err =
+        IOError
+          { ioe_handle = Nothing
+          , ioe_type = InvalidArgument
+          , ioe_location = "checkForInteriorNuls"
+          , ioe_description = "POSIX filepaths must not contain internal NUL octets."
+          , ioe_errno = Nothing
+          , ioe_filename = Just (either (error . show) id
+                                  . decodeWith (mkUTF8 TransliterateCodingFailure)
+                                  . PosixString
+                                  . SBS.toShort
+                                  $ path)
+          }
+

System/Posix/PosixPath/FilePath.hsc

@@ -1,4 +1,5 @@
 {-# LANGUAGE CPP #-}
+{-# LANGUAGE PatternSynonyms #-}
 
 -----------------------------------------------------------------------------
 -- |
@@ -39,20 +40,22 @@ import Foreign.C hiding (
      throwErrnoPathIfMinus1_ )
 
 import System.OsPath.Types
+import Data.ByteString.Internal (c_strlen)
 import Control.Monad
 import GHC.IO.Encoding.UTF8 ( mkUTF8 )
 import GHC.IO.Encoding.Failure ( CodingFailureMode(..) )
-import System.OsPath.Posix
-import System.OsPath.Data.ByteString.Short
+import System.OsPath.Posix as Posix
+import System.OsPath.Data.ByteString.Short as SBS
 import Prelude hiding (FilePath)
-import System.OsString.Internal.Types (PosixString(..))
+import System.OsString.Internal.Types (PosixString(..), pattern PS)
+import GHC.IO.Exception
 #if !MIN_VERSION_base(4, 11, 0)
 import Data.Monoid ((<>))
 #endif
 
 
 withFilePath :: PosixPath -> (CString -> IO a) -> IO a
-withFilePath = useAsCString . getPosixString
+withFilePath path = useAsCStringSafe path
 
 peekFilePath :: CString -> IO PosixPath
 peekFilePath = fmap PosixString . packCString
@@ -138,3 +141,21 @@ throwErrnoTwoPathsIfMinus1_  loc path1 path2 =
 _toStr :: PosixPath -> String
 _toStr fp = either (error . show) id $ decodeWith (mkUTF8 TransliterateCodingFailure) fp
 
+-- | Wrapper around 'useAsCString', checking the encoded 'FilePath' for internal NUL octets as these are
+-- disallowed in POSIX filepaths. See https://gitlab.haskell.org/ghc/ghc/-/issues/13660
+useAsCStringSafe :: PosixPath -> (CString -> IO a) -> IO a
+useAsCStringSafe pp@(PS path) f = useAsCStringLen path $ \(ptr, len) -> do
+    clen <- c_strlen ptr
+    if clen == fromIntegral len
+        then f ptr
+        else ioError err
+  where
+    err =
+        IOError
+          { ioe_handle = Nothing
+          , ioe_type = InvalidArgument
+          , ioe_location = "checkForInteriorNuls"
+          , ioe_description = "POSIX filepaths must not contain internal NUL octets."
+          , ioe_errno = Nothing
+          , ioe_filename = Just (_toStr pp)
+          }

tests/T13660.hs

@@ -0,0 +1,67 @@
+{-# LANGUAGE CPP               #-}
+{-# LANGUAGE OverloadedStrings #-}
+
+module Main where
+
+import Data.Maybe
+#if !MIN_VERSION_base(4, 11, 0)
+import Data.Monoid ((<>))
+#endif
+import GHC.IO.Exception
+import System.IO.Error
+import System.OsPath.Posix
+import System.OsString.Internal.Types (PosixString(..))
+import System.Posix.IO (defaultFileFlags, OpenFileFlags(..), OpenMode(..))
+import System.Posix.ByteString.FilePath
+
+import qualified Data.ByteString.Char8 as C
+import qualified System.OsPath.Data.ByteString.Short as SBS
+import qualified System.Posix.Env.PosixString as PS
+import qualified System.Posix.IO.PosixString as PS
+import qualified System.Posix.IO.ByteString as BS
+import qualified System.Posix.Env.ByteString as BS
+
+
+main :: IO ()
+main = do
+  tmp <- getTemporaryDirectory
+  let fp = tmp <> fromStr' "/hello\0world"
+  res  <- tryIOError $ PS.openFd fp WriteOnly df
+
+  tmp' <- getTemporaryDirectory'
+  let fp' = tmp' <> "/hello\0world"
+  res' <- tryIOError $ BS.openFd fp' WriteOnly df
+
+  case (res, res') of
+    (Left e,  Left e')
+      | e == fileError (_toStr fp)
+      , e' == fileError (C.unpack fp') -> pure ()
+      | otherwise -> fail $ "Unexpected errors: " <> show e <> "\n\t" <> show e'
+    (Right _, Left _)  -> fail "System.Posix.IO.PosixString.openFd should not accept filepaths with NUL bytes"
+    (Left _,  Right _) -> fail "System.Posix.IO.ByteString.openFd should not accept filepaths with NUL bytes"
+    (Right _, Right _) -> fail $ "System.Posix.IO.PosixString.openFd and System.Posix.IO.ByteString.openFd" <>
+                                 " should not accept filepaths with NUL bytes"
+
+  where
+    df :: OpenFileFlags
+    df = defaultFileFlags{ trunc = True, creat = Just 0o666, noctty = True, nonBlock = True }
+
+    getTemporaryDirectory :: IO PosixPath
+    getTemporaryDirectory = fromMaybe (fromStr' "/tmp") <$> PS.getEnv (fromStr' "TMPDIR")
+
+    getTemporaryDirectory' :: IO RawFilePath
+    getTemporaryDirectory' = fromMaybe "/tmp" <$> BS.getEnv "TMPDIR"
+
+    fromStr' = pack . fmap unsafeFromChar
+
+    _toStr (PosixString sbs) = C.unpack $ SBS.fromShort sbs
+
+    fileError fp = IOError
+          { ioe_handle = Nothing
+          , ioe_type = InvalidArgument
+          , ioe_location = "checkForInteriorNuls"
+          , ioe_description = "POSIX filepaths must not contain internal NUL octets."
+          , ioe_errno = Nothing
+          , ioe_filename = Just fp
+          }
+

unix.cabal

@@ -279,3 +279,11 @@ test-suite SemaphoreInterrupt
     default-language: Haskell2010
     build-depends: base, unix
     ghc-options: -Wall -threaded
+
+test-suite T13660
+    hs-source-dirs: tests
+    main-is: T13660.hs
+    type: exitcode-stdio-1.0
+    default-language: Haskell2010
+    build-depends: base, unix, filepath >= 1.4.100.0 && < 1.5, bytestring
+    ghc-options: -Wall