From 2d9d5c39549c634911515cad447f3fc3ec219fea Mon Sep 17 00:00:00 2001
From: Tim Besard <tim.besard@gmail.com>
Date: Wed, 8 Feb 2023 01:21:49 -0500
Subject: [PATCH] Check if directories are safe before hashing them.

---
 src/evaluate.jl | 25 +++++++++++++++++++++++--
 src/sandbox.jl  |  2 +-
 2 files changed, 24 insertions(+), 3 deletions(-)

diff --git a/src/evaluate.jl b/src/evaluate.jl
index c76819c7..ce73e443 100644
--- a/src/evaluate.jl
+++ b/src/evaluate.jl
@@ -772,6 +772,27 @@ function evaluate_compiled_test(config::Configuration, pkg::Package;
 end
 
 
+# check for entries that GitTools.tree_hash doesn't handle (Pkg.jl#3365).
+# chardev entries indicate a whiteout file, which isn't cacheable anyway.
+function is_hasheable(path)
+    try
+        if isdir(path)
+            for entry in readdir(path; join=true)
+                if !is_hasheable(entry)
+                    return false
+                end
+            end
+        elseif !isfile(path)
+            return false
+        end
+        return true
+    catch err
+        # -ELOOP, etc
+        @error "Encountered broken filesystem entry '$path'" exception=(err,catch_backtrace())
+        return false
+    end
+end
+
 function verify_artifacts(artifacts; show_status::Bool=true)
     removals = []
     removals_lock = ReentrantLock()
@@ -799,7 +820,7 @@ function verify_artifacts(artifacts; show_status::Bool=true)
     p = Progress(length(jobs); desc="Verifying artifacts: ",
                  enabled=isinteractive() && show_status)
     @threads for (path, tree_hash) in jobs
-        if tree_hash != Base.SHA1(Pkg.GitTools.tree_hash(path))
+        if !is_hasheable(path) || Base.SHA1(Pkg.GitTools.tree_hash(path)) != tree_hash
             # remove corrupt artifacts
             @debug "A broken artifact was found: $entry"
             lock(removals_lock) do
@@ -914,7 +935,7 @@ function remove_uncacheable_packages(registry, package_dir; show_status::Bool=tr
             # because that would result in the build script not being run.
             @debug "Package $(name) has a build script, and cannot be cached"
             remove = true
-        elseif Base.SHA1(Pkg.GitTools.tree_hash(path)) != tree_hash
+        elseif !is_hasheable(path) || Base.SHA1(Pkg.GitTools.tree_hash(path)) != tree_hash
             # the contents of the package should match what's in the registry,
             # so that we don't cache broken checkouts or other weirdness.
             @debug "Package $(name) has been modified, and cannot be cached"
diff --git a/src/sandbox.jl b/src/sandbox.jl
index def0586c..cb6c3ba7 100644
--- a/src/sandbox.jl
+++ b/src/sandbox.jl
@@ -164,7 +164,7 @@ function run_sandbox(config::Configuration, setup, args...; workdir=nothing, wai
     mkpath(bundle_path)
     config_path = joinpath(bundle_path, "config.json")
     open(config_path, "w") do io
-        JSON3.write(io, sandbox_config)
+        JSON3.pretty(io, JSON3.write(sandbox_config))
     end
 
     proc = run(pipeline(`$(crun()) --systemd-cgroup --root $(container_root) run --bundle $bundle_path $(sandbox.name)`;