fix(node): close under-withholding via full ref scope and full-history classification (#42)

[beardthelion]

Closes #42.

Re-homes the under-withholding fix onto current main as a focused same-repo PR. It previously lived in #46 (a fork PR from when this work predated a maintainer); #46's other commits are already covered elsewhere (blind recipients via #40, partial-recipient and mirror fail-closed via #67/#69), so #46 will be closed in favor of this.

Rebased onto main after #90 (per-push delta pin) landed. #90 reworked object enumeration for the pin path, so the "reachable-only pin set" half this work originally carried is no longer needed and has been dropped. The PR is now scoped to the withheld-blob classifier.

What it does:

• Classifies the withheld-blob set across the full ref scope and full history, not just the refs/heads + refs/tags tips. A blob reachable only through a non-standard ref namespace, only in older history (a since-deleted file), or only via a detached HEAD is still withheld. upload-pack (serve) and feat(node): pin the per-push object delta instead of re-enumerating the whole repo #90's whole-repo pin fallback both expose the full reachable object graph, so classifying only ref-tip trees would under-withhold.
• Fails closed on any ref that does not resolve to a commit. Each ref is peeled fully with <ref>^{} through git cat-file --batch-check, so a ref pointing at a blob or tree, or an annotated tag (including a nested one) of such an object, is refused rather than silently skipped. git rev-list --all skips those refs while the serve and pin paths still expose their target object.
• Walks history once per call: withheld_blob_recipients now shares the blob_paths result with the withheld-set computation instead of walking it twice.

Implementation note: the ref peel writes its queries to cat-file on a separate thread while the main thread drains stdout, so a repo with many (or long-named) refs cannot deadlock the classifier.

Tests: withholding via a non-standard ref, a detached HEAD, and a blob deleted at the tip but reachable in history; fail-closed on an untraversable ref, an annotated tag of a blob, and a ref pointing at a missing object; an annotated tag and a nested tag of a commit that must not fail closed; a blob shared across an allowed and a denied path; and a many-long-named-ref regression guard for the peel.

Known adjacent gap (not this PR): #90's pin candidate set (git cat-file --batch-all-objects) can include unreachable/dangling objects the reachable-only classifier never sees, and replicable_objects replicates anything not explicitly withheld, so an unreachable private blob could be pinned in cleartext. Tracked separately in #99.

Summary by CodeRabbit

• Bug Fixes
  • Improved “fail-closed” blob visibility checks: all refs must resolve to commits, and invalid/missing targets now block withholding decisions.
  • Reworked history and path handling to reliably walk reachable commits and compute withheld blobs using raw path bytes (safer for non-ASCII and control characters).
  • Ensured recipients and paths are derived consistently, and prevented incorrect withholding when a blob exists in both allowed and denied locations.
• Tests
  • Added coverage for detached/unborn states, custom ref namespaces, non-UTF-8 paths, annotated-tag peel errors, unreachable refs, and large batches of dangling refs.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b88ea02f-aab7-49b3-8a72-7f20464fc719

📥 Commits

Reviewing files that changed from the base of the PR and between 3266eaf and 836bf7b.

📒 Files selected for processing (1)

• crates/gitlawb-node/src/git/visibility_pack.rs

🚧 Files skipped from review as they are similar to previous changes (1)

• crates/gitlawb-node/src/git/visibility_pack.rs

---

📝 Walkthrough

Walkthrough

visibility_pack.rs now validates every ref target, traverses reachable commits plus HEAD into unique blob/path pairs, and reuses that same pair list to compute withheld OIDs and recipients. Tests add coverage for detached HEAD, custom refs, missing targets, and overlapping path cases.

Changes

Visibility pack withholding traversal

Layer / File(s)	Summary
Ref validation and blob walk crates/gitlawb-node/src/git/visibility_pack.rs	assert_all_refs_are_commits peels every ref target before traversal, and blob_paths collects unique (blob_oid, path) pairs from reachable commits plus resolved HEAD.
Shared withheld pair reuse crates/gitlawb-node/src/git/visibility_pack.rs	withheld_blob_oids derives withheld blobs from blob_paths via withheld_from_pairs, and withheld_blob_recipients reuses the same pairs for withheld and recipient mapping.
Withholding regression coverage crates/gitlawb-node/src/git/visibility_pack.rs	Tests cover custom refs, detached HEAD, history-only blobs, missing or non-commit refs, long dangling refs, annotated tag peeling, and overlapping allowed/denied blob paths.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related issues

• Phase 3 withholding: incomplete withheld set can leak blobs in cleartext (ref namespace scope + fail-open ref walk) #42: blob_paths now enumerates all refs, peels targets strictly, and fails closed on missing or non-commit objects, matching the issue’s traversal-scope and skipped-error concerns.

Possibly related PRs

• Gitlawb/node#28: Both changes center on visibility_pack withholding behavior, so this PR’s stricter blob-path and withheld-OID computation directly affects that flow.
• Gitlawb/node#34: That PR consumes visibility_pack::withheld_blob_oids, and this PR rewrites the same withheld-blob computation and recipient mapping paths it relies on.
• Gitlawb/node#90: Both changes touch the central withheld-set flow used by replication and recipient handling.

Suggested labels

kind:bug

Suggested reviewers

• kevincodex1

Poem

I hopped through refs by moonlit light,
and sniffed each commit tree just right.
No dangling tag could fool my nose,
The withheld set blooms like carrot rows,
🐇✨ hop hop—history stays bright.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly summarizes the main fix: closing under-withholding by expanding ref scope and history classification.
Description check	✅ Passed	The description covers the issue, scope, implementation, tests, and reviewer context; only the template's formal section headings/checklist are missing.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/under-withholding-ref-scope

---

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@crates/gitlawb-node/src/git/visibility_pack.rs`:
- Around line 40-43: The current implementation in the ref-walking loop only
uses git ls-tree to examine blobs at each ref tip, but this misses blobs in
historical commits that remain reachable via commit history. This creates a
security gap where the visibility pack fails to classify all reachable objects
that other flows like rev-list traversals would include. Replace the git ls-tree
command with git rev-list --objects (or an equivalent command that traverses
full commit history) to ensure all blobs reachable from each ref, including
those in older commits, are properly classified. This will align the visibility
classification with what the rev-list based flows use elsewhere in the codebase.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b7f77d48-b23e-4b59-a8ac-d96a6cd83b78

📥 Commits

Reviewing files that changed from the base of the PR and between 2153b0b and 53cd319.

📒 Files selected for processing (3)

• crates/gitlawb-node/src/git/visibility_pack.rs
• crates/gitlawb-node/src/ipfs_pin.rs
• crates/gitlawb-node/src/pinata.rs

[beardthelion]

@kevincodex1 flagging this one as higher priority. It closes the under-withholding hole (#42): full ref scope plus a reachable-only pin set so history blobs can't leak past a path-scoped withhold. It's also a gate for follow-on work, the reconciliation sweep can't land until this is in main. All green (tests, clippy, cargo audit, MSRV, CodeQL), mergeable, no open threads. Ready when you are.

[jatmn]

Findings

1. Merge conflicts with main — BLOCKING

• Severity: High
• Evidence: gh pr view 84 reports "mergeable":"CONFLICTING". A local git diff main against the checked-out branch shows large unrelated deletions (.env.example, auth/mod.rs, config.rs, git/push_delta.rs, docs/RUN-A-NODE.md, api/repos.rs, etc.) that are not part of the intended PR diff (gh pr diff 84 only touches visibility_pack.rs, ipfs_pin.rs, and pinata.rs).
• Impact: Cannot be merged as-is; must be rebased/merged onto current main and conflicts resolved before review approval.

2. Detached HEAD not included in pin enumerators

• Severity: Medium
• Files: crates/gitlawb-node/src/ipfs_pin.rs (lines 154–180), crates/gitlawb-node/src/pinata.rs (lines 137–159)
• Details:
  • blob_paths in visibility_pack.rs explicitly appends HEAD to the commit enumeration when store::head_commit resolves (visibility_pack.rs:81–85), ensuring a blob reachable only via a detached HEAD is still classified.
  • The two pin listers, ipfs_pin::list_all_objects and pinata::list_all_objects, run git rev-list --objects --all without HEAD. In a detached-HEAD repository, git rev-list --objects --all does not traverse the commit recorded in HEAD because --all only walks refs under refs/.
  • This creates a mismatch: the withholding set is a superset of what the pin set actually replicates. Public objects reachable only through a detached HEAD would be classified as replicable but then not pinned, producing an silent under-pinning/availability gap.
• Recommendation: Make the pin enumerators mirror blob_paths: append HEAD to the rev-list arguments whenever store::head_commit(repo_path).is_some(), or, better, share a single "reachable objects" helper between visibility_pack, ipfs_pin, and pinata so the three sites cannot drift again.

3. blob_paths is now expensive for large/long histories

• Severity: Medium
• File: crates/gitlawb-node/src/git/visibility_pack.rs (lines 34–132)
• Details:
  • The old implementation ran git ls-tree -r <ref> once per ref tip.
  • The new implementation runs git rev-list --all to enumerate every reachable commit, then runs git ls-tree -r <commit> for every commit in history.
  • For repositories with deep history, this is O(history × tree-size) and may materially slow down every push/serve/pin path that calls withheld_blob_oids.
• Recommendation: This may be a necessary cost for per-path classification across history, but it should be benchmarked on a representative repo. If the cost is too high, consider caching the (oid, path) set per repo or documenting the expected latency. Avoid further duplicating this work (see next finding).

4. withheld_blob_recipients recomputes the full blob_paths set

• Severity: Low
• File: crates/gitlawb-node/src/git/visibility_pack.rs (lines 176–205)
• Details:
  • withheld_blob_recipients calls withheld_blob_oids (which computes blob_paths) and then calls blob_paths again to build the recipient map.
  • With the new O(history) implementation, this doubles the expensive enumeration.
• Recommendation: Refactor so the caller computes blob_paths once and reuses it, or have withheld_blob_oids return both the withheld set and the path map used to compute it.

5. Minor: for-each-ref parsing could be more robust

• Severity: Low
• File: crates/gitlawb-node/src/git/visibility_pack.rs (lines 41–75)
• Details:
  • The code formats each ref as %(objecttype) %(*objecttype) %(refname) and splits on whitespace.
  • Refnames cannot contain whitespace, so this is safe today, but a NUL-delimited format (--format=...%00...) plus split('\0') would be more robust and avoid the ad-hoc token arithmetic for annotated tags.
• Recommendation: Optional cleanup; not a blocker.

[beardthelion]

Pushed 3266eaf. Rebased onto main and worked your findings.

1. Resolved. Merged main; the branch is mergeable and 0 behind. The collision was with feat(node): pin the per-push object delta instead of re-enumerating the whole repo #90, which is what moved the pin-set work below.

2. Mooted by feat(node): pin the per-push object delta instead of re-enumerating the whole repo #90. The pin enumerators you flagged (ipfs_pin/pinata list_all_objects over rev-list --all) no longer exist: feat(node): pin the per-push object delta instead of re-enumerating the whole repo #90 centralized enumeration in push_delta and the pin path now takes a candidate OID set. The classifier still appends HEAD, so the serve path's detached-HEAD case stays covered.

3. The per-commit ls-tree is load-bearing for correctness, not just thoroughness. rev-list --objects reports one path per blob, but a blob that appears at both an allowed and a denied path has to be evaluated at each, so the walk can't collapse to a single --objects pass. Left as-is and documented; caching is the right lever if the cost shows up, not a narrower walk.

4. Fixed. Extracted withheld_from_pairs so withheld_blob_recipients shares one blob_paths walk with the withheld-set computation instead of walking history twice.

5. Done. Replaced the %(*objecttype) token parsing with a full <ref>^{} peel through git cat-file --batch-check. That also fixes a real bug in the old one-level peel: a nested annotated tag of a commit was misread as a non-commit and failed the whole walk closed. The peel feeds cat-file stdin on a separate thread while draining stdout, so it can't deadlock on a repo with many or long-named refs. Added tests for the nested-tag, annotated-tag-of-blob, missing-object, shared-allowed/denied-path, and many-ref cases.

One adjacent thing I hit while tracing this: #90's pin candidate set uses cat-file --batch-all-objects (which includes unreachable objects) while this classifier is reachable-only, and replicable_objects is fail-open, so an unreachable private blob could be pinned in cleartext. It is independent of this PR and pre-dates it on main; filed as #99.

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

crates/gitlawb-node/src/git/visibility_pack.rs (1)

180-203: 🔒 Security & Privacy | 🔴 Critical

Use git ls-tree -rz and parse raw entries here.
git ls-tree -r C-quotes paths by default, so a path like secret/café.txt is stored as /"secret/caf\303\251.txt" and visibility rules such as /secret/** can miss it. Parse NUL-delimited output and reject malformed entries instead of lossy-decoding them.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@crates/gitlawb-node/src/git/visibility_pack.rs` around lines 180 - 203, The
path parsing in the git tree listing logic is using the quoted text output from
Command::new("git") with ls-tree -r, which can mangle non-ASCII or
special-character paths and break visibility matching. Update the listing flow
in the visibility_pack.rs code that builds out from git ls-tree to use git
ls-tree -rz, parse NUL-delimited raw entries, and reject malformed entries
explicitly instead of relying on lossy UTF-8 decoding or split_once on quoted
lines.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@crates/gitlawb-node/src/git/visibility_pack.rs`:
- Around line 180-203: The path parsing in the git tree listing logic is using
the quoted text output from Command::new("git") with ls-tree -r, which can
mangle non-ASCII or special-character paths and break visibility matching.
Update the listing flow in the visibility_pack.rs code that builds out from git
ls-tree to use git ls-tree -rz, parse NUL-delimited raw entries, and reject
malformed entries explicitly instead of relying on lossy UTF-8 decoding or
split_once on quoted lines.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e0b64e30-fd64-49dd-a5ca-efef347fdba6

📥 Commits

Reviewing files that changed from the base of the PR and between 687b068 and 3266eaf.

📒 Files selected for processing (1)

• crates/gitlawb-node/src/git/visibility_pack.rs

[jatmn]

1. git ls-tree -r C-quotes non-ASCII paths, causing under-withholding (CodeRabbit finding, unaddressed)

Severity: High / blocking — privacy/security.

Location: crates/gitlawb-node/src/git/visibility_pack.rs, blob_paths (lines 180–205).

Details:
The code parses tree entries from plain git ls-tree -r <commit> output and extracts the path by splitting on \t:

let listing = std::process::Command::new("git")
    .args(["ls-tree", "-r", commit])
    ...
let Some((meta, path)) = line.split_once('\t') else {
    continue;
};

Git's default text output C-quotes path names that contain non-ASCII bytes. I verified this directly: a blob at secret/café.txt is emitted by git ls-tree -r HEAD as:

100644 blob 33ea03ba1db1ac1fdfdc0c0a7cc57d3673ae3c1b	"secret/caf\303\251.txt"

The path string the code stores is therefore "/\"secret/caf\\303\\251.txt\"" (quotes and escapes included). That literal string does not match a visibility rule such as /secret/**, so the blob is not withheld. A secret blob stored under a non-ASCII path inside a denied subtree would be served/pinned in cleartext.

The fix is to use git ls-tree -rz and parse NUL-delimited raw records. With -z, the same entry is emitted as:

100644 blob 33ea03ba1db1ac1fdfdc0c0a7cc57d3673ae3c1b secret/café.txt<NUL>

The parser would need to split records on \0 and split each record on the first ASCII space sequence, rather than on \t and newlines.

Recommendation:

• Switch blob_paths to git ls-tree -rz <commit> and parse NUL-delimited raw output.
• Add a regression test with a non-ASCII (or otherwise C-quoted) path under a denied subtree to ensure it is withheld.

---

[beardthelion]

Fixed in 836bf7b.

blob_paths now runs git ls-tree -rz and parses the NUL-delimited records, so paths come back raw instead of C-quoted. secret/café.txt keeps its raw bytes and matches /secret/**, so the blob is withheld. Confirmed on git 2.43: -r emits "secret/caf\303\251.txt" (quoted, no match, leaked); -rz emits the raw path (withheld). -rz also ignores core.quotePath, so a repo can't re-enable quoting to dodge the filter.

While there I closed the adjacent byte-vs-string hole: the parse used from_utf8_lossy, so a genuinely non-UTF-8 byte in a denied directory name would be rewritten to U+FFFD and stop matching its rule. It now parses strictly with from_utf8 and fails closed (the whole walk aborts) on invalid UTF-8 rather than serving a partial set.

Regression tests cover all three: a non-ASCII path stays withheld (and the public blob still replicates), a TAB+newline path stays withheld (pins the -rz raw-path and NUL-record parse against a revert), and a non-UTF-8 path fails closed.

Separate from this PR: glob_matches in visibility.rs does a byte-level prefix compare, so an NFC-vs-NFD skew between a deny rule and the stored path won't match. Pre-existing, tracking it on its own.

[jatmn]

No blocking findings.

The implementation correctly:

• Covers non-standard ref namespaces and detached HEAD.
• Walks full reachable history rather than only ref-tip trees.
• Fails closed on unclassifiable refs, missing objects, and invalid UTF-8 paths.
• Avoids the cat-file stdin/stdout deadlock via a concurrent writer thread.
• Reuses the blob_paths listing between withheld-set and recipient-map computation.
• Parses raw (-z) ls-tree output so non-ASCII and special-character paths match visibility rules.
• Uses strict std::str::from_utf8 rather than lossy decoding for path bytes.

Non-blocking observations

1. Performance of per-commit ls-tree: Walking every reachable commit and running git ls-tree -rz per commit is O(history × tree-size). The author documents this as a deliberate correctness-vs-thoroughness trade-off in the code comments and PR description; caching can be added later if profiling shows it is needed. Not a blocker for this security fix.
2. Unreachable/dangling objects (#99): The PR explicitly scopes out unreachable objects. The author already filed #99 to track the adjacent risk that push_delta.rs::list_all_objects uses git cat-file --batch-all-objects (which includes unreachable/dangling objects) while the classifier is reachable-only. This is noted and out of scope here.
3. Windows-only test coverage: The two cfg(unix) tests for TAB/newline and non-UTF-8 paths do not run on Windows. This is appropriate because those byte sequences are not legal in Windows filenames, so the fixtures cannot be built there. The non-ASCII path test runs on Windows and passed.

@kevincodex1 LGTM