Commit 24e75d3
committed
backup: M4-2b reject walker-skipped names + backslash in encoded keymap path (codex P2 #928 round 4)
Two related findings on encode_s3_collision.go's validateKeymapEncodedPath:
1. Encoded backslash slips past slash-only segment scan. On Windows
filepath.Join treats '\' as a path separator, but
strings.Split(encoded, '/') doesn't see it. A corrupt KEYMAP
entry like 'dir\\x.elastickv-leaf-data' passes target
verification (Lstat against the joined Windows path) and the
walk later looks up the slash-form, missing the backslash-keyed
record - emits the renamed on-disk key instead of failing closed.
2. Encoded targets that the walker skips. walkObjectEntry returns
nil for top-level '_bucket.json', top-level 'KEYMAP.jsonl' (when
a tracker is loaded), and anything ending in
S3MetaSuffixReserved (sidecars). A KEYMAP entry naming one of
those paths passes the IsRegular check but the walk drops it -
the rename is silently ignored.
Fix: validateKeymapEncodedPath now also:
- Rejects any backslash anywhere in rec.Encoded (mirrors
safeJoinUnderRoot's backslash guard).
- Rejects encoded paths ending in S3MetaSuffixReserved (sidecar
suffix at any depth).
- Rejects bare '_bucket.json' and 'KEYMAP.jsonl' (top-level
control files). Nested 'prefix/_bucket.json' and
'prefix/KEYMAP.jsonl' remain valid user object keys (the walk
processes them normally).
Caller audit: validateKeymapEncodedPath is invoked once from
validateKeymapRecord (single chain). No call-site changes.
Regression tests:
- TestValidateKeymapEncodedPath_Backslash: 4 cases covering
middle / leading / trailing / multi-segment backslash.
- TestValidateKeymapEncodedPath_WalkerSkipped: 6-case table
covering top-level reserved + sidecar suffix (top-level +
nested) + accepted nested user-key forms.1 parent 3c6fb92 commit 24e75d3
2 files changed
Lines changed: 104 additions & 5 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
193 | 193 | | |
194 | 194 | | |
195 | 195 | | |
196 | | - | |
197 | | - | |
198 | | - | |
199 | | - | |
| 196 | + | |
| 197 | + | |
| 198 | + | |
| 199 | + | |
| 200 | + | |
| 201 | + | |
| 202 | + | |
| 203 | + | |
| 204 | + | |
| 205 | + | |
| 206 | + | |
| 207 | + | |
| 208 | + | |
| 209 | + | |
200 | 210 | | |
201 | | - | |
| 211 | + | |
| 212 | + | |
| 213 | + | |
| 214 | + | |
| 215 | + | |
| 216 | + | |
202 | 217 | | |
203 | 218 | | |
204 | 219 | | |
205 | 220 | | |
206 | 221 | | |
| 222 | + | |
| 223 | + | |
| 224 | + | |
| 225 | + | |
| 226 | + | |
| 227 | + | |
| 228 | + | |
| 229 | + | |
| 230 | + | |
| 231 | + | |
| 232 | + | |
| 233 | + | |
| 234 | + | |
| 235 | + | |
207 | 236 | | |
208 | 237 | | |
209 | 238 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
253 | 253 | | |
254 | 254 | | |
255 | 255 | | |
| 256 | + | |
| 257 | + | |
| 258 | + | |
| 259 | + | |
| 260 | + | |
| 261 | + | |
| 262 | + | |
| 263 | + | |
| 264 | + | |
| 265 | + | |
| 266 | + | |
| 267 | + | |
| 268 | + | |
| 269 | + | |
| 270 | + | |
| 271 | + | |
| 272 | + | |
| 273 | + | |
| 274 | + | |
| 275 | + | |
| 276 | + | |
| 277 | + | |
| 278 | + | |
| 279 | + | |
| 280 | + | |
| 281 | + | |
| 282 | + | |
| 283 | + | |
| 284 | + | |
| 285 | + | |
| 286 | + | |
| 287 | + | |
| 288 | + | |
| 289 | + | |
| 290 | + | |
| 291 | + | |
| 292 | + | |
| 293 | + | |
| 294 | + | |
| 295 | + | |
| 296 | + | |
| 297 | + | |
| 298 | + | |
| 299 | + | |
| 300 | + | |
| 301 | + | |
| 302 | + | |
| 303 | + | |
| 304 | + | |
| 305 | + | |
| 306 | + | |
| 307 | + | |
| 308 | + | |
| 309 | + | |
| 310 | + | |
| 311 | + | |
| 312 | + | |
| 313 | + | |
| 314 | + | |
| 315 | + | |
| 316 | + | |
| 317 | + | |
| 318 | + | |
| 319 | + | |
| 320 | + | |
| 321 | + | |
| 322 | + | |
| 323 | + | |
| 324 | + | |
| 325 | + | |
256 | 326 | | |
257 | 327 | | |
258 | 328 | | |
| |||
0 commit comments