Resolve sparse checkout paths with SecureJoin

When validating that the paths listed in `spec.sparseCheckout`
exist in the cloned working tree, resolve each entry with
`securejoin.SecureJoin` instead of `filepath.Join`. `filepath.Join`
collapses parent-directory segments via `filepath.Clean`, so a
configured path like `../foo` would have been checked against a
location outside the working tree, masking a missing entry behind
an unrelated filesystem stat. SecureJoin keeps the resolved path
inside the working tree, matching the pattern already used for
include paths elsewhere in the controller.

Assisted-by: claude-code/opus-4.7
Signed-off-by: Hidde Beydals <hidde@hhh.computer>

Author: hiddeco

internal/controller/gitrepository_controller.go

@@ -1319,7 +1319,10 @@ func gitContentConfigChanged(obj *sourcev1.GitRepository, includes *artifactSet)
 func (r *GitRepositoryReconciler) validateSparseCheckoutPaths(obj *sourcev1.GitRepository, dir string) error {
 	if obj.Spec.SparseCheckout != nil {
 		for _, path := range obj.Spec.SparseCheckout {
-			fullPath := filepath.Join(dir, path)
+			fullPath, err := securejoin.SecureJoin(dir, path)
+			if err != nil {
+				return fmt.Errorf("sparse checkout dir '%s' cannot be resolved: %w", path, err)
+			}
 			if _, err := os.Lstat(fullPath); err != nil {
 				return fmt.Errorf("sparse checkout dir '%s' does not exist in repository: %w", path, err)
 			}

internal/controller/gitrepository_controller_test.go

@@ -3101,6 +3101,42 @@ func resetChmod(path string, dirMode os.FileMode, fileMode os.FileMode) error {
 	return nil
 }
 
+func TestGitRepositoryReconciler_validateSparseCheckoutPaths(t *testing.T) {
+	t.Run("succeeds when configured paths exist in the working directory", func(t *testing.T) {
+		g := NewWithT(t)
+
+		dir := t.TempDir()
+		g.Expect(os.MkdirAll(filepath.Join(dir, "a", "b"), 0o700)).To(Succeed())
+
+		obj := &sourcev1.GitRepository{
+			Spec: sourcev1.GitRepositorySpec{SparseCheckout: []string{"a/b"}},
+		}
+
+		r := &GitRepositoryReconciler{}
+		g.Expect(r.validateSparseCheckoutPaths(obj, dir)).To(Succeed())
+	})
+
+	t.Run("errors when a configured path is not present in the working directory", func(t *testing.T) {
+		g := NewWithT(t)
+
+		// The working directory has nothing in it; a sibling of the working
+		// directory exists at the same name as the requested path.
+		parent := t.TempDir()
+		dir := filepath.Join(parent, "work")
+		g.Expect(os.Mkdir(dir, 0o700)).To(Succeed())
+		g.Expect(os.MkdirAll(filepath.Join(parent, "sibling"), 0o700)).To(Succeed())
+
+		obj := &sourcev1.GitRepository{
+			Spec: sourcev1.GitRepositorySpec{SparseCheckout: []string{"../sibling"}},
+		}
+
+		r := &GitRepositoryReconciler{}
+		err := r.validateSparseCheckoutPaths(obj, dir)
+		g.Expect(err).To(HaveOccurred())
+		g.Expect(err.Error()).To(ContainSubstring("../sibling"))
+	})
+}
+
 func TestGitRepositoryIncludeEqual(t *testing.T) {
 	tests := []struct {
 		name string