Merge pull request #20 from mbarbin/fix-escaping-paths

Fix escaping paths

Author: mbarbin

CHANGES.md

@@ -1,3 +1,13 @@
+## 0.4.0 (unreleased)
+
+### Added
+
+- Document handling of escaping relative paths (#PR, @mbarbin).
+
+### Changed
+
+- `Relative_path.t` now rejects paths that escape above their starting point (#PR, @mbarbin).
+
 ## 0.3.1 (2025-05-26)
 
 ### Changed

doc/explanation/dune

@@ -0,0 +1,10 @@
+(env
+ (_
+  (env-vars
+   (OCAMLRUNPARAM b=0))))
+
+(mdx
+ (package fpath-base-dev)
+ (deps
+  (package fpath-base))
+ (preludes prelude.txt))

doc/explanation/path-normalization.md

@@ -0,0 +1,83 @@
+# Path Normalization and Escaping Prevention
+
+## Overview
+
+Starting in version 0.4.0, `Relative_path.t` rejects paths that escape above their starting point.
+
+**The process:**
+1. Paths are normalized using `Fpath.normalize` (resolves `.` and `..` segments)
+2. If the normalized path has leading `..` segments, it's rejected by `Relative_path.t`
+
+## What Gets Rejected
+
+Paths that escape above their starting point:
+
+```ocaml
+# Relative_path.v ".." ;;
+Exception:
+Invalid_argument "Relative_path.v: path \"..\" escapes above starting point".
+# Relative_path.v "../config" ;;
+Exception:
+Invalid_argument
+ "Relative_path.v: path \"../config\" escapes above starting point".
+# Relative_path.v "a/../.." ;;
+Exception:
+Invalid_argument
+ "Relative_path.v: path \"a/../..\" escapes above starting point".
+```
+
+Paths that stay within bounds are accepted:
+
+```ocaml
+# Relative_path.to_string (Relative_path.v "a/..") ;;
+- : string = "./"
+# Relative_path.to_string (Relative_path.v "a/b/../c") ;;
+- : string = "a/c"
+```
+
+## Why This Matters
+
+### Prevents Memory Growth
+
+Before v0.4.0, calling `parent` repeatedly could grow memory unboundedly:
+
+<!-- $MDX skip -->
+```ocaml
+(* Before: Starting from "./" *)
+parent "./"    (* -> "../" *)
+parent "../"   (* -> "../../" *)
+parent "../../" (* -> "../../../" ... forever *)
+```
+
+After v0.4.0:
+
+```ocaml
+# Relative_path.parent Relative_path.empty ;;
+- : Relative_path.t option = None
+```
+
+### Type Safety Guarantee
+
+`Relative_path.t` now guarantees the path won't escape above its starting point, making it safe for:
+- Sandbox operations (can't escape sandbox root)
+- Archive extraction (can't write outside target directory)
+- Path concatenation (stays within base directory)
+
+## When You Need Escaping Paths
+
+If you need paths with leading `..` segments, use `Fpath.t` directly:
+
+```ocaml
+# let path : Fpath.t = Fpath.v "../config" |> Fpath.normalize ;;
+val path : Fpath.t = <abstr>
+```
+
+## Type Selection Guide
+
+```
+Does the path escape above its starting point (has leading ".." after normalization)?
+├─ YES → Use Fpath.t
+└─ NO  → Does it start from filesystem root?
+         ├─ YES → Use Absolute_path.t
+         └─ NO  → Use Relative_path.t
+```

doc/explanation/prelude.txt

@@ -0,0 +1,2 @@
+#require "fpath-base" ;;
+open Fpath_base ;;

doc/guides/dune

@@ -0,0 +1,10 @@
+(env
+ (_
+  (env-vars
+   (OCAMLRUNPARAM b=0))))
+
+(mdx
+ (package fpath-base-dev)
+ (deps
+  (package fpath-base))
+ (preludes prelude.txt))

doc/guides/migration-0.4.0.md

@@ -0,0 +1,119 @@
+# Migration Guide: Version 0.4.0
+
+## Summary
+
+Version 0.4.0 makes `Relative_path.t` reject paths that escape above their starting point (paths with leading `..` segments after normalization).
+
+## Breaking Changes
+
+### Construction Functions
+
+All construction functions (`v`, `of_string`, `of_fpath`) now reject escaping paths:
+
+```ocaml
+# Relative_path.v "../config" ;;
+Exception:
+Invalid_argument
+ "Relative_path.v: path \"../config\" escapes above starting point".
+```
+
+**Migration options:**
+
+Use `Absolute_path.t` for explicit paths:
+```ocaml
+# let path = Absolute_path.v "/path/to/parent/config" ;;
+val path : Absolute_path.t = <abstr>
+```
+
+Or use `Fpath.t` for paths that may escape:
+```ocaml
+# let path : Fpath.t = Fpath.v "../config" |> Fpath.normalize ;;
+val path : Fpath.t = <abstr>
+```
+
+### Parent Function
+
+Returns `None` for the empty path (previously returned `"../"`):
+
+```ocaml
+# Relative_path.parent Relative_path.empty ;;
+- : Relative_path.t option = None
+```
+
+This fixes infinite loops in upward navigation:
+
+```ocaml
+# let rec navigate_to_root path =
+    match Relative_path.parent path with
+    | None -> path
+    | Some p -> navigate_to_root p ;;
+val navigate_to_root : Relative_path.t -> Relative_path.t = <fun>
+# Relative_path.to_string (navigate_to_root (Relative_path.v "a/b/c")) ;;
+- : string = "./"
+```
+
+### Extend Function
+
+Raises `Invalid_argument` if extending creates an escaping path:
+
+```ocaml
+# Relative_path.extend Relative_path.empty (Fsegment.v "..") ;;
+Exception:
+Invalid_argument
+ "Relative_path.extend: path \"./..\" escapes above starting point".
+```
+
+**Migration:** Use `Fpath.t` if segments might create escaping paths.
+
+### Chop Prefix/Suffix
+
+Empty prefix/suffix now returns `Some path` (previously `None`):
+
+```ocaml
+# match Relative_path.chop_prefix (Relative_path.v "foo/bar") ~prefix:Relative_path.empty with
+  | None -> "no match"
+  | Some p -> Relative_path.to_string p ;;
+- : string = "foo/bar"
+```
+
+## Common Migration Patterns
+
+### Dynamic Path Construction
+
+Validate paths and handle rejections:
+
+```ocaml
+# let load_relative_file filename =
+    match Relative_path.of_string filename with
+    | Error (`Msg err) -> Error err
+    | Ok path -> Ok path ;;
+val load_relative_file : string -> (Relative_path.t, string) result = <fun>
+# load_relative_file "config/settings.conf" ;;
+- : (Relative_path.t, string) result = Ok <abstr>
+```
+
+### Upward Navigation
+
+Use absolute paths for upward traversal:
+
+```ocaml
+# let find_project_root has_marker current_path =
+    let rec search path =
+      if has_marker path then Some path
+      else
+        match Absolute_path.parent path with
+        | None -> None
+        | Some parent -> search parent
+    in
+    search current_path ;;
+val find_project_root :
+  (Absolute_path.t -> bool) -> Absolute_path.t -> Absolute_path.t option =
+  <fun>
+```
+
+## Why These Changes
+
+1. **Improve type safety** - `Relative_path.t` guarantees non-escaping
+2. **Less error-prone APIs** for sandbox operations and recursive parent traversal
+
+See [Path Normalization](../explanation/path-normalization.md) for more details.

doc/guides/prelude.txt

@@ -0,0 +1,2 @@
+#require "fpath-base" ;;
+open Fpath_base ;;

dune-project

@@ -15,6 +15,8 @@
 
 (documentation "https://mbarbin.github.io/fpath-base/")
 
+(using mdx 0.4)
+
 ;; The value for the [implicit_transitive_deps] option is set during the CI
 ;; depending on the OCaml compiler version.
 ;;
@@ -120,6 +122,8 @@
    (= :version))
   (fpath-sexp0
    (= :version))
+  (mdx
+   (>= 2.4))
   (ppx_compare
    (>= v0.17))
   (ppx_enumerate

fpath-base-dev.opam

@@ -19,6 +19,7 @@ depends: [
   "fpath-base" {= version}
   "fpath-base-tests" {= version}
   "fpath-sexp0" {= version}
+  "mdx" {>= "2.4"}
   "ppx_compare" {>= "v0.17"}
   "ppx_enumerate" {>= "v0.17"}
   "ppx_expect" {>= "v0.17"}