Commit Graph

9 Commits

Author SHA1 Message Date
Ondřej Pohořelský
4da6d5f30c Update license year 2021-06-01 14:53:58 +02:00
brian m. carlson
a66274014c
tools: add a function to properly canonicalize paths
Git consistently uses canonicalized paths internally.  This is for many
reasons, but mostly to verify that a single path is within a repository.
In order to interoperate properly with Git, we need to canonicalize
paths and do it in the same way as Git.

On Unix systems, to canonicalize a path, it is sufficient to make the
path absolute and then resolve any symlinks.  Go provides two functions
to do these two steps, filepath.Abs and filepath.EvalSymlinks, and they
work as advertised.

Windows, however, has much more complex path handling and these
functions do not handle all cases.  The typical way to canonicalize
paths on Windows is using GetFinalPathNameByHandle, and this is the
technique Git uses.

Go, however, does not provide a general API to canonicalize paths,
unlike Rust's std::fs::canonicalize and similar functionality in myriad
other languages.  Therefore, in order to get this working on Windows,
let's add a function to canonicalize paths in the appropriate system
way, one for Unix systems and one for Windows.  The code comes from Go's
standard library, so update the copyright and license accordingly.

Update the CanonicalizePath function to use the new function.  We
duplicate the Abs call because we an absolute path in CanonicalizePath
in some cases even if the path is missing, whereas the new function
needs to do it in all cases because we will use it in other situations in
the future.  This should be a simple string check, so it should not
involve an extra system call or other overhead.
2021-03-01 22:10:19 +00:00
brian m. carlson
74d5f2397f
subprocess: avoid using relative program names
When Go runs a program with os.exec, it uses the LookPath function to
look up the path name if the path does not contain a path separator.  On
Unix, this provides the standard Unix semantics by looking in PATH.
However, on Windows, it also looks in the current directory as well to
emulate the behavior of CMD.

Unfortunately, this is a well-known security flaw on Windows and similar
behavior there is the source for several whole classes of security
vulnerabilities.  This leads to an untrusted repository being able to
create a git.bat file that gets executed in preference to our trusted
path for the git binary.

Since we don't want to rely on Go fixing this behavior, let's import
some code from Go to provide the Unix semantics for LookPath, which are
secure if the user hasn't put the current directory in PATH.  That
should provide secure behavior in this case.  Fortunately, our code goes
through one particular place to run all commands, so this is a
relatively simple fix.

Update the various copyright and license files to reflect our imported
code.
2020-11-02 20:57:56 +00:00
dan2468
dfeb697c35
updated copyright year 2020-01-22 19:26:10 +02:00
brian m. carlson
2a6da03fcf
LICENSE: document use of other Go modules
Document that we use other Go modules which are available under
different license terms, so that folks aren't confused, and point them
to the other license files.
2020-01-15 18:23:50 +00:00
Jess
1b7b445934
Update LICENSE.md
update license year
2018-07-30 21:17:02 +08:00
Ben Balter
6faa2589cf Add copyright date to license 2016-11-23 12:23:13 -05:00
Ben Balter
4ccebb5daa Remove the license description from the license itself 2016-11-23 11:40:24 -05:00
Julio Avalos
285389d73c Rename LICENSE to LICENSE.md 2015-08-04 14:57:11 -07:00
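
The lookup problem described in commit 74d5f2397f above, as an added Go example (not code from this repository or from Go's standard library): a resolver that only consults PATH entries and never the working directory. The name `LookPathNoCwd`, the `exts` parameter, and the choice to skip empty and relative PATH entries (stricter than plain Unix semantics) are assumptions of this sketch.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"runtime"
	"strings"
)

// ErrNotInPath is returned when no usable PATH entry holds the program.
var ErrNotInPath = errors.New("program not found in PATH")

// isRunnable reports whether p is a regular file; on Unix it must also carry an execute bit.
func isRunnable(p string) bool {
	info, err := os.Stat(p)
	if err != nil || !info.Mode().IsRegular() {
		return false
	}
	return runtime.GOOS == "windows" || info.Mode()&0o111 != 0
}

// LookPathNoCwd resolves a bare program name against the entries of pathEnv only.
// exts lists the suffixes to try ("" on Unix, PATHEXT-style entries on Windows).
// Empty and relative entries are skipped: an assumption of this sketch, stricter than Unix.
func LookPathNoCwd(name, pathEnv string, exts []string) (string, error) {
	if strings.ContainsAny(name, `/\`) {
		return "", fmt.Errorf("%q: expected a bare program name", name)
	}
	for _, dir := range filepath.SplitList(pathEnv) {
		if !filepath.IsAbs(dir) {
			continue // "" and "." would both mean the current directory
		}
		for _, ext := range exts {
			if candidate := filepath.Join(dir, name+ext); isRunnable(candidate) {
				return candidate, nil
			}
		}
	}
	return "", ErrNotInPath
}

func main() {
	// Resolve once, then hand the absolute path to exec.Command instead of the bare name.
	p, err := LookPathNoCwd("git", os.Getenv("PATH"), []string{"", ".exe", ".bat"})
	fmt.Println(p, err)
}
```

A file named `git` or `git.bat` in the working directory is never returned, because the working directory is never searched unless it appears in PATH as an absolute entry.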