filter out control characters in error messages

giveup changed to filter out control characters. (It is too low level to
make it use StringContainingQuotedPath.)

error still does not, but it should only be used for internal errors,
where the message is not attacker-controlled.

Changed a lot of existing error to giveup when it is not strictly an
internal error.

Of course, other exceptions can still be thrown, either by code in
git-annex, or a library, that include some attacker-controlled value.
This does not guard against those.

Sponsored-by: Noam Kremen on Patreon

8 files changed, 12 insertions, 11 deletions

diff --git a/Git/CatFile.hs b/Git/CatFile.hs
index f33ad493b7..daa41ad083 100644
--- a/Git/CatFile.hs
+++ b/Git/CatFile.hs
@@ -120,7 +120,7 @@ catObjectDetails h object = query (catFileProcess h) object newlinefallback $ \f
 			content <- readObjectContent from r
 			return $ Just (content, sha, objtype)
 		Just DNE -> return Nothing
-		Nothing -> error $ "unknown response from git cat-file " ++ show (header, object)
+		Nothing -> giveup $ "unknown response from git cat-file " ++ show (header, object)
   where
 	-- Slow fallback path for filenames containing newlines.
 	newlinefallback = queryObjectType object (catFileGitRepo h) >>= \case
@@ -144,7 +144,7 @@ readObjectContent h (ParsedResp _ _ size) = do
 	eatchar expected = do
 		c <- hGetChar h
 		when (c /= expected) $
-			error $ "missing " ++ (show expected) ++ " from git cat-file"
+			giveup $ "missing " ++ (show expected) ++ " from git cat-file"
 readObjectContent _ DNE = error "internal"
 
 {- Gets the size and type of an object, without reading its content. -}
diff --git a/Git/CheckAttr.hs b/Git/CheckAttr.hs
index e4a7ea9d40..f93c9075cf 100644
--- a/Git/CheckAttr.hs
+++ b/Git/CheckAttr.hs
@@ -54,7 +54,7 @@ checkAttrs (h, attrs, currdir) want file = do
 	getvals l (x:xs) = case map snd $ filter (\(attr, _) -> attr == x) l of
 			["unspecified"] -> "" : getvals l xs
 			[v] -> v : getvals l xs
-			_ -> error $ "unable to determine " ++ x ++ " attribute of " ++ fromRawFilePath file
+			_ -> giveup $ "unable to determine " ++ x ++ " attribute of " ++ fromRawFilePath file
 
 	send to = B.hPutStr to $ file' `B.snoc` 0
 	receive c from = do
diff --git a/Git/Construct.hs b/Git/Construct.hs
index a64a9d5566..82929d9076 100644
--- a/Git/Construct.hs
+++ b/Git/Construct.hs
@@ -86,7 +86,7 @@ fromAbsPath :: RawFilePath -> IO Repo
 fromAbsPath dir
 	| absoluteGitPath dir = fromPath dir
 	| otherwise =
-		error $ "internal error, " ++ show dir ++ " is not absolute"
+		giveup $ "internal error, " ++ show dir ++ " is not absolute"
 
 {- Construct a Repo for a remote's url.
  -
diff --git a/Git/DiffTree.hs b/Git/DiffTree.hs
index d57ca385c0..3be5cb980a 100644
--- a/Git/DiffTree.hs
+++ b/Git/DiffTree.hs
@@ -113,8 +113,8 @@ parseDiffRaw l = go l
 	go [] = []
 	go (info:f:rest) = case A.parse (parserDiffRaw (L.toStrict f)) info of
 		A.Done _ r -> r : go rest
-		A.Fail _ _ err -> error $ "diff-tree parse error: " ++ err
-	go (s:[]) = error $ "diff-tree parse error near \"" ++ decodeBL s ++ "\""
+		A.Fail _ _ err -> giveup $ "diff-tree parse error: " ++ err
+	go (s:[]) = giveup $ "diff-tree parse error near \"" ++ decodeBL s ++ "\""
 
 -- :<srcmode> SP <dstmode> SP <srcsha> SP <dstsha> SP <status>
 --
diff --git a/Git/PktLine.hs b/Git/PktLine.hs
index a49cfc2b63..95e8af26be 100644
--- a/Git/PktLine.hs
+++ b/Git/PktLine.hs
@@ -31,6 +31,7 @@ import Text.Printf
 
 import Utility.PartialPrelude
 import Utility.FileSystemEncoding
+import Utility.Exception
 
 {- This is a variable length binary string, but its size is limited to
  - maxPktLineLength. Its serialization includes a 4 byte hexadecimal
@@ -96,7 +97,7 @@ encodePktLine b
 stringPktLine :: String -> PktLine
 stringPktLine s
 	| length s > maxPktLineLength =
-		error "textPktLine called with too-long value"
+		giveup "textPktLine called with too-long value"
 	| otherwise = PktLine (encodeBS s <> "\n")
 
 {- Sends a PktLine to a Handle, and flushes it so that it will be
diff --git a/Git/Sha.hs b/Git/Sha.hs
index a66c34ee2c..389bcc01a3 100644
--- a/Git/Sha.hs
+++ b/Git/Sha.hs
@@ -20,7 +20,7 @@ import Data.Char
 getSha :: String -> IO S.ByteString -> IO Sha
 getSha subcommand a = maybe bad return =<< extractSha <$> a
   where
-	bad = error $ "failed to read sha from git " ++ subcommand
+	bad = giveup $ "failed to read sha from git " ++ subcommand
 
 {- Extracts the Sha from a ByteString. 
  -
diff --git a/Git/Tree.hs b/Git/Tree.hs
index 48ed126cfe..8c034be4cd 100644
--- a/Git/Tree.hs
+++ b/Git/Tree.hs
@@ -62,7 +62,7 @@ data TreeContent
 getTree :: LsTree.LsTreeRecursive -> Ref -> Repo -> IO Tree
 getTree recursive r repo = do
 	(l, cleanup) <- lsTreeWithObjects recursive r repo
-	let !t = either (\e -> error ("ls-tree parse error:" ++ e)) id
+	let !t = either (\e -> giveup ("ls-tree parse error:" ++ e)) id
 		(extractTree l)
 	void cleanup
 	return t
@@ -254,7 +254,7 @@ adjustTree adjusttreeitem addtreeitems resolveaddconflict removefiles r repo =
 					Just (TreeItem f m s) -> 
 						let commit = TreeCommit f m s
 						in go h wasmodified (commit:c) depth intree is
-			_ -> error ("unexpected object type \"" ++ decodeBS (LsTree.typeobj i) ++ "\"")
+			_ -> giveup ("unexpected object type \"" ++ decodeBS (LsTree.typeobj i) ++ "\"")
 		| otherwise = return (c, wasmodified, i:is)
 
 	adjustlist h depth ishere underhere l = do
diff --git a/Git/UnionMerge.hs b/Git/UnionMerge.hs
index ffa5773975..9f738da844 100644
--- a/Git/UnionMerge.hs
+++ b/Git/UnionMerge.hs
@@ -78,7 +78,7 @@ doMerge hashhandle ch differ repo streamer = do
 	go [] = noop
 	go (info:file:rest) = mergeFile info file hashhandle ch >>=
 		maybe (go rest) (\l -> streamer l >> go rest)
-	go (_:[]) = error $ "parse error " ++ show differ
+	go (_:[]) = giveup $ "parse error " ++ show differ
 
 {- Given an info line from a git raw diff, and the filename, generates
  - a line suitable for update-index that union merges the two sides of the