import { spawn, execSync } from 'child_process';

import { existsSync, statSync, mkdirSync, writeFileSync } from 'fs';

import { join, resolve, dirname } from 'path';

import { getDataRoot } from '../utils/url.js';

/**

* Check if a URL path is a Git protocol request

* @param {string} urlPath - The URL path

* @returns {boolean}

*/

export function isGitRequest(urlPath) {

return urlPath.includes('/info/refs') ||

urlPath.includes('/git-upload-pack') ||

urlPath.includes('/git-receive-pack');

}

/**

* Determine if this is a write operation (push)

* @param {string} urlPath - The URL path

* @returns {boolean}

*/

export function isGitWriteOperation(urlPath) {

return urlPath.includes('/git-receive-pack') || urlPath.includes('service=git-receive-pack');

}

/**

* Extract the repository path from the URL with path traversal protection

* @param {string} urlPath - The URL path

* @returns {string|null} The repository relative path or null

*/

function extractRepoPath(urlPath) {

// Remove git service suffixes to get the repo path

let cleanPath = urlPath

.replace(/\/info\/refs.*$/, '')

.replace(/\/git-upload-pack$/, '')

.replace(/\/git-receive-pack$/, '');

// Remove leading slash

cleanPath = cleanPath.replace(/^\//, '');

// Security: remove path traversal attempts (multiple passes for ....// bypass)

let previous;

do {

previous = cleanPath;

cleanPath = cleanPath.replace(/\.\./g, '');

} while (cleanPath !== previous);

// Use '.' for root/empty path

return cleanPath === '' ? '.' : cleanPath;

}

/**

* Validate that a resolved path is within the data root

* @param {string} resolvedPath - Absolute path to validate

* @param {string} dataRoot - The data root directory

* @returns {boolean} - true if path is safe

*/

function isPathWithinDataRoot(resolvedPath, dataRoot) {

const normalizedRoot = resolve(dataRoot);

const normalizedPath = resolve(resolvedPath);

return normalizedPath.startsWith(normalizedRoot + '/') || normalizedPath === normalizedRoot;

}

/**

* Find the git directory for a path

* @param {string} repoPath - Absolute path to check

* @returns {{gitDir: string, isRegular: boolean}|null}

*/

function findGitDir(repoPath) {

if (!existsSync(repoPath) || !statSync(repoPath).isDirectory()) {

return null;

}

// Check for regular repo with .git subdirectory

const dotGitPath = join(repoPath, '.git');

if (existsSync(dotGitPath) && statSync(dotGitPath).isDirectory()) {

return { gitDir: dotGitPath, isRegular: true };

}

// Check for bare repository

const objectsPath = join(repoPath, 'objects');

const refsPath = join(repoPath, 'refs');

if (existsSync(objectsPath) && existsSync(refsPath)) {

return { gitDir: repoPath, isRegular: false };

}

return null;

}

/**

* Handle Git HTTP requests using git http-backend

* @param {FastifyRequest} request

* @param {FastifyReply} reply

*/

export async function handleGit(request, reply) {

// Handle CORS preflight

if (request.method === 'OPTIONS') {

reply.header('Access-Control-Allow-Origin', '*');

reply.header('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');

reply.header('Access-Control-Allow-Headers', 'Content-Type, Authorization');

return reply.code(200).send();

}

const urlPath = decodeURIComponent(request.url.split('?')[0]);

const queryString = request.url.split('?')[1] || '';

// Extract repository path

const repoRelative = extractRepoPath(urlPath);

if (!repoRelative) {

return reply.code(400).send({ error: 'Invalid git request' });

}

// Handle subdomain mode

let dataRoot = getDataRoot();

if (request.podName) {

dataRoot = join(dataRoot, request.podName);

}

const repoAbs = resolve(dataRoot, repoRelative);

// Security: verify resolved path is within data root (path traversal protection)

if (!isPathWithinDataRoot(repoAbs, getDataRoot())) {

return reply.code(403).send({ error: 'Path traversal detected' });

}

// Find git directory

const gitInfo = findGitDir(repoAbs);

if (!gitInfo) {

return reply.code(404).send({ error: 'Not a git repository' });

}

// Auto-configure repos to accept pushes (check full URL for query string)

if (isGitWriteOperation(request.url)) {

try {

// Enable receive-pack for HTTP push

execSync('git config http.receivepack true', {

cwd: repoAbs,

env: { ...process.env, GIT_DIR: gitInfo.gitDir }

});

// For non-bare repos, auto-update working directory after push

if (gitInfo.isRegular) {

execSync('git config receive.denyCurrentBranch updateInstead', {

cwd: repoAbs,

env: { ...process.env, GIT_DIR: gitInfo.gitDir }

});

}

} catch (e) {

// Ignore config errors - repo may still work

}

}

// Build CGI environment

const env = {

...process.env,

GIT_PROJECT_ROOT: dataRoot,

GIT_HTTP_EXPORT_ALL: '', // Allow read access

GIT_HTTP_RECEIVE_PACK: 'true', // Enable push

GIT_CONFIG_PARAMETERS: "'uploadpack.allowTipSHA1InWant=true'",

PATH_INFO: urlPath,

REQUEST_METHOD: request.method,

CONTENT_TYPE: request.headers['content-type'] || '',

QUERY_STRING: queryString,

REMOTE_USER: request.webId || '', // Pass authenticated user

CONTENT_LENGTH: request.headers['content-length'] || '0',

};

// For regular repositories, set GIT_DIR

if (gitInfo.isRegular) {

env.GIT_DIR = gitInfo.gitDir;

}

// Spawn git http-backend

return new Promise((resolve, reject) => {

const child = spawn('git', ['http-backend'], { env });

let buffer = Buffer.alloc(0);

let headersSent = false;

child.stdout.on('data', (data) => {

buffer = Buffer.concat([buffer, data]);

if (!headersSent) {

// Look for end of CGI headers (try both \r\n\r\n and \n\n)

let headerEnd = buffer.indexOf('\r\n\r\n');

let headerSep = '\r\n';

let headerEndLen = 4;

if (headerEnd === -1) {

headerEnd = buffer.indexOf('\n\n');

headerSep = '\n';

headerEndLen = 2;

}

if (headerEnd !== -1) {

const headerSection = buffer.subarray(0, headerEnd).toString();

const bodySection = buffer.subarray(headerEnd + headerEndLen);

// Parse CGI headers and set on raw response

const lines = headerSection.split(headerSep);

let statusCode = 200;

for (const line of lines) {

const colonIndex = line.indexOf(':');

if (colonIndex > 0) {

const key = line.substring(0, colonIndex).trim();

const value = line.substring(colonIndex + 1).trim();

// Handle Status header specially

if (key.toLowerCase() === 'status') {

statusCode = parseInt(value.split(' ')[0], 10);

} else {

reply.raw.setHeader(key, value);

}

}

}

// Add CORS headers for browser git clients

reply.raw.setHeader('Access-Control-Allow-Origin', '*');

reply.raw.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');

reply.raw.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization');

reply.raw.writeHead(statusCode);

headersSent = true;

reply.raw.write(bodySection);

buffer = Buffer.alloc(0);

}

} else {

reply.raw.write(buffer);

buffer = Buffer.alloc(0);

}

});

child.stdout.on('end', () => {

reply.raw.end();

resolve();

});

// Send request body to git

// For POST requests, Fastify has already parsed the body into request.body

if (request.body && request.body.length > 0) {

child.stdin.write(request.body);

child.stdin.end();

} else {

// For GET requests or empty bodies, just close stdin

child.stdin.end();

}

// Log errors

child.stderr.on('data', (data) => {

console.error('git http-backend stderr:', data.toString());

});

child.on('error', (err) => {

console.error('Failed to spawn git http-backend:', err);

if (!headersSent) {

reply.code(500).send({ error: 'Git backend error' });

}

resolve();

});

child.on('close', (code) => {

if (code !== 0 && !headersSent) {

reply.code(500).send({ error: 'Git operation failed' });

}

resolve();

});

});

}