From 244d4c56768fcc60bd1b23fe45df7a57c7b293ec Mon Sep 17 00:00:00 2001 From: Craig Jennings Date: Sat, 16 May 2026 11:30:04 -0500 Subject: feat(gptel-tools): harden path validation with file-truename realpath Resolves PATH through file-truename before applying home-directory and read/write checks across the path-handling tools (git_status, git_log, git_diff, move_to_trash, read_text_file, update_text_file, write_text_file, list_directory_files, read_buffer, web_fetch). Without the resolve step, a symlink under HOME pointing outside HOME would pass the prefix check but the tool would act on the real target -- a symlink-escape. move_to_trash also tightens the trash-bin construction (treats empty file extensions correctly) and switches the "critical directories" list to truename-resolved canonical forms so a symlinked ~/.config can't be trashed via an aliased path. update_text_file fixes an off-by-one in the line-count derivation when the source content is empty. Each source change pairs with tests in tests/test-gptel-tools-*.el and tests/test-update-text-file.el covering the realpath escape paths, the empty-extension trash case, and the empty-content line- count edge. Combined coverage is now 100% across all ten gptel-tools source files: 516 / 516 executable lines, 217 tests. --- tests/test-gptel-tools-git-log.el | 52 +++++++++++++++++++++++++++++++++++++-- 1 file changed, 50 insertions(+), 2 deletions(-) (limited to 'tests/test-gptel-tools-git-log.el') diff --git a/tests/test-gptel-tools-git-log.el b/tests/test-gptel-tools-git-log.el index 708819b6..c0503039 100644 --- a/tests/test-gptel-tools-git-log.el +++ b/tests/test-gptel-tools-git-log.el 
@@ -36,8 +36,13 @@ Call FN with the absolute path, clean up after." (call-process "git" nil nil nil "config" "user.email" "test@x") (call-process "git" nil nil nil "config" "user.name" "Test") (dotimes (i commit-count) - (call-process "git" nil nil nil "commit" "--allow-empty" - "--quiet" "-m" (format "commit %d" i)))) + (let ((process-environment + (append + (list "GIT_AUTHOR_DATE=2000-01-01T00:00:00+0000" + "GIT_COMMITTER_DATE=2000-01-01T00:00:00+0000") + process-environment))) + (call-process "git" nil nil nil "commit" "--allow-empty" + "--quiet" "-m" (format "commit %d" i))))) (funcall fn dir)) (when (file-exists-p dir) (delete-directory dir t))))) @@ -92,6 +97,26 @@ Call FN with the absolute path, clean up after." (should-error (cj/gptel-git-log--validate-path dir)) (when (file-exists-p dir) (delete-directory dir t))))) +(ert-deftest test-gptel-tools-git-log-validate-path-error-not-a-directory () + "Error: file paths are rejected." + (let ((file (make-temp-file + (expand-file-name ".test-gptel-tools-git-log-file-" "~")))) + (unwind-protect + (should-error (cj/gptel-git-log--validate-path file)) + (when (file-exists-p file) (delete-file file))))) + +(ert-deftest test-gptel-tools-git-log-validate-path-error-symlink-outside-home () + "Error: symlinked directories resolving outside HOME are rejected." + (let ((link (expand-file-name + (format ".test-gptel-tools-git-log-link-%s" + (format-time-string "%s%N")) + "~"))) + (unwind-protect + (progn + (make-symbolic-link "/tmp" link t) + (should-error (cj/gptel-git-log--validate-path link))) + (when (file-symlink-p link) (delete-file link))))) + ;; ---------- run (ert-deftest test-gptel-tools-git-log-run-default-count () 
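Review bot: The fixed 2000-01-01 author/committer dates bound around the `commit` call are load-bearing for `test-gptel-tools-git-log-run-since-no-match` in the last hunk, which filters with "2001-01-01", but nothing at the binding says so. I would add a comment above the `let`, for example `;; Pin commit dates: the --since tests rely on every commit predating 2001-01-01.`, and mention the pinned date in the helper's docstring. The helper's definition starts above this hunk, so only the tail of its docstring is visible here.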
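Review bot: The bare `should-error` in `test-gptel-tools-git-log-validate-path-error-symlink-outside-home` accepts any error, so the test does not prove that the truename/HOME check is what rejected the link. `/tmp` is presumably not a git repository, so if `cj/gptel-git-log--validate-path` (not visible here) also rejects non-repositories, the test stays green even with the realpath check removed. Capture the condition and pin the reason, e.g. `(let ((err (should-error (cj/gptel-git-log--validate-path link)))) (should (string-match-p "<expected outside-HOME message>" (error-message-string err))))`. The same applies to `...validate-path-error-not-a-directory` in this hunk and to `...run-error-on-git-log-failure` in the next one. Hard-coding `/tmp` also assumes HOME never resolves to `/tmp` or a parent of it, which a comment could state.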
@@ -112,6 +137,29 @@ Call FN with the absolute path, clean up after." (lines (split-string (string-trim out) "\n"))) (should (= (length lines) 3)))))) +(ert-deftest test-gptel-tools-git-log-run-since-no-match () + "Boundary: --since filter with no matching commits returns marker." + (test-gptel-tools-git-log--with-repo + 1 + (lambda (dir) + (let ((out (cj/gptel-git-log--run dir 10 "2001-01-01"))) + (should (string-match-p "No commits" out)))))) + +(ert-deftest test-gptel-tools-git-log-run-error-on-git-log-failure () + "Error: non-zero git log exits are surfaced." + (test-gptel-tools-git-log--with-repo + 1 + (lambda (dir) + (cl-letf (((symbol-function 'process-file) + (lambda (program infile destination display &rest args) + (if (member "log" args) + (progn + (when (bufferp destination) + (with-current-buffer destination (insert "bad log"))) + 2) + (apply #'call-process program infile destination display args))))) + (should-error (cj/gptel-git-log--run dir)))))) + (ert-deftest test-gptel-tools-git-log-run-empty-repo () "Boundary: a repo with no commits returns the empty-result marker." (let* ((name (format ".test-gptel-tools-git-log-empty-%s" -- cgit v1.2.3
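Review bot: The `process-file` stub in `test-gptel-tools-git-log-run-error-on-git-log-failure` inserts "bad log" only when `destination` is a buffer object. If `cj/gptel-git-log--run` (not visible here) passes `t` or a `(BUFFER STDERR-FILE)` list, the simulated output is silently dropped and only the exit status 2 is exercised. Handling the current-buffer case keeps the stub faithful: `(cond ((bufferp destination) (with-current-buffer destination (insert "bad log"))) ((eq destination t) (insert "bad log")))`. A one-line comment that every non-`log` git invocation is passed through to `call-process` would also make the intent of the `member` test clear.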