Disallow parent path component

Author: theory

schema/v2/path.schema.json

@@ -5,6 +5,7 @@
   "description": "A *Path* is a string with a relative file path that identifies a file in the Distribution. The path **MUST** be specified with Unix conventions.",
   "type": "string",
   "minLength": 2,
+  "format": "path",
   "pattern": "^(?:[^/\\\\]|\\\\\\\\)(?:[^\\\\]|\\\\\\\\)+$",
   "$comment": "https://regex101.com/r/d49AVj",
   "examples": [".git", "src/pair.c", "doc/pair.md"]

tests/common/mod.rs

@@ -1,4 +1,5 @@
 use std::fs::{self, File};
+use std::path::{Component, Path};
 use std::{collections::HashMap, error::Error};
 
 use boon::{Compiler, Schemas};
@@ -90,6 +91,10 @@ pub fn id_for(version: u8, schema: &str) -> String {
 pub fn new_compiler(dir: &str) -> Result<Compiler, Box<dyn Error>> {
     let mut compiler = Compiler::new();
     compiler.enable_format_assertions();
+    compiler.register_format(boon::Format {
+        name: "path",
+        func: is_path,
+    });
     let paths = fs::read_dir(dir)?;
     for path in paths {
         let path = path?.path();
@@ -110,6 +115,24 @@ pub fn new_compiler(dir: &str) -> Result<Compiler, Box<dyn Error>> {
     Ok(compiler)
 }
 
+fn is_path(v: &Value) -> Result<(), Box<dyn Error>> {
+    let Value::String(s) = v else {
+        return Ok(()); // applicable only on strings
+    };
+
+    let path = Path::new(s);
+    for c in path.components() {
+        match c {
+            Component::ParentDir => Err("parent dir")?,
+            Component::Prefix(_) => Err("windows path")?,
+            Component::RootDir => Err("absolute path")?,
+            _ => (),
+        };
+    }
+
+    Ok(())
+}
+
 pub fn test_term_schema(mut compiler: Compiler, version: u8) -> Result<(), Box<dyn Error>> {
     let mut schemas = Schemas::new();
     let id = id_for(version, "term");

tests/v2_schema_test.rs

@@ -83,10 +83,10 @@ fn test_v2_path() -> Result<(), Box<dyn Error>> {
         json!("\\foo.md"),
         json!("this\\and\\that.txt"),
         json!("/absolute/path"),
-        // ECMA supports look-ahead, but the regex crate does not.
+        // Enforced only by custom format for now.
         // https://github.com/santhosh-tekuri/boon/issues/19
-        // json!("../outside/path"),
-        // json!("thing/../other"),
+        json!("../outside/path"),
+        json!("thing/../other"),
     ] {
         if schemas.validate(&invalid_path, idx).is_ok() {
             panic!("{} unexpectedly passed!", invalid_path)