3 files changed, 21 insertions, 2 deletions

diff --git a/src/buildtool/common/repository_config.hpp b/src/buildtool/common/repository_config.hpp
index 61eb4b7c..68023b8e 100644
--- a/src/buildtool/common/repository_config.hpp
+++ b/src/buildtool/common/repository_config.hpp
@@ -86,8 +86,10 @@ class RepositoryConfig {
         std::string const& hex_id,
         LogLevel log_failure = LogLevel::Warning) const noexcept
         -> std::optional<std::string> {
-        return git_cas_ ? git_cas_->ReadObject(
-                              hex_id, /*is_hex_id=*/true, log_failure)
+        return git_cas_ ? git_cas_->ReadObject(hex_id,
+                                               /*is_hex_id=*/true,
+                                               /*validate=*/false,
+                                               log_failure)
                         : std::nullopt;
     }
 
diff --git a/src/buildtool/file_system/git_cas.cpp b/src/buildtool/file_system/git_cas.cpp
index 1af1dde2..b49a75dd 100644
--- a/src/buildtool/file_system/git_cas.cpp
+++ b/src/buildtool/file_system/git_cas.cpp
@@ -136,6 +136,7 @@ auto GitCAS::CreateEmpty() noexcept -> GitCASPtr {
 
 auto GitCAS::ReadObject(std::string const& id,
                         bool is_hex_id,
+                        bool as_valid_symlink,
                         LogLevel log_failure) const noexcept
     -> std::optional<std::string> {
 #ifdef BOOTSTRAP_BUILD_TOOL
@@ -161,8 +162,21 @@ auto GitCAS::ReadObject(std::string const& id,
 
     std::string data(static_cast<char const*>(git_odb_object_data(obj)),
                      git_odb_object_size(obj));
+    auto obj_type = GitTypeToObjectType(git_odb_object_type(obj));
     git_odb_object_free(obj);
 
+    if (as_valid_symlink) {
+        if (not obj_type) {
+            return std::nullopt;
+        }
+        if (not IsTreeObject(*obj_type) and not PathIsNonUpwards(data)) {
+            Logger::Log(log_failure,
+                        "invalid git object {}: upwards symlink",
+                        is_hex_id ? id : ToHexString(id));
+            return std::nullopt;
+        }
+    }
+
     return data;
 #endif
 }
diff --git a/src/buildtool/file_system/git_cas.hpp b/src/buildtool/file_system/git_cas.hpp
index 299f7a2f..23fc4c14 100644
--- a/src/buildtool/file_system/git_cas.hpp
+++ b/src/buildtool/file_system/git_cas.hpp
@@ -65,10 +65,13 @@ class GitCAS {
     /// \brief Read object from CAS.
     /// \param id          The object id.
     /// \param is_hex_id   Specify whether `id` is hex string or raw.
+    /// \param as_valid_symlink Specify whether to treat any read blob as a
+    ///                         valid symlink and check for non-upwardness.
     /// \param log_failure Log level at which to log failures accessing the
     /// object.
     [[nodiscard]] auto ReadObject(std::string const& id,
                                   bool is_hex_id,
+                                  bool as_valid_symlink = false,
                                   LogLevel log_failure = LogLevel::Warning)
         const noexcept -> std::optional<std::string>;