| author | orcas | 2019-09-15 00:32:54 +0800 | 
|---|---|---|
| committer | Jakob Unterwurzacher | 2020-02-28 22:17:59 +0100 | 
| commit | 9ec042f2f62bc95154d6c8b3215a2e7853f8f5c6 (patch) | |
| tree | 3a2225151361c7f2f51f57b51d613e29d6ce809b /internal | |
| parent | eeefddad6a254607329c08a4ed6051c068283a06 (diff) | |
Show undecryptable filenames if they match supplied glob
Resolves https://github.com/rfjakob/gocryptfs/issues/393
Diffstat (limited to 'internal')
| -rw-r--r-- | internal/nametransform/names.go | 22 | 
1 files changed, 20 insertions, 2 deletions
|
diff --git a/internal/nametransform/names.go b/internal/nametransform/names.go
index d5c2c8b..de70bce 100644
--- a/internal/nametransform/names.go
+++ b/internal/nametransform/names.go
@@ -5,6 +5,7 @@ import (
 	"bytes"
 	"crypto/aes"
 	"encoding/base64"
+	"path/filepath"
 	"syscall"
 	"github.com/rfjakob/eme"
@@ -35,6 +36,8 @@ type NameTransform struct {
 	// B64 = either base64.URLEncoding or base64.RawURLEncoding, depending
 	// on the Raw64 feature flag
 	B64 *base64.Encoding
+	// Patterns to bypass decryption
+	BadnamePatterns []string
 }
 // New returns a new NameTransform instance.
@@ -50,9 +53,24 @@ func New(e *eme.EMECipher, longNames bool, raw64 bool) *NameTransform {
 	}
 }
-// DecryptName decrypts a base64-encoded encrypted filename "cipherName" using the
-// initialization vector "iv".
+// DecryptName calls decryptName to try and decrypt a base64-encoded encrypted
+// filename "cipherName", and failing that checks if it can be bypassed
 func (n *NameTransform) DecryptName(cipherName string, iv []byte) (string, error) {
+	res, err := n.decryptName(cipherName, iv)
+	if err != nil {
+		for _, pattern := range n.BadnamePatterns {
+			match, err := filepath.Match(pattern, cipherName)
+			if err == nil && match { // Pattern should have been validated already
+				return "GOCRYPTFS_BAD_NAME " + cipherName, nil
+			}
+		}
+	}
+	return res, err
+}
+
+// decryptName decrypts a base64-encoded encrypted filename "cipherName" using the
+// initialization vector "iv".
+func (n *NameTransform) decryptName(cipherName string, iv []byte) (string, error) {
 	bin, err := n.B64.DecodeString(cipherName)
 	if err != nil {
 		return "", err |
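Review bot: The comment on `BadnamePatterns` in the NameTransform struct hunk says only "bypass decryption", which does not tell a reader what is matched or what a match causes. Going by the DecryptName hunk, these are `filepath.Match` globs tested against the on-disk ciphertext name, and only after decryption has already failed; I would write `// BadnamePatterns are filepath.Match globs; a ciphertext name that fails decryption but matches one is surfaced instead of rejected.` It is also worth stating that an empty slice keeps the previous strict behaviour, since New's signature in the next hunk header takes no patterns and the field is presumably assigned by the caller afterwards.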
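Review bot: In DecryptName, a name that fails decryption but matches a `BadnamePatterns` glob is returned with a nil error, so callers can no longer tell a name that passed decryption from raw, unverified content of the ciphertext directory. The only marker is the inline literal `"GOCRYPTFS_BAD_NAME "`, which a legitimately decrypted name could also begin with. I would hoist it to a package constant, for example `const BadNamePrefix = "GOCRYPTFS_BAD_NAME "`, and say in the doc comment that everything after the prefix is controlled by whoever can write to the backing storage. The inner `match, err := filepath.Match(pattern, cipherName)` also shadows the decrypt error and silently discards `filepath.ErrBadPattern`; renaming it (`match, merr := ...`) and logging a bad pattern would make a misconfigured glob visible instead of having it simply never match. Where the patterns are validated is not visible in this hunk.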
