Eagerly reject unsupported Git schemes

Initially, we were limiting Git schemes to HTTPS and SSH as only supported schemes. We lost this validation in #3429. This incidentally allow file schemes, which apparently work with Git out of the box.

A caveat for this is that in `tool.uv.sources`, we parse the `git` field always as URL. This caused a problem with #11425: `repo = { git = 'c:\path\to\repo', rev = "xxxxx" }` was parsed as a URL where `c:` is the scheme, causing a bad error message down the line.

This PR:
* Puts Git URL validation back in place
* Allows `file:` URL in Git: This seems to be supported by Git and we were supporting it albeit unintentionally, so it's reasonable to continue to support it.
* It does _not_ allow relative paths in the `git` field in `tool.uv.sources`. Absolute file URLs are supported, whether we want relative file URLs for Git too should be discussed separately.

Closes #3429: We reject the input with a proper error message, while hinting the user towards `file:`. If there's still desire for a relative path, we can reopen.

Author: konstin

crates/uv-distribution-types/src/error.rs

@@ -21,4 +21,7 @@ pub enum Error {
 
     #[error("Requested package name `{0}` does not match `{1}` in the distribution filename: {2}")]
     PackageNameMismatch(PackageName, PackageName, String),
+
+    #[error("Unsupported git URL scheme `{0}:` in `{1}`, only `https:`, `ssh:` and `file:` are supported")]
+    UnsupportedGitScheme(String, Url),
 }

crates/uv-distribution-types/src/lib.rs

@@ -474,6 +474,15 @@ impl Dist {
         git: GitUrl,
         subdirectory: Option<PathBuf>,
     ) -> Result<Dist, Error> {
+        match url.scheme() {
+            "https" | "ssh" | "file" => {}
+            unsupported => {
+                return Err(Error::UnsupportedGitScheme(
+                    unsupported.to_string(),
+                    url.to_url(),
+                ))
+            }
+        }
         Ok(Self::Source(SourceDist::Git(GitSourceDist {
             name,
             git: Box::new(git),

crates/uv-git/src/resolver.rs

@@ -3,17 +3,19 @@ use std::path::PathBuf;
 use std::str::FromStr;
 use std::sync::Arc;
 
-use tracing::debug;
-
-use crate::{Fetch, GitHubRepository, GitOid, GitReference, GitSource, GitUrl, Reporter};
 use dashmap::mapref::one::Ref;
 use dashmap::DashMap;
 use fs_err::tokio as fs;
 use reqwest_middleware::ClientWithMiddleware;
+use tracing::debug;
+use url::Url;
+
 use uv_cache_key::{cache_digest, RepositoryUrl};
 use uv_fs::LockedFile;
 use uv_version::version;
 
+use crate::{Fetch, GitHubRepository, GitOid, GitReference, GitSource, GitUrl, Reporter};
+
 #[derive(Debug, thiserror::Error)]
 pub enum GitResolverError {
     #[error(transparent)]
@@ -26,6 +28,8 @@ pub enum GitResolverError {
     Reqwest(#[from] reqwest::Error),
     #[error(transparent)]
     ReqwestMiddleware(#[from] reqwest_middleware::Error),
+    #[error("Unsupported git URL scheme `{0}:` in `{1}`, only `https:`, `ssh:` and `file:` are supported")]
+    UnsupportedGitScheme(String, Url),
 }
 
 /// A resolver for Git repositories.
@@ -112,6 +116,16 @@ impl GitResolver {
     ) -> Result<Fetch, GitResolverError> {
         debug!("Fetching source distribution from Git: {url}");
 
+        match url.repository.scheme() {
+            "https" | "ssh" | "file" => {}
+            unsupported => {
+                return Err(GitResolverError::UnsupportedGitScheme(
+                    unsupported.to_string(),
+                    url.repository().clone(),
+                ))
+            }
+        }
+
         let reference = RepositoryReference::from(url);
 
         // If we know the precise commit already, reuse it, to ensure that all fetches within a

crates/uv-requirements/src/lib.rs

@@ -69,6 +69,15 @@ pub(crate) fn required_dist(
             } else {
                 GitUrl::from_reference(repository.clone(), reference.clone())
             };
+            match url.scheme() {
+                "https" | "ssh" | "file" => {}
+                unsupported => {
+                    return Err(uv_distribution_types::Error::UnsupportedGitScheme(
+                        unsupported.to_string(),
+                        url.to_url(),
+                    ))
+                }
+            }
             Dist::Source(SourceDist::Git(GitSourceDist {
                 name: requirement.name.clone(),
                 git: Box::new(git_url),

crates/uv-workspace/src/pyproject.rs

@@ -1056,6 +1056,18 @@ impl<'de> Deserialize<'de> for Source {
                 ));
             }
 
+            match git.scheme() {
+                "https" | "ssh" | "file" => {}
+                unsupported => {
+                    return Err(serde::de::Error::custom(format!(
+                        "Unsupported git URL scheme `{}:` in `{}`, \
+                        only `https:`, `ssh:` and `file:` are supported",
+                        unsupported.to_string(),
+                        git.clone(),
+                    )))
+                }
+            }
+
             // At most one of `rev`, `tag`, or `branch` may be set.
             match (rev.as_ref(), tag.as_ref(), branch.as_ref()) {
                 (None, None, None) => {}

crates/uv/tests/it/edit.rs

@@ -9743,3 +9743,21 @@ fn repeated_index_cli_reversed() -> Result<()> {
 
     Ok(())
 }
+
+#[test]
+fn add_unsupported_git_scheme() -> Result<()> {
+    let context = TestContext::new("3.12");
+
+    context.init().arg(".").assert().success();
+
+    uv_snapshot!(context.filters(), context.add().arg("git+fantasy://ferris/dreams/of/urls@7701ffcbae245819b828dc5f885a5201158897ef"), @r###"
+    success: false
+    exit_code: 2
+    ----- stdout -----
+
+    ----- stderr -----
+    error: Unsupported git URL scheme `fantasy:` in `fantasy://ferris/dreams/of/urls`, only `https:`, `ssh:` and `file:` are supported
+    "###);
+
+    Ok(())
+}

crates/uv/tests/it/pip_install.rs

@@ -8776,3 +8776,27 @@ fn no_sources_workspace_discovery() -> Result<()> {
 
     Ok(())
 }
+
+#[test]
+fn unknown_git_schema() {
+    let context = TestContext::new("3.12");
+    // Reverse direction: Check that we switch back to the workspace package with `--upgrade`.
+    uv_snapshot!(context.filters(), context.pip_install()
+        .arg("git+fantasy:/foo"), @r###"
+    success: false
+    exit_code: 2
+    ----- stdout -----
+
+    ----- stderr -----
+    error: Git operation failed
+      Caused by: failed to clone into: [CACHE_DIR]/git-v0/db/e97623e3dc7167a2
+      Caused by: process didn't exit successfully: `/usr/bin/git fetch --force --update-head-ok 'fantasy:/foo' '+HEAD:refs/remotes/origin/HEAD'` (exit status: 128)
+    --- stderr
+    ssh: Could not resolve hostname fantasy: Name or service not known
+    fatal: Could not read from remote repository.
+
+    Please make sure you have the correct access rights
+    and the repository exists.
+    "###
+    );
+}

crates/uv/tests/it/sync.rs

@@ -7615,3 +7615,37 @@ fn sync_locked_script() -> Result<()> {
 
     Ok(())
 }
+
+#[test]
+fn unsupported_git_scheme() -> Result<()> {
+    let context = TestContext::new_with_versions(&["3.12"]);
+
+    let pyproject_toml = context.temp_dir.child("pyproject.toml");
+    pyproject_toml.write_str(indoc! {r#"
+        [project]
+        name = "foo"
+        version = "0.1.0"
+        requires-python = ">=3.12"
+        dependencies = ["foo"]
+
+        [tool.uv.sources]
+        # `c:/...` looks like an absolute path, but this field requires a URL such as `file:///...`.
+        foo = { git = "c:/home/ferris/projects/foo", rev = "7701ffcbae245819b828dc5f885a5201158897ef" }
+        "#},
+    )?;
+
+    uv_snapshot!(context.filters(), context.sync(), @r###"
+    success: false
+    exit_code: 2
+    ----- stdout -----
+
+    ----- stderr -----
+    error: Failed to parse: `pyproject.toml`
+      Caused by: TOML parse error at line 9, column 7
+      |
+    9 | foo = { git = "c:/home/ferris/projects/foo", rev = "7701ffcbae245819b828dc5f885a5201158897ef" }
+      |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+    Unsupported git URL scheme `c:` in `c:/home/ferris/projects/foo`, only `https:`, `ssh:` and `file:` are supported
+    "###);
+    Ok(())
+}