Build backend: Normalize glob paths (#13465)

Unlike OS APIs, glob inclusion checks don't work when there are relative path elements such as `./`. We normalize the path before using it for the glob. Fixes #13407
2025-10-14 12:29:04 +00:00 · 2025-05-15 17:19:02 +02:00 · 2025-05-15 17:19:02 +02:00 · 18a1f0d9db
commit 18a1f0d9db
parent 7a83f51de2
3 changed files with 94 additions and 21 deletions
--- a/crates/uv-build-backend/src/lib.rs
+++ b/crates/uv-build-backend/src/lib.rs
@ -85,8 +85,9 @@ pub enum Error {
        module_name: Identifier,
        paths: Vec<PathBuf>,
    },
-    #[error("Absolute module root is not allowed: `{}`", _0.display())]
-    AbsoluteModuleRoot(PathBuf),
+    /// Either an absolute path or a parent path through `..`.
+    #[error("Module root must be inside the project: `{}`", _0.user_display())]
+    InvalidModuleRoot(PathBuf),
    #[error("Inconsistent metadata between prepare and build step: `{0}`")]
    InconsistentSteps(&'static str),
    #[error("Failed to write to {}", _0.user_display())]
@ -203,12 +204,10 @@ fn find_roots(
    relative_module_root: &Path,
    module_name: Option<&Identifier>,
 ) -> Result<(PathBuf, PathBuf), Error> {
-    if relative_module_root.is_absolute() {
-        return Err(Error::AbsoluteModuleRoot(
-            relative_module_root.to_path_buf(),
-        ));
+    let src_root = source_tree.join(uv_fs::normalize_path(relative_module_root));
+    if !src_root.starts_with(source_tree) {
+        return Err(Error::InvalidModuleRoot(relative_module_root.to_path_buf()));
    }
-    let src_root = source_tree.join(relative_module_root);

    let module_name = if let Some(module_name) = module_name {
        module_name.clone()
@ -288,6 +287,7 @@ mod tests {
    /// source tree -> wheel
    /// and a build with
    /// source tree -> source dist -> wheel.
+    #[derive(Debug, PartialEq, Eq)]
    struct BuildResults {
        source_dist_list_files: FileList,
        source_dist_filename: SourceDistFilename,
@ -694,4 +694,73 @@ mod tests {
        Version: 1.0.0
        "###);
    }
+
+    /// Check that non-normalized paths for `module-root` work with the glob inclusions.
+    #[test]
+    fn test_glob_path_normalization() {
+        let src = TempDir::new().unwrap();
+        fs_err::write(
+            src.path().join("pyproject.toml"),
+            indoc! {r#"
+            [project]
+            name = "two-step-build"
+            version = "1.0.0"
+
+            [build-system]
+            requires = ["uv_build>=0.5.15,<0.6"]
+            build-backend = "uv_build"
+
+            [tool.uv.build-backend]
+            module-root = "./"
+            "#
+            },
+        )
+        .unwrap();
+
+        fs_err::create_dir_all(src.path().join("two_step_build")).unwrap();
+        File::create(src.path().join("two_step_build").join("__init__.py")).unwrap();
+
+        let dist = TempDir::new().unwrap();
+        let build1 = build(src.path(), dist.path());
+
+        assert_snapshot!(build1.source_dist_contents.join("\n"), @r"
+        two_step_build-1.0.0/
+        two_step_build-1.0.0/PKG-INFO
+        two_step_build-1.0.0/pyproject.toml
+        two_step_build-1.0.0/two_step_build
+        two_step_build-1.0.0/two_step_build/__init__.py
+        ");
+
+        assert_snapshot!(build1.wheel_contents.join("\n"), @r"
+        two_step_build-1.0.0.dist-info/
+        two_step_build-1.0.0.dist-info/METADATA
+        two_step_build-1.0.0.dist-info/RECORD
+        two_step_build-1.0.0.dist-info/WHEEL
+        two_step_build/
+        two_step_build/__init__.py
+        ");
+
+        // A path with a parent reference.
+        fs_err::write(
+            src.path().join("pyproject.toml"),
+            indoc! {r#"
+            [project]
+            name = "two-step-build"
+            version = "1.0.0"
+
+            [build-system]
+            requires = ["uv_build>=0.5.15,<0.6"]
+            build-backend = "uv_build"
+
+            [tool.uv.build-backend]
+            module-root = "two_step_build/.././"
+            "#
+            },
+        )
+        .unwrap();
+
+        let dist = TempDir::new().unwrap();
+        let build2 = build(src.path(), dist.path());
+        assert_eq!(build1, build2);
+    }
 }
--- a/crates/uv-build-backend/src/source_dist.rs
+++ b/crates/uv-build-backend/src/source_dist.rs
@ -79,12 +79,10 @@ fn source_dist_matcher(

    // The wheel must not include any files included by the source distribution (at least until we
    // have files generated in the source dist -> wheel build step).
-    let import_path = &settings
-        .module_root
-        .join(module_name.as_ref())
+    let import_path = uv_fs::normalize_path(&settings.module_root.join(module_name.as_ref()))
        .portable_display()
        .to_string();
-    includes.push(format!("{}/**", globset::escape(import_path)));
+    includes.push(format!("{}/**", globset::escape(&import_path)));
    for include in includes {
        let glob = PortableGlobParser::Uv
            .parse(&include)
@ -92,7 +90,7 @@ fn source_dist_matcher(
                field: "tool.uv.build-backend.source-include".to_string(),
                source: err,
            })?;
-        include_globs.push(glob.clone());
+        include_globs.push(glob);
    }

    // Include the Readme
@ -101,11 +99,11 @@ fn source_dist_matcher(
        .as_ref()
        .and_then(|readme| readme.path())
    {
+        let readme = uv_fs::normalize_path(readme);
        trace!("Including readme at: `{}`", readme.user_display());
-        include_globs.push(
-            Glob::new(&globset::escape(&readme.portable_display().to_string()))
-                .expect("escaped globset is parseable"),
-        );
+        let readme = readme.portable_display().to_string();
+        let glob = Glob::new(&globset::escape(&readme)).expect("escaped globset is parseable");
+        include_globs.push(glob);
    }

    // Include the license files
@ -122,13 +120,19 @@ fn source_dist_matcher(

    // Include the data files
    for (name, directory) in settings.data.iter() {
+        let directory = uv_fs::normalize_path(Path::new(directory));
+        trace!(
+            "Including data ({}) at: `{}`",
+            name,
+            directory.user_display()
+        );
+        let directory = directory.portable_display().to_string();
        let glob = PortableGlobParser::Uv
-            .parse(&format!("{}/**", globset::escape(directory)))
+            .parse(&format!("{}/**", globset::escape(&directory)))
            .map_err(|err| Error::PortableGlob {
                field: format!("tool.uv.build-backend.data.{name}"),
                source: err,
            })?;
-        trace!("Including data ({name}) at: `{directory}`");
        include_globs.push(glob);
    }

--- a/crates/uv-build-backend/src/wheel.rs
+++ b/crates/uv-build-backend/src/wheel.rs
@ -268,10 +268,10 @@ pub fn build_editable(
    let mut wheel_writer = ZipDirectoryWriter::new_wheel(File::create(&wheel_path)?);

    debug!("Adding pth file to {}", wheel_path.user_display());
-    if settings.module_root.is_absolute() {
-        return Err(Error::AbsoluteModuleRoot(settings.module_root.clone()));
+    let src_root = source_tree.join(&settings.module_root);
+    if !src_root.starts_with(source_tree) {
+        return Err(Error::InvalidModuleRoot(settings.module_root.clone()));
    }
-    let src_root = source_tree.join(settings.module_root);

    let module_name = if let Some(module_name) = settings.module_name {
        module_name