Avoid calling normalize_path with relative paths that extend beyond the current directory (#3013)

## Summary

It turns out that `normalize_path` (sourced from Cargo) has a subtle
bug. If you pass it a relative path that traverses beyond the root, it
silently drops components. For example, given `../foo/bar`, it just
drops the leading `..` and returns `foo/bar`.

This PR encodes that behavior as a `Result` and avoids using it in such
cases.

Closes https://github.com/astral-sh/uv/issues/3012.
Charlie Marsh 2024-04-12 14:48:03 -04:00 committed by GitHub
parent d2da575c41
commit c43757ad4c
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
8 changed files with 80 additions and 14 deletions


@ -488,12 +488,10 @@ impl InterpreterInfo {
/// unless the Python executable changes, so we use the executable's last modified
/// time as a cache key.
pub(crate) fn query_cached(executable: &Path, cache: &Cache) -> Result<Self, Error> {
let executable_bytes = executable.as_os_str().as_encoded_bytes();
let cache_entry = cache.entry(
CacheBucket::Interpreter,
"",
format!("{}.msgpack", digest(&executable_bytes)),
format!("{}.msgpack", digest(&executable)),
);
let modified = Timestamp::from_path(uv_fs::canonicalize_executable(executable)?)?;