diff --git a/Cargo.toml b/Cargo.toml
index 817c5c62b..704a99f5f 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -75,7 +75,7 @@ uv-workspace = { path = "crates/uv-workspace" }
 anstream = { version = "0.6.15" }
 anyhow = { version = "1.0.89" }
 arcstr = { version = "1.2.0" }
-astral-tokio-tar = { version = "0.5.1" }
+astral-tokio-tar = { version = "0.5.2" }
 async-channel = { version = "2.3.1" }
 async-compression = { version = "0.4.12", features = ["bzip2", "gzip", "xz", "zstd"] }
 async-trait = { version = "0.1.82" }
diff --git a/crates/uv-extract/src/stream.rs b/crates/uv-extract/src/stream.rs
index bed8f43bf..f7fc797d7 100644
--- a/crates/uv-extract/src/stream.rs
+++ b/crates/uv-extract/src/stream.rs
@@ -236,6 +236,7 @@ pub async fn untar_gz(
 )
 .set_preserve_mtime(false)
 .set_preserve_permissions(false)
+ .set_allow_external_symlinks(false)
 .build();
 Ok(untar_in(archive, target.as_ref()).await?)
 }
@@ -255,6 +256,7 @@ pub async fn untar_bz2(
 )
 .set_preserve_mtime(false)
 .set_preserve_permissions(false)
+ .set_allow_external_symlinks(false)
 .build();
 Ok(untar_in(archive, target.as_ref()).await?)
 }
@@ -274,6 +276,7 @@ pub async fn untar_zst(
 )
 .set_preserve_mtime(false)
 .set_preserve_permissions(false)
+ .set_allow_external_symlinks(false)
 .build();
 Ok(untar_in(archive, target.as_ref()).await?)
 }
@@ -293,6 +296,7 @@ pub async fn untar_xz(
 )
 .set_preserve_mtime(false)
 .set_preserve_permissions(false)
+ .set_allow_external_symlinks(false)
 .build();
 untar_in(archive, target.as_ref()).await?;
 Ok(())
@@ -311,6 +315,7 @@ pub async fn untar(
 tokio_tar::ArchiveBuilder::new(&mut reader as &mut (dyn tokio::io::AsyncRead + Unpin))
 .set_preserve_mtime(false)
 .set_preserve_permissions(false)
+ .set_allow_external_symlinks(false)
 .build();
 untar_in(archive, target.as_ref()).await?;
 Ok(())
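Review bot: The five added `.set_allow_external_symlinks(false)` calls (in untar_gz, untar_bz2, untar_zst, untar_xz and untar) have no comment recording why the option is set, and nothing in this diff tests it. A short comment above the call, such as `// Archives are untrusted input: refuse symlinks whose target lies outside the extraction directory.`, would keep a later refactor from dropping it, and a regression test that unpacks a fixture containing such a symlink would pin the behaviour for each format. Because the same three-option builder chain is now repeated in five places, a decompressor added later could omit the setting and fall back to the library default; building the archive through one shared function would remove that risk. All five function bodies start outside their hunks, so what untar_in itself checks is not visible here.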