Disallow writing symlinks outside the source distribution target directory

2025-07-07 13:25:00 +00:00 · 2025-03-17 22:27:14 -04:00 · 2025-03-17 22:27:14 -04:00 · fe1d913c8d
commit fe1d913c8d
parent e0f81f0d4a
3 changed files with 10 additions and 5 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -164,9 +164,9 @@ dependencies = [

 [[package]]
 name = "astral-tokio-tar"
-version = "0.5.1"
+version = "0.5.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "65152cbda42e8ab5ecff69e8811e8333d69188c7d5c41e3eedb8d127e3f23b27"
+checksum = "1abb2bfba199d9ec4759b797115ba6ae435bdd920ce99783bb53aeff57ba919b"
 dependencies = [
 "filetime",
 "futures-core",
@ -697,7 +697,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "117725a109d387c937a1533ce01b450cbde6b88abceea8473c4d7a85853cda3c"
 dependencies = [
 "lazy_static",
- "windows-sys 0.48.0",
+ "windows-sys 0.59.0",
 ]

 [[package]]
@ -6118,7 +6118,7 @@ version = "0.1.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "cf221c93e13a30d793f7645a0e7762c55d169dbb0a49671918a2319d289b10bb"
 dependencies = [
- "windows-sys 0.48.0",
+ "windows-sys 0.59.0",
 ]

 [[package]]
--- a/Cargo.toml
+++ b/Cargo.toml
@ -73,7 +73,7 @@ uv-workspace = { path = "crates/uv-workspace" }
 anstream = { version = "0.6.15" }
 anyhow = { version = "1.0.89" }
 arcstr = { version = "1.2.0" }
-astral-tokio-tar = { version = "0.5.1" }
+astral-tokio-tar = { version = "0.5.2" }
 async-channel = { version = "2.3.1" }
 async-compression = { version = "0.4.12", features = ["bzip2", "gzip", "xz", "zstd"] }
 async-trait = { version = "0.1.82" }
--- a/crates/uv-extract/src/stream.rs
+++ b/crates/uv-extract/src/stream.rs
@ -213,6 +213,7 @@ pub async fn untar_gz<R: tokio::io::AsyncRead + Unpin>(
    )
    .set_preserve_mtime(false)
    .set_preserve_permissions(false)
+    .set_allow_external_symlinks(false)
    .build();
    Ok(untar_in(archive, target.as_ref()).await?)
 }
@ -232,6 +233,7 @@ pub async fn untar_bz2<R: tokio::io::AsyncRead + Unpin>(
    )
    .set_preserve_mtime(false)
    .set_preserve_permissions(false)
+    .set_allow_external_symlinks(false)
    .build();
    Ok(untar_in(archive, target.as_ref()).await?)
 }
@ -251,6 +253,7 @@ pub async fn untar_zst<R: tokio::io::AsyncRead + Unpin>(
    )
    .set_preserve_mtime(false)
    .set_preserve_permissions(false)
+    .set_allow_external_symlinks(false)
    .build();
    Ok(untar_in(archive, target.as_ref()).await?)
 }
@ -270,6 +273,7 @@ pub async fn untar_xz<R: tokio::io::AsyncRead + Unpin>(
    )
    .set_preserve_mtime(false)
    .set_preserve_permissions(false)
+    .set_allow_external_symlinks(false)
    .build();
    untar_in(archive, target.as_ref()).await?;
    Ok(())
@ -288,6 +292,7 @@ pub async fn untar<R: tokio::io::AsyncRead + Unpin>(
        tokio_tar::ArchiveBuilder::new(&mut reader as &mut (dyn tokio::io::AsyncRead + Unpin))
            .set_preserve_mtime(false)
            .set_preserve_permissions(false)
+            .set_allow_external_symlinks(false)
            .build();
    untar_in(archive, target.as_ref()).await?;
    Ok(())