Skip to content

fix(pre_seed): security hardening + tempdir permission fix#1199

Open
chaodu-agent wants to merge 5 commits into
mainfrom
fix/pre-seed-tempdir
Open

fix(pre_seed): security hardening + tempdir permission fix#1199
chaodu-agent wants to merge 5 commits into
mainfrom
fix/pre-seed-tempdir

Conversation

@chaodu-agent

@chaodu-agent chaodu-agent commented Jun 25, 2026
edited
Loading

Copy link
Copy Markdown
Collaborator

Fixes

# Severity Fix
F1 🔴 Symlink follow in permission modification — use symlink_metadata() instead of is_file() to prevent symlink-following attacks when setting permissions
F3 🟡 Target dir not createdcreate_dir_all(target) before tempdir_in(target) to avoid permission denied when target doesn't exist
F4 🟡 Symlinks followed in move_recursive — use symlink_metadata() and preserve symlinks as-is without following (prevents directory escape)
F5 🟡 Docs mismatch — update config-reference.md and hooks.md to reflect pre-seed is now default-on
Clippy — replace % N == 0 with .is_multiple_of(N) (Rust 1.96 lint)

Not Fixed (already safe)

F2 (path traversal): tar::Entry::unpack_in() already rejects .. components and absolute paths — no additional validation needed.

@chaodu-agent chaodu-agent requested a review from thepagent as a code owner June 25, 2026 09:54
@chaodu-agent chaodu-agent force-pushed the fix/pre-seed-tempdir branch from 032827d to 44bf90e Compare June 25, 2026 10:02
@chaodu-agent chaodu-agent changed the title fix(pre_seed): create tempdir inside target dir + clippy fix(pre_seed): security hardening + tempdir permission fix Jun 25, 2026
@chaodu-agent
fix(pre_seed): security hardening + tempdir fix + docs update
8c68a29 
F1 🔴: Use symlink_metadata() instead of is_file() when setting
    permissions — prevents symlink-following attacks on sensitive files.

F3 🟡: Create target dir with create_dir_all() before tempdir_in()
    to avoid 'Permission denied' when target doesn't exist yet.

F4 🟡: Use symlink_metadata() in move_recursive — preserve symlinks
    as-is without following them (prevents directory escape).

F5 🟡: Update docs to reflect pre-seed is now a default feature.

Note: F2 (path traversal) is already handled by tar::Entry::unpack_in()
which rejects '..' components and absolute paths.
@chaodu-agent chaodu-agent force-pushed the fix/pre-seed-tempdir branch from 44bf90e to 8c68a29 Compare June 25, 2026 10:10
@chaodu-agent
fix: remove dead #[cfg(not(unix))] blocks that never compile
3d4606b 
The #[cfg(unix)] #[cfg(not(unix))] stacked attributes are contradictory and
produce unreachable code on all platforms. The blocks also reference undefined
variables (link_target, src_path, dst_path). The non-unix symlink fallback is
already handled by create_symlink_or_copy() in move_recursive.
@chaodu-agent
fix: harden symlink validation and strip suid/sgid in zip extraction
89b4951 
- Reject symlinks with absolute targets or .. components in move_recursive
- Remove tarball symlinks with escaping targets after unpack_in
- Strip suid/sgid/sticky bits (& 0o0777) in zip permission path (was
  already done for tarball)
@chaodu-agent

This comment has been minimized.

Sign in to view
@chaodu-agent
fix(review): symlink handling correctness + test coverage
23c49a3 
- Fix remove_file failing on existing directories in move_recursive
  symlink branch (use symlink_metadata to decide remove_dir_all vs
  remove_file)
- Fix non-Unix fallback in create_symlink_or_copy silently dropping
  entries when resolved target doesn't exist (now returns error)
- Add tests: move_recursive preserves symlinks, symlink overwrites
  existing dir, tempdir strategy with non-writable parent, deep target
  creation
@chaodu-agent
fix(review): correct tempdir regression test
563ec30 
Test now creates target dir (writable) then locks parent to read-only,
verifying tempdir_in(target) succeeds where old tempdir_in(parent)
would fail.
@chaodu-agent

chaodu-agent commented Jun 25, 2026

Copy link
Copy Markdown
Collaborator Author

LGTM ✅ — Security hardening is solid, all critical findings from prior round have been addressed.

What This PR Does

Hardens the pre_seed module against symlink-following attacks, fixes a tempdir creation failure when target directory does not yet exist, updates docs to reflect pre-seed is now default-on, and applies a Clippy lint fix.

How It Works

  • Uses symlink_metadata() instead of is_file() / is_dir() to avoid following symlinks when setting permissions and during recursive move
  • Adds create_dir_all(target) before tempdir_in(target) to ensure the target exists and keeps temp files on the same filesystem
  • Introduces create_symlink_or_copy() to preserve symlinks on Unix; rejects escaping targets (absolute/..); errors on non-Unix when resolved target is missing
  • move_recursive symlink branch correctly handles existing destinations (dir vs file) before replacing
  • Updates docs (config-reference.md, hooks.md) to remove stale feature-flag language

Findings

# Severity Finding Location
1 🟢 create_dir_all(target) + tempdir_in(target) correctly fixes parent-not-writable case, keeps extraction on same filesystem pre_seed.rs:175-176
2 🟢 symlink_metadata() in tarball extraction prevents chmod on symlink targets pre_seed.rs:310
3 🟢 move_recursive symlink branch correctly distinguishes dir vs file via symlink_metadata, uses remove_dir_all vs remove_file pre_seed.rs:389-408
4 🟢 create_symlink_or_copy rejects escaping targets (absolute/..) and errors on non-Unix when resolved target missing — no silent data loss pre_seed.rs:343-378
5 🟢 Tarball symlink escaping: absolute/.. targets removed + warned pre_seed.rs:302-321
6 🟢 Zip permissions strip suid/sgid/sticky (& 0o0777) pre_seed.rs:259
7 🟢 .is_multiple_of(N) — clean Clippy fix pre_seed.rs:225,289
8 🟢 4 Unix tests cover: symlink preservation, symlink overwriting existing dir, tempdir with non-writable parent (regression), deep target creation pre_seed.rs tests
9 🟢 Docs update for pre-seed default-on is accurate for binary consumers docs/
10 🟡 Docs say "pre-seed is enabled by default" — true for the binary but openab-core crate still has it as opt-in feature. Consider noting this for library consumers config-reference.md:248, hooks.md:21
Finding Details

🟡 F10: Docs slightly inaccurate for crate consumers

The docs state "pre-seed is enabled by default. No feature flag needed." This is accurate for the OpenAB binary (which enables the feature), but library consumers of openab-core still need features = ["pre-seed"]. Consider adding a note for library users. Non-blocking — the docs target end-users of the binary.

Baseline Check
  • PR opened: 2026-06-25
  • Author: chaodu-agent (self-fix PR addressing prior review findings)
  • Main already has: pre_seed.rs with tarball/zip extraction, move_recursive, permission setting
  • Net-new value: symlink attack hardening, tempdir placement fix, regression tests, docs accuracy
What's Good (🟢)
  • Comprehensive symlink defense: metadata-based detection, escaping target rejection, proper cleanup
  • Same-filesystem tempdir avoids cross-device rename overhead
  • Test coverage for all new code paths including edge cases
  • Clean separation of Unix vs non-Unix behavior in create_symlink_or_copy
  • Defensive create_dir_all(target) ensures robustness in constrained environments

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@thepagent thepagent Awaiting requested review from thepagent thepagent is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

pending-maintainer

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@chaodu-agent