…E-2025-48387

Add `crates/exarch-core/tests/security/cve_regression.rs` with 11 integration tests covering three missing CVE attack vectors and Windows backslash path handling:

- CVE-2024-12718: Python tarfile `filter='data'` bypass via `./..`-prefixed paths. Archives are constructed at the raw byte level (bypassing the `tar` crate's path sanitiser) to reproduce attacker-controlled inputs. Three tests cover the `./../../etc/passwd`, `foo/./bar/../../../` pattern, and a parameterised variant table.
- CVE-2024-12905: tar-fs symlink chain escape. Two tests verify that a symlink pointing outside the destination is rejected under default config (SecurityViolation) and with `allow_symlinks = true` (SymlinkEscape). A third test covers a deeper symlink chain (`a/b/link -> ../../../../outside`).
- CVE-2025-48387: tar-fs hardlink traversal outside destination. Three tests cover default config rejection (SecurityViolation), enabled-hardlinks rejection (HardlinkEscape), and absolute hardlink target rejection.
- Windows backslash path handling: on Windows the `\`-separated paths with `..` components are rejected as traversal; on Unix the same byte sequences are treated as single-component filenames and land safely inside the destination.

Wire up the new module by adding `mod security;` to `crates/exarch-core/tests/integration_tests.rs`. The workspace-root `tests/security/` directory was previously orphaned (no package Cargo.toml attaches those files to a test binary).

Closes #74
735df97 to 86d6beb
Summary

- `crates/exarch-core/tests/security/cve_regression.rs` with 11 integration tests for three missing CVE attack vectors and Windows backslash path handling
- `mod security;` in `crates/exarch-core/tests/integration_tests.rs` (the workspace-root `tests/security/` was previously orphaned — no package attached those files to a test binary)

CVE coverage

- `filter='data'` bypass via `./..`-prefixed paths
- `link -> ../outside`)
- `\` separator on Unix vs Windows)

Archives containing raw `..` path components are constructed at the byte level (`make_raw_tar` helper) to reproduce attacker-controlled inputs, since safe TAR builder APIs refuse to add `..` components.

Test plan

- `cargo +nightly fmt --all -- --check` passes
- `cargo clippy --all-targets --all-features --workspace -- -D warnings` passes
- `cargo nextest run --workspace --all-features --exclude exarch-python --exclude exarch-node --lib --bins` — 540 tests pass
- `cargo test --package exarch-core --test integration_tests --all-features` — 20 tests pass (9 existing + 11 new)

Closes #74
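The byte-level construction the description mentions, paired with a lexical containment check, as an added example that is not the PR's `make_raw_tar` helper or exarch's code. The names `raw_header`, `field`, `walk`, `check` and `Verdict` are hypothetical, and the check assumes symlinks and hardlinks are enabled, so it reports the specific escape kind rather than `SecurityViolation`.

```rust
#[derive(Debug, PartialEq)]
enum Verdict { Safe, PathTraversal, SymlinkEscape, HardlinkEscape }

/// Hypothetical helper (added example): hand-build one 512-byte ustar header
/// so `..` components reach the checker intact. All inputs are constructed.
fn raw_header(name: &[u8], typeflag: u8, link: &[u8]) -> [u8; 512] {
    let mut h = [0u8; 512];
    h[..name.len()].copy_from_slice(name); // name field: bytes 0..100
    h[124..136].copy_from_slice(b"00000000000\0"); // size = 0
    h[156] = typeflag; // b'0' file, b'1' hardlink, b'2' symlink
    h[157..157 + link.len()].copy_from_slice(link); // linkname: bytes 157..257
    h[257..265].copy_from_slice(b"ustar\x0000"); // magic + version
    h[148..156].fill(b' '); // checksum is computed with its own field as spaces
    let sum: u32 = h.iter().map(|&b| u32::from(b)).sum();
    h[148..156].copy_from_slice(format!("{:06o}\0 ", sum).as_bytes());
    h
}

fn field(h: &[u8; 512], start: usize, len: usize) -> &[u8] {
    let f = &h[start..start + len];
    &f[..f.iter().position(|&b| b == 0).unwrap_or(len)] // stop at first NUL
}

/// Lexically walk `path` from `depth` directories below the destination root.
/// Returns the final depth, or None if it is absolute or climbs above the root.
fn walk(path: &[u8], mut depth: i32, bs_is_sep: bool) -> Option<i32> {
    let is_sep = |b: &u8| *b == b'/' || (bs_is_sep && *b == b'\\');
    if path.first().map_or(false, is_sep) { return None; }
    for comp in path.split(is_sep) {
        match comp {
            b"" | b"." => {}
            b".." => { depth -= 1; if depth < 0 { return None; } }
            _ => depth += 1,
        }
    }
    Some(depth)
}

/// Classify one header. Symlink targets resolve from the link's parent
/// directory; hardlink targets are archive paths from the destination root.
fn check(h: &[u8; 512], bs_is_sep: bool) -> Verdict {
    let depth = match walk(field(h, 0, 100), 0, bs_is_sep) { Some(d) => d, None => return Verdict::PathTraversal };
    let link = field(h, 157, 100);
    match h[156] {
        b'2' if walk(link, (depth - 1).max(0), bs_is_sep).is_none() => Verdict::SymlinkEscape,
        b'1' if walk(link, 0, bs_is_sep).is_none() => Verdict::HardlinkEscape,
        _ => Verdict::Safe,
    }
}

fn main() {
    println!("{:?}", check(&raw_header(b"./../../etc/passwd", b'0', b""), false));
}
```

The walk is purely lexical: it does not follow symlinks already on disk, so a real extractor also has to verify resolved paths at write time.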