fix(sevenz): restore allow_absolute_paths for 7z with sevenz-rust2 0.21.1#375
Merged
Conversation
…olute_paths for 7z sevenz-rust2 0.21.1 adds a path-safety check inside decompress_with_extract_fn that blocks absolute-path entries before our callback runs. This breaks the allow_absolute_paths flag for 7z archives because EntryValidator never sees those entries. Switch extract_with_callback to use ArchiveReader::for_each_entries directly. That API has no built-in path check, so our EntryValidator remains the sole and authoritative guard for path security (traversal, absolute paths, symlinks). Also bumps anyhow (UB fix in Error::downcast_mut), napi, napi-derive, and sevenz-rust2 to their latest patch releases via Cargo.lock. Fixes #374
github-actions
Bot
added
core
5 tasks
bug-ops
added a commit
that referenced
this pull request
Jun 29, 2026
…, #365) (#377) On Unix, entry names containing `\` (e.g. `..\..\\x`) were treated as a single path component by std's PathBuf, bypassing traversal detection in SafePath::validate. The upstream sevenz-rust2 safe_join that previously rejected these was removed in #375 when switching to for_each_entries. Add `formats::common::normalize_entry_name` that replaces `\` with `/` before PathBuf construction. Apply it in all three 7z entry-name sites: the extraction pre-validation loop, the extraction callback, and the list/verify path in inspection/list.rs. This ensures extract, list, and verify all agree on traversal detection. ZIP is unaffected (zip crate handles Windows paths internally via enclosed_name). TAR is correctly left un-normalized (`\` is a legal Unix filename character in TAR). Closes #376 Closes #365
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
anyhow1.0.102→1.0.103 (fixes UB inError::downcast_mut),napi3.9.3→3.9.4,napi-derive3.5.6→3.5.7,sevenz-rust20.20.0→0.21.1 (security fix: path traversal in 7z)sevenz-rust20.21.1 upgrade (chore(deps): bump the minor-and-patch group with 4 updates #374)Root cause
sevenz-rust20.21.1 added a path-safety check insidedecompress_with_extract_fnthat rejects entries whose resolved path escapes the destination directory. The check fires before the caller's extraction callback is invoked, soEntryValidatornever sees absolute-path entries. This broketest_7z_absolute_path_with_flag_writes_to_destacross all platforms.Fix
Switch
extract_with_callbackto callArchiveReader::for_each_entriesdirectly. That lower-level API has no built-in path check, soEntryValidatorremains the sole authoritative guard for path security (traversal prevention, absolute-path stripping, symlink rejection). All existing security properties are preserved.Test plan
cargo nextest run -p exarch-core -- test_7z_absolute_path— all 3 tests passcargo nextest run --workspace --all-features --exclude exarch-python --exclude exarch-node— 931/931 passcargo +nightly fmt --all -- --check— cleancargo clippy --workspace --all-targets --all-features -- -D warnings— clean