Skip to content

component manifest paths can escape the toolchain install prefix #4943

Description

@cachebag

manifest.in component paths appear to be trusted after decoding. ComponentPart::decode() converts the path string directly into a PathBuf, and transaction operations only guard with relpath.is_relative(). However, paths containing parent components like ../outside are still relative.

Those paths are later joined with the install prefix via InstallPrefix::abs_path(), so a component manifest entry such as:

file:../outside-file

can target a path outside the toolchain directory during install. Those paths are persisted into component manifests and can later be used during uninstall; rollback also uses the recorded transaction paths.

path: PathBuf::from(path_str.as_ref()),

assert!(relpath.is_relative());
let abs_path = ChangedItem::dest_abs_path(&self.prefix, component, &relpath)?;
utils::rename("component", src, &abs_path, self.permit_copy_rename)?;

Ideally, component manifest paths should be confined to the toolchain install prefix. Absolute paths, prefix paths, empty paths, and paths containing .. should be rejected as corrupt component manifests.

It may also be worth validating that the package source path stays under the extracted package root.

Ref:

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions