rust: correctly validate symlinks with relative directory references

indygreg · indygreg · commit ef75ffdc1762 · 2024-02-24T18:04:28.000-08:00
We never had these before. But I plan on adding them as part of shipping
the terminfo database. This change is needed to avoid false validation
errors if there are symlinks with e.g. `/../` in them.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -14,11 +14,12 @@ flate2 = "1.0.28"
 futures = "0.3.30"
 goblin = "0.8.0"
 hex = "0.4.3"
+normalize-path = "0.2.1"
 object = "0.32.2"
 octocrab = { version = "0.19.0", features = ["rustls"] }
 once_cell = "1.19.0"
 rayon = "1.8.1"
-reqwest = {version = "0.11.24", features = ["rustls"] }
+reqwest = { version = "0.11.24", features = ["rustls"] }
 scroll = "0.12.0"
 semver = "1.0.22"
 serde_json = "1.0.114"
diff --git a/src/validation.rs b/src/validation.rs
@@ -6,6 +6,7 @@ use {
     crate::{json::*, macho::*},
     anyhow::{anyhow, Context, Result},
     clap::ArgMatches,
+    normalize_path::NormalizePath,
     object::{
         elf::{
             FileHeader32, FileHeader64, ET_DYN, ET_EXEC, STB_GLOBAL, STB_WEAK, STV_DEFAULT,
@@ -1675,7 +1676,9 @@ fn validate_distribution(
         seen_paths.insert(path.clone());
 
         if let Some(link_name) = entry.link_name()? {
-            seen_symlink_targets.insert(path.parent().unwrap().join(link_name));
+            let target = path.parent().unwrap().join(link_name).normalize();
+
+            seen_symlink_targets.insert(target);
         }
 
         // If this path starts with a path referenced in wanted_python_paths,
