fix(internal/fetch): add support for symlink extraction#6321
Merged
Conversation
Contributor
There was a problem hiding this comment.
Code Review
This pull request adds support for extracting symlinks from tarballs in extractTarball and introduces a new error errUnsupportedFileType for unsupported tar header types. It also updates and expands the test suite to verify these changes, including testing for specific error types and symlink extraction. However, a critical security vulnerability was identified: extracting symlinks without validation poses a path traversal (Zip Slip) risk. You should validate that both the target path and the symlink's target do not resolve to paths outside the destination directory.
jskeet
approved these changes
Jun 5, 2026
jskeet
left a comment
Contributor
There was a problem hiding this comment.
Mostly fine (thanks!) - just two questions.
jskeet
approved these changes
Jun 5, 2026
jskeet
left a comment
Contributor
There was a problem hiding this comment.
I think this is probably okay, even though it's overly restrictive - if we get any tarballs which fail due to having a file like "a..b" (as a symlink target) we can address it at that point.
jskeet
pushed a commit
that referenced
this pull request
Jun 9, 2026
🤖 I have created a release *beep* *boop* --- ## [0.17.0](v0.16.0...v0.17.0) (2026-06-09) ### Features * **internal/cache:** add `BinDirectory` and `LIBRARIAN_BIN` override ([#6315](#6315)) ([ac43e52](ac43e52)), closes [#5850](#5850) [#6199](#6199) * **librarian:** add `Discovery` field to Swift config ([#6320](#6320)) ([2ee0a36](2ee0a36)) * **nodejs:** update gapic generator to v4.12.0 ([#6341](#6341)) ([fae4158](fae4158)) * **sidekick/rust:** use consolidated `LroRecorder` in tracing decorator ([#6259](#6259)) ([0d318a9](0d318a9)) * **sidekick/swift:** generate `with` helper ([#6309](#6309)) ([36d2aa1](36d2aa1)) * **sidekick/swift:** map-based pagination ([#6268](#6268)) ([082e996](082e996)) ### Bug Fixes * **internal/command:** look up executables in custom path environments ([#6273](#6273)) ([7278ace](7278ace)), closes [#6271](#6271) * **internal/fetch:** add support for symlink extraction ([#6321](#6321)) ([7fa61e4](7fa61e4)), closes [#6313](#6313) * **internal/librarian/java:** allow omitting ReleasedVersion with fill and tidy ([#6274](#6274)) ([9552dcd](9552dcd)), closes [#6244](#6244) * **internal/librarian:** disable API path derive for Java ([#6287](#6287)) ([bb3119f](bb3119f)) * **librarian/internal/java:** explicitly list released_version as config ([5917f20](5917f20)) * **librarian/swift:** configuration fields ([#6316](#6316)) ([a1bd1c2](a1bd1c2)) * **nodejs:** manually create symlinks during librarian install ([#6314](#6314)) ([bbdc773](bbdc773)), closes [#6312](#6312) * **nodejs:** remove google/cloud/common_resources.proto after generation ([#6333](#6333)) ([6a9e325](6a9e325)), closes [#6024](#6024) * **python:** avoid adding to existing core lib ([#6324](#6324)) ([9ebe312](9ebe312)) * **sidekick/rust:** fix tracing template generation for discovery-based LROs ([#6258](#6258)) ([33ef923](33ef923)) * **sidekick/swift:** warnings in snippets ([#6284](#6284)) ([23bfa8d](23bfa8d)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: release-please[bot] <55107282+release-please[bot]@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The
extractTarballfunction has been refactored to support extracting symlink headers (tar.TypeSymlink) viaos.Symlink.It now also explicitly rejects unsupported file types (like block devices) by returning a new
errUnsupportedFileTypeerror instead of silently skipping them.Unit tests have been added to verify successful symlink extraction (TestExtractTarball_Symlink) and correct error handling of unsupported files. The existing
TestExtractTarball_PathErrorhas been fixed to resolve compilation errors and to correctly assert*fs.PathErrorusing errors.As.Fixes #6313