[ci-fix] Needs review: Accept UnauthorizedAccessException or IOException in Tar chained-symlink traversal test on Windows (refs #130177)#130231
Draft
github-actions[bot] wants to merge 1 commit into
Conversation
…ink test on Windows The ExtractToDirectory_RejectsChainedSymlinkDirectoryTraversal_WithNestedFile test intermittently fails on Windows (~0.25%) because the colliding directory creation during a rejected traversal can surface as IOException instead of UnauthorizedAccessException depending on extraction ordering. Both exceptions mean the traversal was rejected; the post-extraction assertions still verify nothing escaped the destination. Refs #130177 Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Contributor
|
Tagging subscribers to this area: @dotnet/area-system-formats-tar |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Workflow artifact: ci-fix
Artifact kind: help
Linked KBE: #130177
Note
This is an AI/Copilot-generated best-effort fix attempt that I could not fully validate (no clr+libs baseline build was possible in this environment). It is a starting point for a maintainer, not a finished change. Please review the analysis below before merging.
Root cause (best analysis)
TarFile_ExtractToDirectory_File_Tests.ExtractToDirectory_RejectsChainedSymlinkDirectoryTraversal_WithNestedFilefails intermittently on Windows only (~0.25% of runs, seen across many unrelated PR builds), with:The test builds a malicious archive whose chained symlinks (
a/b -> .,a/b/c -> .,a/b/c/d -> ../../outside) attempt to escape the destination, then asserts that extraction throws. On Windows the rejection normally surfaces asUnauthorizedAccessException(attempting to traverse a directory symlink), but depending on the order in which the colliding entries are materialized, the same rejection can surface fromDirectory.CreateDirectoryasIOException("a file or directory with the same name already exists"). Both exceptions mean the traversal was rejected before anything escaped — the post-extraction assertions (outside/andpwned.txtnot created) already guarantee the security property and are not part of the failure.The
Assert.Throws<UnauthorizedAccessException>is therefore over-specified: it pins one of two equally-safe rejection paths.Attempted fix
On the Windows branch, accept either
UnauthorizedAccessExceptionorIOException(still requiring that extraction throws). The non-Windows branch and the security post-conditions are unchanged, so the test keeps validating that the traversal is blocked and that nothing escapes the destination.What is unverified / where I need help
IOExceptionpath is genuinely always a safe rejection (i.e. never a case where the malicious file is partially written) — the existingAssert.False(... outside/pwned.txt ...)checks suggest it is, but a Tar owner should confirm this is the intended contract rather than a symptom of a deeper extraction-ordering bug worth fixing in the product.Validation
dotnet build /t:test src/libraries/System.Formats.Tar/tests/System.Formats.Tar.Tests.csproj— not run because a fullclr+libsbaseline build (prerequisite for the test host) exceeds this environment's time budget and background builds are unavailable.Assert.ThrowsAny,OperatingSystem.IsWindows, C# type patterns).Evidence
Help wanted
area-System.Formats.Tar):@karelz,@dotnet/area-system-formats-tarFiled by
ci-failure-fix. Comment here or on the workflow file to suggest changes;ci-failure-scan-feedbackreads in-scope feedback daily and opens (or updates) a PR with prompt edits.Note
🔒 Integrity filter blocked 6 items
The following items were blocked because they don't meet the GitHub integrity level.
search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".search_issues: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".issue_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".issue_read: has lower integrity than agent requires. The agent cannot read data with integrity below "approved".To allow these resources, lower
min-integrityin your GitHub frontmatter: