Skip to content

Revert symlink target restrictions added in f942a706#28692

Closed
fmeum wants to merge 1 commit intobazelbuild:masterfrom
fmeum:revert-f942a706a39f9803e5611b1973172ece361197ac
Closed

Revert symlink target restrictions added in f942a706#28692
fmeum wants to merge 1 commit intobazelbuild:masterfrom
fmeum:revert-f942a706a39f9803e5611b1973172ece361197ac

Conversation

@fmeum
Copy link
Copy Markdown
Collaborator

@fmeum fmeum commented Feb 17, 2026

Description

Motivation

This breaks real use cases (bazelbuild/bazel-worker-api#21) and isn't security relevant as symlinks are created last and the way they are created doesn't itself follow symlinks.

Build API Changes

No

Checklist

  • I have added tests for the new use cases (if any).
  • I have updated the documentation (if applicable).

Release Notes

RELNOTES: Symlinks in .tar files can again contain up-level references. Symlinks in .zip files can again refer to absolute paths.

@fmeum
Revert symlink target restrictions added in f942a70
1aad5c2 
This breaks real use cases (bazelbuild/bazel-worker-api#21) and isn't security relevant as symlinks are created last and the way they are created doesn't itself follow symlinks.
@fmeum
Copy link
Copy Markdown
Collaborator Author

fmeum commented Feb 17, 2026

@meteorcloudy @meisterT These are the changes we should probably revert (see the linked issue). I won't have time for this today, but we should rewrite the test to simulate a more realistic "symlink attack" by e.g. creating a symlink to some absolute path and then trying to overwrite that file with another file or symlink via the symlink.

@fmeum
Copy link
Copy Markdown
Collaborator Author

fmeum commented Feb 17, 2026

@bazel-io fork 9.0.1

@fmeum
Copy link
Copy Markdown
Collaborator Author

fmeum commented Feb 17, 2026

@bazel-io fork 9.1.0

This was referenced Feb 17, 2026
Closed
Closed
@fmeum fmeum mentioned this pull request Feb 17, 2026
Closed
mbland added a commit to EngFlow-Academy/bzlmod-bootcamp that referenced this pull request Feb 18, 2026
@mbland
Fix bazel_worker_api, test_framework.sh breakages
dd52638 
Bumping bazel_worker_api to v0.0.10 resolves
bazelbuild/bazel-worker-api#21 (see also bazelbuild/bazel#28692):

```txt
ERROR: external/bazel_tools/tools/build_defs/repo/http.bzl:200:45:
  An error occurred during the fetch of repository 'bazel_worker_api+':

Traceback (most recent call last):
  File "external/bazel_tools/tools/build_defs/repo/http.bzl",
  line 200, column 45, in _http_archive_impl
    download_info = ctx.download_and_extract(

Error in download_and_extract: java.io.IOException: Error extracting
  external/bazel_worker_api+/temp685257769505461943/bazel-worker-api-v0.0.6.tar.gz
  to external/bazel_worker_api+/temp685257769505461943:
  Tar entries cannot refer to files outside of their directory:
  external/bazel_worker_api+/temp685257769505461943/bazel-worker-api-v0.0.6.tar.gz
  has a link bazel-worker-api-0.0.6/proto/.bazelversion
  pointing to ../.bazelversion
```

Regarding the `test_framework.sh` breakage on macOS, Bazel 9.0.0 flipped
`--incompatible_strict_action_env` to `true`.

- https://bazel.build/versions/8.5.0/reference/command-line-reference#flag--incompatible_strict_action_env
- https://bazel.build/versions/9.0.0/reference/command-line-reference#flag--incompatible_strict_action_env
- bazelbuild/bazel#26587
- bazelbuild/bazel@60c5a03

This caused `test_framework.sh` to use `/bin/bash`, instead of any newer
Bash on the user's `PATH`. On macOS, `/bin/bash` is version
3.2.57(1)-release, and it failed with an unbound variable error when the
`SKIPPED` array was empty:

```txt
../rules_magic+/test/test_framework.sh: line 176:
  SKIPPED[@]: unbound variable
```

Bash 4.4 fixes the empty array behavior, which is why the error didn't
appear earlier while testing with Bash 5 in the `PATH`:

- https://cgit.git.savannah.gnu.org/cgit/bash.git/tree/CHANGES?id=3ba697465bc74fab513a26dea700cc82e9f4724e#n878
- https://stackoverflow.com/a/7577209

The workaround was to check the length of `SKIPPED` before expanding it
as part of an argument list to a function call.
mbland added a commit to EngFlow-Academy/bzlmod-bootcamp that referenced this pull request Feb 18, 2026
@mbland
Fix bazel_worker_api, test_framework.sh breakages
eafdc61 
Bumping bazel_worker_api to v0.0.10 resolves
bazelbuild/bazel-worker-api#21 (see also bazelbuild/bazel#28692):

```txt
ERROR: external/bazel_tools/tools/build_defs/repo/http.bzl:200:45:
  An error occurred during the fetch of repository 'bazel_worker_api+':

Traceback (most recent call last):
  File "external/bazel_tools/tools/build_defs/repo/http.bzl",
  line 200, column 45, in _http_archive_impl
    download_info = ctx.download_and_extract(

Error in download_and_extract: java.io.IOException: Error extracting
  external/bazel_worker_api+/temp685257769505461943/bazel-worker-api-v0.0.6.tar.gz
  to external/bazel_worker_api+/temp685257769505461943:
  Tar entries cannot refer to files outside of their directory:
  external/bazel_worker_api+/temp685257769505461943/bazel-worker-api-v0.0.6.tar.gz
  has a link bazel-worker-api-0.0.6/proto/.bazelversion
  pointing to ../.bazelversion
```

Regarding the `test_framework.sh` breakage on macOS, Bazel 9.0.0 flipped
`--incompatible_strict_action_env` to `true`.

- https://github.com/bazelbuild/bazel/releases/tag/9.0.0
- bazelbuild/bazel#26587
- bazelbuild/bazel@60c5a03
- https://bazel.build/versions/9.0.0/reference/command-line-reference#flag--incompatible_strict_action_env
- https://bazel.build/versions/8.5.0/reference/command-line-reference#flag--incompatible_strict_action_env

This caused `test_framework.sh` to use `/bin/bash`, instead of any newer
Bash on the user's `PATH`. On macOS, `/bin/bash` is version
3.2.57(1)-release, and it failed with an unbound variable error when the
`SKIPPED` array was empty:

```txt
../rules_magic+/test/test_framework.sh: line 176:
  SKIPPED[@]: unbound variable
```

Bash 4.4 fixes the empty array behavior, which is why the error didn't
appear earlier while testing with Bash 5 in the `PATH`:

- https://cgit.git.savannah.gnu.org/cgit/bash.git/tree/CHANGES?id=3ba697465bc74fab513a26dea700cc82e9f4724e#n878
- https://stackoverflow.com/a/7577209

Temporarily setting `--noincompatible_strict_action_env` in `.bazelrc`
indeed resolved the error. The permanent workaround is to check the
length of `SKIPPED` before expanding it as part of an argument list to a
function call.
@meteorcloudy
Copy link
Copy Markdown
Member

meteorcloudy commented Feb 18, 2026

Thanks, but we don't need to fork this issue for 9.0.1 and 9.1.0 as the original change is only available at HEAD and a few rolling releases.

@fmeum
Copy link
Copy Markdown
Collaborator Author

fmeum commented Feb 18, 2026

Sorry, didn't see that Mike was this quick of an adopter. :-)

@meisterT
Copy link
Copy Markdown
Member

meisterT commented Feb 18, 2026

Can you help me understand what the legitimate use of uplink/absolute paths is in tar archives (I don't immediately see it from the linked issue).

@fmeum
Copy link
Copy Markdown
Collaborator Author

fmeum commented Feb 18, 2026
edited
Loading

Release archives from git repos tend to contain such symlinks for .bazelrc and .bazelversion in subdirectories that are themselves Bazel modules. When you use them with strip_prefix to get only a submodule, you run into this issue.

In the linked issue, the up-level reference even stays within the repo.

An alternative would be to "sanitize" such symlinks to a target such as bazel_rewrote_this_uplevel_symlink.

mbland added a commit to EngFlow-Academy/bzlmod-bootcamp that referenced this pull request Feb 18, 2026
@mbland
Bump bazel_worker_api to v0.0.10
11fe675 
Resolves bazelbuild/bazel-worker-api#21 (see also
bazelbuild/bazel#28692):

```txt
ERROR: external/bazel_tools/tools/build_defs/repo/http.bzl:200:45:
  An error occurred during the fetch of repository 'bazel_worker_api+':

Traceback (most recent call last):
  File "external/bazel_tools/tools/build_defs/repo/http.bzl",
  line 200, column 45, in _http_archive_impl
    download_info = ctx.download_and_extract(

Error in download_and_extract: java.io.IOException: Error extracting
  external/bazel_worker_api+/temp685257769505461943/bazel-worker-api-v0.0.6.tar.gz
  to external/bazel_worker_api+/temp685257769505461943:
  Tar entries cannot refer to files outside of their directory:
  external/bazel_worker_api+/temp685257769505461943/bazel-worker-api-v0.0.6.tar.gz
  has a link bazel-worker-api-0.0.6/proto/.bazelversion
  pointing to ../.bazelversion
```
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Mar 21, 2026

Thank you for contributing to the Bazel repository! This pull request has been marked as stale since it has not had any activity in the last 30 days. It will be closed in the next 30 days unless any other activity occurs. If you think this PR is still relevant and should stay open, please post any comment here and the PR will no longer be marked as stale.

@github-actions github-actions Bot added the stale Issues or PRs that are stale (no activity for 30 days) label Mar 21, 2026
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Apr 20, 2026

This pull request has been automatically closed due to inactivity. If you're still interested in pursuing this, please post @bazelbuild/triage in a comment here and we'll take a look. Thanks!

@github-actions github-actions Bot closed this Apr 20, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@meisterT meisterT Awaiting requested review from meisterT

Assignees

No one assigned

Labels

stale Issues or PRs that are stale (no activity for 30 days)

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@fmeum @meteorcloudy @meisterT