[Issue 21234] New: Import expression can read files outside of -J path in case of symlink/hardlink

d-bugmail at puremagic.com d-bugmail at puremagic.com
Thu Sep 10 10:35:12 UTC 2020 

https://issues.dlang.org/show_bug.cgi?id=21234

          Issue ID: 21234
           Summary: Import expression can read files outside of -J path in
                    case of symlink/hardlink
           Product: D
           Version: D2
          Hardware: x86
                OS: All
            Status: NEW
          Severity: normal
          Priority: P1
         Component: dmd
          Assignee: nobody at puremagic.com
          Reporter: andrey.zherikov at gmail.com

I did 4 tests to understand how symlinks and hardlinks are treated on Posix
(Ubuntu 20.04 in my case) and Windows (Windows 10 build 19041.450) inside -J
path. The results are:
 - If a hardlink points to outside of -J path then import("file") reads it on
both Windows and Posix;
 - If a symlink points to outside of -J path then import("file") reads it on
Windows and rejects on Posix.

So this brings up few questions:
 - Should there be a parity between Windows and Posix in treating of symlinks?
 - Should there be a parity in treating of symlinks and hardlinks?
 - What are security concerns to disallow symlinks to external files on Posix?
Is it feasible to remove this restriction to make it consistent across
platforms?
 - Should DMD reject hardlinks that point outside of -J path? (I'm not sure
that it's easy to implement or even possible)
 - Does providing -J option to DMD mean user's consent to use the content of
specified directory regardless to the type of this content? There is legitimate
use case IMO when one creates a "working" directory to be passed to -J option
that intentionally contains symlinks to external files (e.g. specific files in
some git repo).

(See references [1] and [2] regarding symlink/hardlink support on Windows)


Testcase used here:
====== test.d
void main()
{
    pragma(msg, import("file"));
}
====== file
hello
======

Steps to reproduce: symlink on Ubuntu
======
$ rm -rf foo/; mkdir foo; ln -s ../file foo/file

$ ls -li file foo/file
74551 -rwxr--r-- 2 andrey andrey 6 Sep 10 04:43 file
73336 lrwxrwxrwx 1 andrey andrey 7 Sep 10 06:12 foo/file -> ../file

$ dmd -Jfoo -run test.d
test.d(3): Error: file "file" cannot be found or not in a path specified with
-J
test.d(3):        while evaluating pragma(msg, import("file"))
======

Steps to reproduce: hardlink on Ubuntu
======
$ rm -rf foo/; mkdir foo; ln file foo/file

$ ls -li file foo/file
74551 -rwxr--r-- 3 andrey andrey 6 Sep 10 04:43 file
74551 -rwxr--r-- 3 andrey andrey 6 Sep 10 04:43 foo/file

$ dmd -Jfoo -run test.d
hello
======

Steps to reproduce: symlink on Windows (use cmd in admin mode)
======
>rmdir /s /q foo & mkdir foo & mklink foo\file ..\file
symbolic link created for foo\file <<===>> ..\file

>dir file foo\file
 Directory of C:\link-test
09/10/2020  05:08 AM                 6 file
 Directory of C:\link-test\foo
09/10/2020  06:21 AM    <SYMLINK>      file [..\file]

>dmd -Jfoo -run test.d
hello
======

Steps to reproduce: hardlink on Windows (use cmd in admin mode)
======
>rmdir /s /q foo & mkdir foo & mklink /h foo\file file
Hardlink created for foo\file <<===>> file

>dir file foo\file
 Directory of C:\link-test
09/10/2020  05:08 AM                 6 file
 Directory of C:\link-test\foo
09/10/2020  05:08 AM                 6 file

C:\link-test>dmd -Jfoo -run test.d
hello
======


References:
[1]
https://docs.microsoft.com/en-us/windows/win32/fileio/hard-links-and-junctions
[2] https://docs.microsoft.com/en-us/windows/win32/fileio/symbolic-links

--

More information about the Digitalmars-d-bugs mailing list