Skip to content

[8.6.0] Prevent InvalidPathException in rctx.download_and_extract #28164

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
iancha1992 merged 1 commit into from
Jan 6, 2026
Merged

[8.6.0] Prevent InvalidPathException in rctx.download_and_extract #28164

iancha1992 merged 1 commit into from
Jan 6, 2026

Conversation

@bazel-io
Copy link
Member

@bazel-io bazel-io commented Jan 5, 2026

Fixes #28121

Closes #28128.

PiperOrigin-RevId: 852374394
Change-Id: I4390a6c0581cc955494bf3be549b0ca9efd48c7b

Commit 5578c00

@fmeum @bazel-io
Prevent InvalidPathException in rctx.download_and_extract
dc40b1e 
Fixes bazelbuild#28121

Closes bazelbuild#28128.

PiperOrigin-RevId: 852374394
Change-Id: I4390a6c0581cc955494bf3be549b0ca9efd48c7b
@bazel-io bazel-io requested a review from a team as a code owner January 5, 2026 19:05
@bazel-io bazel-io added team-ExternalDeps External dependency handling, remote repositiories, WORKSPACE file. awaiting-review PR is awaiting review from an assigned reviewer labels Jan 5, 2026
@bazel-io bazel-io requested a review from Wyverald January 5, 2026 19:05
@bazel-io bazel-io mentioned this pull request Jan 5, 2026
Closed
gemini-code-assist[bot]
gemini-code-assist bot reviewed Jan 5, 2026
View reviewed changes
Copy link

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request aims to prevent InvalidPathException when downloading and extracting files by sanitizing the filename derived from the URL. The approach is to replace characters that are not filesystem-safe with an underscore. The core logic change is sound, and a new test case has been added to verify the fix for a filename containing a colon. However, the sanitization is incomplete and can still lead to InvalidPathException on Windows. I've left a comment with details and a suggestion to make the fix more robust.

src/main/java/com/google/devtools/build/lib/bazel/repository/downloader/DownloadManager.java
return output.getRelative(basename);
// The basename may contain characters that aren't legal in a path with all file systems. Those
// characters won't matter for type determination.
return output.getRelative(FS_UNSAFE_CHARS.replaceFrom(basename, '_'));
Copy link

@gemini-code-assist gemini-code-assist bot Jan 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

This sanitization is a good step, but it's incomplete and can still lead to InvalidPathException on Windows in a couple of cases:

  1. Filenames ending with a dot: Windows does not allow filenames to end with a period. For example, if basename is myfile., it will pass through the current filter, but Path.getRelative("myfile.") will fail on Windows.
  2. Reserved filenames: Windows reserves certain filenames, such as CON, PRN, AUX, NUL, and COM1-COM9, LPT1-LPT9. These names are invalid regardless of extension (e.g., CON.txt is invalid). If basename is CON.zip, it will not be sanitized and will cause an error on Windows.

I'd recommend enhancing the sanitization to handle these cases. Here's a suggestion to address the trailing dot issue and prevent an empty basename, which is the more straightforward of the two to fix:

    String sanitized = FS_UNSAFE_CHARS.replaceFrom(basename, '_');
    sanitized = CharMatcher.is('.').trimTrailingFrom(sanitized);
    if (sanitized.isEmpty()) {
      sanitized = "temp";
    }
    return output.getRelative(sanitized);

@iancha1992 iancha1992 enabled auto-merge January 5, 2026 20:05
@iancha1992 iancha1992 added this pull request to the merge queue Jan 6, 2026
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Jan 6, 2026
@iancha1992 iancha1992 added this pull request to the merge queue Jan 6, 2026
Merged via the queue into bazelbuild:release-8.6.0 with commit 373ece7 Jan 6, 2026
47 checks passed
@github-actions github-actions bot removed the awaiting-review PR is awaiting review from an assigned reviewer label Jan 6, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Wyverald Wyverald Wyverald approved these changes

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

team-ExternalDeps External dependency handling, remote repositiories, WORKSPACE file.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@bazel-io @Wyverald @iancha1992 @fmeum