Skip to content

Improve path handling in extractor#6290

Merged
swissspidy merged 1 commit intomainfrom
fix/extractor
Mar 26, 2026
Merged

Improve path handling in extractor#6290
swissspidy merged 1 commit intomainfrom
fix/extractor

Conversation

@swissspidy
Copy link
Copy Markdown
Member

@swissspidy swissspidy commented Mar 25, 2026

No description provided.

Copilot AI review requested due to automatic review settings March 25, 2026 21:15
@swissspidy swissspidy requested a review from a team as a code owner March 25, 2026 21:15
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Mar 25, 2026

Hello! 👋

Thanks for opening this pull request! Please check out our contributing guidelines. We appreciate you taking the initiative to contribute to this project.

Contributing isn't limited to just code. We encourage you to contribute in the way that best fits your abilities, by writing tutorials, giving a demo at your local meetup, helping other users with their support questions, or revising our documentation.

Here are some useful Composer commands to get you started:

  • composer install: Install dependencies.
  • composer test: Run the full test suite.
  • composer phpcs: Check for code style violations.
  • composer phpcbf: Automatically fix code style violations.
  • composer phpunit: Run unit tests.
  • composer behat: Run behavior-driven tests.

To run a single Behat test, you can use the following command:

# Run all tests in a single file
composer behat features/some-feature.feature

# Run only a specific scenario (where 123 is the line number of the "Scenario:" title)
composer behat features/some-feature.feature:123

You can find a list of all available Behat steps in our handbook.

@gemini-code-assist
Copy link
Copy Markdown
Contributor

gemini-code-assist bot commented Mar 25, 2026

Summary of Changes

Hello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request refines the Extractor class by implementing more robust and secure path handling mechanisms. The changes focus on ensuring that file operations, particularly extraction and directory removal, correctly resolve file paths and prevent unintended actions outside designated directories, thereby enhancing the overall stability and security of the extraction process.

Highlights

  • Enhanced Tarball Path Resolution: The extract_tarball method now uses realpath() to resolve tarball paths to their absolute form, improving reliability and security by explicitly validating the file's existence and readability.
  • Improved Directory Removal Safety: The rmdir method was updated to prevent directory traversal vulnerabilities by strictly ensuring that only files and directories within the specified base directory are removed, issuing a warning and skipping removal for any files found outside this scope.
  • Removed Unused Helper Function: The path_is_relative private static method was removed as its functionality is no longer required after the path handling improvements.
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

@codecov
Copy link
Copy Markdown

codecov bot commented Mar 25, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 86.66667% with 2 lines in your changes missing coverage. Please review.

Files with missing lines Patch % Lines
php/WP_CLI/Extractor.php 86.66% 2 Missing ⚠️

📢 Thoughts on this report? Let us know!

gemini-code-assist[bot]
gemini-code-assist bot reviewed Mar 25, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request refactors path handling in php/WP_CLI/Extractor.php to enhance security and robustness. Key changes include using realpath() for tarball extraction, which also allowed for the removal of the path_is_relative function. Additionally, the rmdir function was updated with a stricter security check to prevent directory traversal vulnerabilities. However, a high-severity issue was identified in the rmdir function's path validation: using getPathname() instead of getRealPath() could lead to incorrect comparisons against the canonical base directory, potentially bypassing the intended security check.

Copilot AI reviewed Mar 25, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR refines path handling in WP_CLI\Extractor, aiming to make archive extraction and temporary-directory cleanup more robust and consistent across environments.

Changes:

  • Resolve tarball paths via realpath() before invoking tar, and align tarball validation error messaging.
  • Harden Extractor::rmdir() by checking that deleted entries are within the intended base directory.
  • Remove the now-unused relative-path helper.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@swissspidy swissspidy merged commit 1045989 into main Mar 26, 2026
69 checks passed
@swissspidy swissspidy deleted the fix/extractor branch March 26, 2026 06:20
@swissspidy swissspidy added this to the 3.0.0 milestone Mar 26, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

command:cli-utils scope:framework

Projects

None yet

Milestone

3.0.0

Development

Successfully merging this pull request may close these issues.

2 participants

@swissspidy