Struct HardlinkTracker 

pub struct HardlinkTracker { /* private fields */ }

Tracks hardlink targets during extraction.

Hardlinks in archives can be used for attacks:

1. Link to files outside the extraction directory
2. Create multiple hardlinks to the same file (resource exhaustion)
3. Link to sensitive files (if absolute paths allowed)

This tracker ensures:

• Hardlinks are allowed in the security configuration
• Targets are relative paths
• Targets resolve within the destination directory
• Duplicate hardlinks are detected

Two-Pass Validation

Hardlinks require two-pass validation:

1. First pass (during validation): Track target paths, verify they’re within bounds
2. Second pass (after extraction): Verify targets actually exist

This is necessary because hardlink targets may appear later in the archive.

Examples

use exarch_core::SecurityConfig;
use exarch_core::security::HardlinkTracker;
use exarch_core::types::DestDir;
use exarch_core::types::SafePath;
use std::path::Path;
use std::path::PathBuf;

let dest = DestDir::new(PathBuf::from("/tmp"))?;
let mut config = SecurityConfig::default();
config.allowed.hardlinks = true;

let mut tracker = HardlinkTracker::new();
let link = SafePath::validate(&PathBuf::from("link"), &dest, &config)?;
let target = Path::new("target.txt");

tracker.validate_hardlink(&link, target, &dest, &config)?;

Implementations

impl HardlinkTracker

pub fn new() -> Self

Creates a new hardlink tracker.

pub fn validate_hardlink( &mut self, link_path: &SafePath, target: &Path, dest: &DestDir, config: &SecurityConfig, ) -> Result<()>

Validates that a hardlink target is safe and tracks it.

Performance

Typical execution time: ~1-5 μs (HashMap insert + path validation)

Errors

Returns an error if:

• Hardlinks are not allowed in configuration
• Target is an absolute path
• Target would escape the destination directory

Examples

use exarch_core::SecurityConfig;
use exarch_core::security::HardlinkTracker;
use exarch_core::types::DestDir;
use exarch_core::types::SafePath;
use std::path::Path;
use std::path::PathBuf;

let dest = DestDir::new(PathBuf::from("/tmp"))?;
let mut config = SecurityConfig::default();
config.allowed.hardlinks = true;

let mut tracker = HardlinkTracker::new();
let link = SafePath::validate(&PathBuf::from("link"), &dest, &config)?;
let target = Path::new("target.txt");

tracker.validate_hardlink(&link, target, &dest, &config)?;

pub fn count(&self) -> usize

Returns the number of tracked hardlinks.

pub fn has_target(&self, target: &Path) -> bool

Checks if a target path has been seen before.

Trait Implementations

impl Debug for HardlinkTracker

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl Default for HardlinkTracker

fn default() -> HardlinkTracker

Returns the “default value” for a type.