pub struct EntryValidator<'a> { /* private fields */ }
Orchestrates security validation for archive entries.
This type maintains state across entry validations:
- Quota tracking (file count, total size)
- Compression ratio monitoring (zip bomb detection)
- Hardlink target tracking
§Lifecycle
- Create with EntryValidator::new(&config, &dest)
- For each entry, call validate_entry()
- After all entries processed, call finish() for final report
§Examples
use exarch_core::SecurityConfig;
use exarch_core::security::EntryValidator;
use exarch_core::types::DestDir;
use exarch_core::types::EntryType;
use std::path::Path;
use std::path::PathBuf;
let dest = DestDir::new(PathBuf::from("/tmp"))?;
let config = SecurityConfig::default();
let mut validator = EntryValidator::new(&config, &dest);
// Validate a file entry
let entry = validator.validate_entry(
    Path::new("foo/bar.txt"),
    &EntryType::File,
    1024,        // uncompressed size
    Some(512),   // compressed size
    Some(0o644), // mode
)?;
let report = validator.finish();
println!("Validated {} files", report.files_validated);
OPT-H004: Validator uses references to avoid cloning config and dest.
This eliminates 1 clone per extraction (SecurityConfig + DestDir).
Implementations§
impl<'a> EntryValidator<'a>
pub fn new(config: &'a SecurityConfig, dest: &'a DestDir) -> Self
Creates a new entry validator with the given security configuration.
pub fn validate_entry(
    &mut self,
    path: &Path,
    entry_type: &EntryType,
    uncompressed_size: u64,
    compressed_size: Option<u64>,
    mode: Option<u32>,
) -> Result<ValidatedEntry>
Validates an archive entry.
This method orchestrates all security validations:
- Path validation (traversal, depth, banned components)
- Quota checking (file size, count, total size)
- Compression ratio validation (zip bomb detection)
- Type-specific validation (symlink, hardlink, permissions)
§Performance
Typical execution time per entry:
- Regular file (non-existing): ~1-2 μs
- Regular file (existing): ~10-50 μs (canonicalization)
- Symlink: ~10-50 μs (target resolution)
- Hardlink: ~5-10 μs (tracking update)
§Errors
Returns an error if any validation fails. Common errors:
- ExtractionError::PathTraversal - Path escapes destination
- ExtractionError::QuotaExceeded - Size or count limits exceeded
- ExtractionError::ZipBomb - Compression ratio too high
- ExtractionError::SymlinkEscape - Symlink target escapes
- ExtractionError::HardlinkEscape - Hardlink target escapes
- ExtractionError::InvalidPermissions - Dangerous permissions
§Examples
use exarch_core::SecurityConfig;
use exarch_core::security::EntryValidator;
use exarch_core::types::DestDir;
use exarch_core::types::EntryType;
use std::path::Path;
use std::path::PathBuf;
let dest = DestDir::new(PathBuf::from("/tmp"))?;
let config = SecurityConfig::default();
let mut validator = EntryValidator::new(&config, &dest);
let entry = validator.validate_entry(
    Path::new("file.txt"),
    &EntryType::File,
    1024,
    None,
    Some(0o644),
)?;
pub fn finish(self) -> ValidationReport
Finishes validation and returns a summary report.
This consumes the validator and returns statistics about the validation process.
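The lifecycle and stateful checks described above (new, then validate_entry() per entry, then finish()), as an added stand-alone sketch using only std; it is not exarch_core's code. MiniValidator, Limits, Reject and the limit values are hypothetical, and only the path, quota and compression-ratio checks are covered (no symlink, hardlink or permission validation).

```rust
use std::path::{Component, Path};

// Hypothetical limits for this sketch; not exarch_core's defaults.
pub struct Limits { pub max_files: u64, pub max_total: u64, pub max_ratio: u64 }

#[derive(Debug, PartialEq)]
pub enum Reject { PathTraversal, QuotaExceeded, ZipBomb }

// State carried across entries, mirroring the quota tracking described above.
pub struct MiniValidator<'a> { limits: &'a Limits, files: u64, total: u64 }

impl<'a> MiniValidator<'a> {
    pub fn new(limits: &'a Limits) -> Self { Self { limits, files: 0, total: 0 } }

    pub fn validate_entry(&mut self, path: &Path, size: u64, packed: Option<u64>) -> Result<(), Reject> {
        // Lexical path check: only plain names and `.` are allowed, so absolute
        // paths, drive prefixes and `..` are rejected before anything is written.
        if path.components().any(|c| !matches!(c, Component::Normal(_) | Component::CurDir)) {
            return Err(Reject::PathTraversal);
        }
        // Quotas: checked addition so a huge declared size cannot wrap the total.
        let total = self.total.checked_add(size).ok_or(Reject::QuotaExceeded)?;
        if self.files + 1 > self.limits.max_files || total > self.limits.max_total {
            return Err(Reject::QuotaExceeded);
        }
        // Ratio test written as a multiplication: no division by zero, and a zero
        // compressed size with non-empty output is treated as a bomb.
        if packed.map_or(false, |c| size > c.saturating_mul(self.limits.max_ratio)) {
            return Err(Reject::ZipBomb);
        }
        // Commit state only after every check has passed.
        self.files += 1;
        self.total = total;
        Ok(())
    }

    // Consumes the validator, like finish(): returns (files, total bytes).
    pub fn finish(self) -> (u64, u64) { (self.files, self.total) }
}

fn main() {
    // Constructed sample entries and limits.
    let limits = Limits { max_files: 2, max_total: 4096, max_ratio: 100 };
    let mut v = MiniValidator::new(&limits);
    println!("{:?}", v.validate_entry(Path::new("foo/bar.txt"), 1024, Some(512)));
    println!("{:?}", v.validate_entry(Path::new("../etc/passwd"), 10, None));
    println!("{:?}", v.finish());
}
```

Rejected entries leave the counters untouched, so the totals returned at the end reflect only entries that passed every check.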
Auto Trait Implementations§
impl<'a> Freeze for EntryValidator<'a>
impl<'a> RefUnwindSafe for EntryValidator<'a>
impl<'a> Send for EntryValidator<'a>
impl<'a> Sync for EntryValidator<'a>
impl<'a> Unpin for EntryValidator<'a>
impl<'a> UnwindSafe for EntryValidator<'a>
Blanket Implementations§
impl<T> BorrowMut<T> for T
where
    T: ?Sized,
fn borrow_mut(&mut self) -> &mut T
Mutably borrows from an owned value.