pub fn extract_safe(source: impl Read, target: &Path) -> Result<(), Error>
Extract a .tar.gz archive from source into target, rejecting
any entry that would escape the target or is not a regular file/directory.
§Pre-extraction checks
Before iterating entries, this function:
- Canonicalizes `target` (caller must create it first).
- Walks every ancestor of `target` up to the filesystem root and verifies none is a symlink.
- Lists every direct child of `target` and verifies none is a symlink.
§Per-entry checks
For each entry:
- Only `Regular` and `Directory` types are accepted; all others (symlinks, hardlinks, devices, etc.) are rejected.
- Path components are scanned: `..`, `RootDir`, and `Prefix` are rejected.
- Absolute paths are rejected.
- A lexical prefix check confirms the resolved path stays within `target` (case-insensitive on Windows).
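
The per-entry path checks listed above, sketched with the standard library only. This is an added example, not this crate's source: `resolve_entry` and `within` are hypothetical names, and `target` is assumed to be canonicalized already.

```rust
use std::path::{Component, Path, PathBuf};

/// Hypothetical helper (not the crate's code): validate one archive entry path
/// against an already-canonicalized `target` and return the destination path.
fn resolve_entry(target: &Path, entry: &Path) -> Result<PathBuf, String> {
    if entry.is_absolute() {
        return Err(format!("absolute path: {}", entry.display()));
    }
    let mut dest = target.to_path_buf();
    for comp in entry.components() {
        match comp {
            Component::Normal(part) => dest.push(part),
            Component::CurDir => {} // "./" adds nothing to the destination
            Component::ParentDir => return Err(format!("`..` in {}", entry.display())),
            Component::RootDir | Component::Prefix(_) => {
                return Err(format!("rooted path: {}", entry.display()))
            }
        }
    }
    // Lexical prefix check as a second line of defense. It compares whole
    // components, so "/srv/out-evil" is not treated as inside "/srv/out".
    if !within(target, &dest) {
        return Err(format!("escapes target: {}", dest.display()));
    }
    Ok(dest)
}

/// Component-wise prefix test; lowercases both sides on Windows only.
fn within(base: &Path, path: &Path) -> bool {
    let mut p = path.components();
    base.components().all(|b| match p.next() {
        Some(c) if cfg!(windows) => {
            c.as_os_str().to_string_lossy().to_lowercase()
                == b.as_os_str().to_string_lossy().to_lowercase()
        }
        Some(c) => c == b,
        None => false,
    })
}

fn main() {
    let target = Path::new("/srv/out"); // constructed sample target
    for name in ["pkg/bin/tool", "./README", "../etc/passwd", "/etc/passwd", "a/../../b"] {
        println!("{:<16} -> {:?}", name, resolve_entry(target, Path::new(name)));
    }
}
```

A raw string `starts_with` on the two paths would accept sibling directories that share a name prefix, which is why the prefix test works on components.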