rust-lang / crater

Run experiments across parts of the Rust ecosystem!
https://crater.rust-lang.org

Bump remove_dir_all from 0.7.0 to 0.8.0 #691

Closed dependabot[bot] closed 1 year ago

dependabot[bot] commented 1 year ago

Bumps remove_dir_all from 0.7.0 to 0.8.0.

Changelog

Sourced from remove_dir_all's changelog.

0.8.0

Security changes

  • Fix TOCTOU race conditions both inside the implementation of functions and the contract: functions now only operate on directories. Callers wanting to process the contents of a symlink (e.g. for remove_dir_contents) should resolve the symlink themselves. This is an API break from 0.7.0, but the previous behaviour was insecure.

    This is due to the same code pattern as caused CVE-2022-21658 in Rust itself: it was possible to trick a privileged process doing a recursive delete in an attacker controlled directory into deleting privileged files, on all operating systems.

    For instance, consider deleting a tree called 'etc' in a parent directory called 'p'. Between calling remove_dir_all("a") and remove_dir_all("a") actually starting its work, the attacker can move 'p' to 'p-prime', and replace 'p' with a symlink to '/'. Then the privileged process deletes 'p/etc' which is actually /etc, and now your system is broken. There are some mitigations for this exact scenario, such as CWD relative file lookup, but they are not guaranteed - any code using absolute paths will not have that protection in place.

    The same attack could be performed at any point in the directory tree being deleted: if 'a' contains a child directory called 'etc', attacking the deletion by replacing 'a' with a link is possible.

    The new code in this release mitigates the attack within the directory tree being deleted by using file-handle relative operations: to open 'a/etc', the path 'etc' relative to 'a' is opened, where 'a' is represented by a file descriptor (Unix) or handle (Windows). With the exception of the entry points into the directory deletion logic, this is robust against manipulation of the directory hierarchy, and remove_dir_all will only delete files and directories contained in the tree it is deleting.

    The entry path however is a challenge - as described above, there are some potential mitigations, but since using them must be done by the calling code, it is hard to be confident about the security properties of the path based interface.

    The new extension trait RemoveDir provides an interface where it is much harder to get it wrong.

    `somedir.remove_dir_contents("name-of-child")`.

    Callers can then make their own security evaluation about how to securely get a directory handle. That is still not particularly obvious, and we're going to follow up with a helper of some sort (probably in the fs_at crate). Once that is available, the path based entry points will get deprecated.

... (truncated)


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/rust-lang/crater/network/alerts).

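The changelog quoted above describes the 0.8.0 mitigation: walk the tree through directory handles and relative names instead of absolute paths, so a directory swapped for a symlink mid-walk is unlinked as a link rather than followed, and refuse a symlink at the entry point. The following is an added illustration of that pattern, not code from remove_dir_all or from crater; it is written in C because the POSIX openat()/unlinkat() calls are the primitives the handle-relative approach rests on, and it assumes a Linux or BSD-style host with a writable /tmp. The fixture it builds (`victim/` with a symlink to a sibling `outside/` directory holding a canary file, plus an `alias` symlink used as an entry point) is constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Delete directory `name` (relative to `parent_fd`) and its contents by descriptor:
 * each child is reached with openat()/unlinkat() on the handle of its own parent,
 * never by path, and O_NOFOLLOW refuses a symlink at the entry point. 0 or -1. */
static int remove_tree_at(int parent_fd, const char *name) {
    int fd = openat(parent_fd, name, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;                         /* ELOOP if `name` is a symlink */
    DIR *dir = fdopendir(fd);
    if (dir == NULL) { close(fd); return -1; }
    struct dirent *ent;
    int rc = 0;
    while (rc == 0 && (ent = readdir(dir)) != NULL) {
        if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0) continue;
        if (unlinkat(fd, ent->d_name, 0) == 0) continue;  /* file or symlink: removed, not followed */
        if (errno != EISDIR && errno != EPERM) rc = -1;    /* EPERM: BSD/macOS for directories */
        else rc = remove_tree_at(fd, ent->d_name);         /* a real subdirectory: recurse via fd */
    }
    int saved = errno;
    closedir(dir);                                         /* also closes fd */
    errno = saved;
    return rc == 0 ? unlinkat(parent_fd, name, AT_REMOVEDIR) : -1;
}

static int exists_at(int dirfd, const char *name) {        /* lstat-style: does not follow links */
    struct stat st;
    return fstatat(dirfd, name, &st, AT_SYMLINK_NOFOLLOW) == 0;
}

/* Constructed fixture: victim/{a.txt, sub/b.txt, link -> ../outside}, outside/canary,
 * alias -> outside. Returns 1 if victim/ is gone, the canary survived, and alias was refused. */
static int demo(void) {
    char base[] = "/tmp/rda-demo-XXXXXX";
    if (mkdtemp(base) == NULL) return 0;
    int bfd = open(base, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (bfd < 0) return 0;
    mkdirat(bfd, "outside", 0700); mkdirat(bfd, "victim", 0700); mkdirat(bfd, "victim/sub", 0700);
    close(openat(bfd, "outside/canary", O_WRONLY | O_CREAT, 0600));
    close(openat(bfd, "victim/a.txt", O_WRONLY | O_CREAT, 0600));
    close(openat(bfd, "victim/sub/b.txt", O_WRONLY | O_CREAT, 0600));
    symlinkat("../outside", bfd, "victim/link");
    symlinkat("outside", bfd, "alias");
    int refused = remove_tree_at(bfd, "alias") == -1 && exists_at(bfd, "alias");
    int removed = remove_tree_at(bfd, "victim") == 0 && !exists_at(bfd, "victim");
    int canary_ok = exists_at(bfd, "outside/canary");
    unlinkat(bfd, "outside/canary", 0); unlinkat(bfd, "outside", AT_REMOVEDIR);
    unlinkat(bfd, "alias", 0); close(bfd); rmdir(base);
    return refused && removed && canary_ok;
}
```

What remains unprotected, exactly as the changelog says, is how the caller obtains `parent_fd` for the top-level call; the walk below it no longer depends on path lookups.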
Mark-Simulacrum commented 1 year ago

@bors r+

bors commented 1 year ago

:pushpin: Commit cc7db67b357ea05ddee8714066525c28f73c07ec has been approved by Mark-Simulacrum

It is now in the queue for this repository.

bors commented 1 year ago

:hourglass: Testing commit cc7db67b357ea05ddee8714066525c28f73c07ec with merge 9250f54eadd0e5aa67981db6d3a4d8ed3d19d9d3...

bors commented 1 year ago

:sunny: Test successful - checks-actions
Approved by: Mark-Simulacrum
Pushing 9250f54eadd0e5aa67981db6d3a4d8ed3d19d9d3 to master...