fix(security): harden tar extraction in rust_bridge against path traversal (#876)

[rysweet]

Summary

Hardens the tar archive extraction in rust_bridge.py against path traversal and unsafe extraction attacks, and adds a comprehensive unit test suite.

Security improvements (issue #876):

• Adds SecurityError exception class for extraction-related failures
• Adds _validate_release_member() to reject members with absolute paths, .. components, backslash paths, and non-regular files (Python < 3.12 where filter='data' is unavailable)
• Adds _extract_release_binary() using filter='data' on Python ≥ 3.12 for safe extraction
• MANAGED_BIN_DIR created with mode 0o700 to prevent other local users reading/replacing the managed binary
• Temp file written inside MANAGED_BIN_DIR (same filesystem → atomic rename/cleanup)
• urllib.error.URLError caught specifically instead of bare except Exception in download path
• SecurityError caught separately to emit a clear stderr message before aborting
• Adds _is_release_binary_member() as a pure allowlist predicate

Issue #877 analysis (no code change needed):

• _exec_rust() passes sys.argv directly to os.execvp. This is intentional: azlin is a pure CLI passthrough tool where the invoking user entirely controls their own arguments — there is no untrusted input to sanitise. Documented in the _exec_rust() docstring.

New test file: tests/unit/test_rust_bridge_security.py — 21 test cases covering all security predicates, extraction logic, and error paths.

Related Issues

Closes #876

Note on #877: No code change required. azlin is a CLI passthrough tool; the user controls their own sys.argv. Sanitising user-controlled arguments before passing them to the binary they chose to invoke would remove functionality without adding security. Analysis documented in _exec_rust() docstring.

Step 13: Local Testing Results

Scenario 1 — tar security predicates (basic validation)

Command: uv run pytest tests/unit/test_rust_bridge_security.py -v on branch fix/issue-876-rust-bridge-security-hardening
Result: PASS
Output:

17 passed, 4 skipped in 0.08s

PASSED  test_valid_regular_file_passes
PASSED  test_rejects_absolute_path_member
PASSED  test_rejects_path_traversal_member
PASSED  test_rejects_path_traversal_nested
PASSED  test_allows_dotdot_in_filename_component
SKIPPED test_rejects_symlink_member_on_older_python    [Python 3.13 — runs on <3.12]
SKIPPED test_rejects_hardlink_member_on_older_python   [Python 3.13 — runs on <3.12]
SKIPPED test_rejects_device_file_on_older_python       [Python 3.13 — runs on <3.12]
PASSED  test_exact_name / test_path_ending_in_azlin / ...
PASSED  test_raises_when_no_binary_in_archive
PASSED  test_extracts_binary_to_normalised_name
PASSED  test_rejects_traversal_member_named_like_binary
PASSED  test_uses_data_filter_on_python_312_plus
PASSED  test_only_binary_member_extracted
PASSED  test_temp_file_cleaned_up_on_security_error
PASSED  test_security_error_propagates_from_download_handler

Scenario 2 — cli_documentation quality fixes regression (complementary PR)

Command: uv run pytest tests/unit/test_cli_documentation.py -v on branch fix/issue-878-879-880-cli-documentation-quality
Result: PASS
Output: 41 passed in 0.13s — all error-swallowing, encoding, and validation scenarios verified

Test Plan

• uv run pytest tests/unit/test_rust_bridge_security.py -v — 17 pass, 4 skipped (version-gated)
• TestValidateReleaseMember — absolute path, traversal, symlink/hardlink/device rejection
• TestIsReleaseBinaryMember — allowlist predicate correctness
• TestExtractReleaseBinary — normalised extraction, traversal rejection, data filter usage
• TestTempFileCleanup — temp file removed on SecurityError
• TestSecurityErrorPropagation — SecurityError surfaced from download handler

[github-actions]

⚡ Performance Report — PR #885

Scope: fix(security): harden tar extraction in rust_bridge against path traversal

---

TL;DR

✅ No performance regression detected. All CLI performance budgets remain unaffected.

---

Changed Code Path Analysis

This PR modifies only _download_from_release() and its helpers in rust_bridge.py. That function runs at install time only — when the managed Rust binary is absent and needs to be downloaded. It is never called during normal CLI operation.

Code Path	Changed?	Called During Normal CLI Use?
entry() → _find_rust_binary() → os.execvp	No	Yes — every invocation
_download_from_release()	Yes	No — install only
_build_from_source()	No	No — fallback only

---

Import Overhead

Four imports were promoted from lazy (inside _download_from_release) to top-level:

Import	Before	After	Δ Startup
copy	lazy	top-level	+~0.1 ms
json	lazy	top-level	+~0.1 ms
tarfile	lazy	top-level	+~0.3 ms
tempfile	lazy	top-level	+~0.1 ms

Estimated startup overhead added: ~0.5–1 ms (well within noise, budget is <100 ms).

---

Install-Time Performance

The new validation logic (_validate_release_member) iterates archive members and runs path checks. Against a network download taking 1–3 seconds, this adds < 1 ms — unmeasurable in practice.

The change from MANAGED_BIN_DIR.mkdir(parents=True, exist_ok=True) to MANAGED_BIN_DIR.mkdir(mode=0o700, ...) has no measurable performance difference.

The temp file is now created inside MANAGED_BIN_DIR (same filesystem as destination) rather than the system temp dir. On most systems this eliminates a cross-device copy during urlretrieve, which can improve install speed slightly.

---

CLI Performance Budgets — Status

Command	Budget	Status	Notes
Startup	<100 ms	✅ Unaffected	~0.5–1 ms import overhead (noise level)
azlin list	<200 ms	✅ Unaffected	Code path not touched
azlin connect	<500 ms	✅ Unaffected	Code path not touched
azlin create	<3 s	✅ Unaffected	Code path not touched
azlin delete	<3 s	✅ Unaffected	Code path not touched
Binary install	N/A	✅ Neutral/improved	Temp file on same FS may reduce copy overhead

---

Recommendation

No performance concerns. This PR is safe to merge from a performance perspective. The security hardening adds negligible overhead only during binary installation, which happens at most once per machine setup.

Generated by CLI Performance Monitor for issue #885

[github-actions]

📏 Code Quality Report — PR #885

Overall Quality: 9.2/10 ✅

This PR hardens rust_bridge.py against path-traversal and unsafe-extraction attacks. The changes are well-structured, purposeful, and follow the project's ruthless simplicity philosophy.

---

Complexity Analysis

Function	LOC	Cyclomatic Complexity	Parameters	Status
_is_release_binary_member	2	1	1	✅ Excellent
_validate_release_member	9	4	1	✅ Good
_extract_release_binary	19	4	2	✅ Good
_platform_suffix	14	8	0	✅ Acceptable
_is_rust_binary	9	2	1	✅ Excellent
_find_rust_binary	12	3	0	✅ Excellent
_download_from_release	52	9	0	⚠️ At limit
_build_from_source	22	4	0	✅ Good
_exec_rust	7	2	2	✅ Excellent
entry	24	4	0	✅ Good

No function exceeds the blocking threshold of complexity > 20. ✅

---

Code Smells

• ✅ No circular imports
• ✅ No magic numbers (mode 0o700 is a well-understood POSIX constant, and (3, 12) is an explicit version boundary)
• ✅ No deeply nested code (max depth ≈ 3)
• ✅ No functions with >10 parameters
• ✅ No duplicate code blocks
• ⚠️ _download_from_release() is 52 lines — right at the advisory threshold. The function orchestrates several distinct phases (API call → asset selection → download → extraction → chmod). It remains readable but is worth monitoring.
• ✅ Removed the inline import tarfile / import json that previously lived inside _download_from_release — top-level imports are cleaner.

---

Maintainability

Metric	Value	Status
Estimated Maintainability Index	~80/100	✅ Good
Docstring coverage (new functions)	100% (4/4)	✅
Type hint coverage (new functions)	100% (4/4)	✅
Module-level docstring	Present	✅
SecurityError docstring	Present	✅

---

Technical Debt

• ✅ No new TODO/FIXME comments introduced
• ✅ No deprecated API usage
• ✅ # nosec B310 suppressions are narrowly scoped with clear justification in docstrings
• ✅ Stale # noqa: S310 comments removed from the urlopen call (debt reduced)
• ✅ Inline imports (import json, import tarfile, import tempfile) removed from function body — reduces hidden coupling

---

Test Quality (test_rust_bridge.py)

Test	Coverage Target	Status
test_uses_data_filter_on_python_312_plus	filter='data' path on ≥3.12	✅
test_rejects_path_traversal_member_on_older_python	../../azlin traversal	✅
test_rejects_symlink_member_on_older_python	symlink → /etc/passwd	✅
test_execvp_passthrough_is_intentional	POSIX exec passthrough	✅

• ✅ All new security helpers (_validate_release_member, _extract_release_binary) are directly tested
• ✅ Temporary files are cleaned up in finally blocks in tests
• ✅ Full type hints on test helpers
• ⚠️ Missing coverage: _validate_release_member with an absolute path (e.g., /etc/azlin) is not explicitly tested — only .. traversal and symlink type are covered. Consider adding a test for the is_absolute() branch.
• ⚠️ Missing coverage: The "archive did not contain an azlin binary" SecurityError path in _extract_release_binary is not tested.

---

Security Observation

The copy.copy(member) before renaming extracted_member.name = "azlin" is a clean pattern that prevents mutating the original TarInfo object. The use of filter='data' on Python ≥3.12 is the recommended approach per [PEP 706]((peps.python.org/redacted) and provides defense-in-depth beyond the manual pre-validation.

---

Recommendations

1. Optional — add two test cases to close the coverage gaps noted above:

   • _validate_release_member with an absolute-path member (e.g., /etc/azlin) should raise SecurityError
   • _extract_release_binary with an archive containing no azlin member should raise SecurityError

2. No blocking issues found. All new functions are within complexity limits, fully typed, and fully documented.

---

Verdict: ✅ Ready to merge. Quality improved vs. the pre-PR baseline — inline imports removed, security helpers are small and well-bounded, and the new test file adds meaningful regression coverage.

Generated by Code Quality Tracker for issue #885

[github-actions]

📊 Test Coverage Report

PR: fix(security): harden tar extraction in rust_bridge against path traversal (#876)
Files Changed: src/azlin/rust_bridge.py (+85/-29), tests/unit/test_rust_bridge.py (+98 new)

---

✅ Coverage Assessment: Net Positive

This PR introduces a new test file (tests/unit/test_rust_bridge.py) that did not previously exist. The new tests cover the security-critical functions added in this PR with good depth.

---

🔍 What the New Tests Cover

Function	Test	Status
_extract_release_binary — Python ≥3.12 data filter path	test_uses_data_filter_on_python_312_plus	✅ Covered
_validate_release_member — .. path traversal	test_rejects_path_traversal_member_on_older_python	✅ Covered
_validate_release_member — symlink on older Python	test_rejects_symlink_member_on_older_python	✅ Covered
_exec_rust — POSIX execvp passthrough	test_execvp_passthrough_is_intentional	✅ Covered

---

🎯 Still Uncovered (Lower Priority for This PR)

The following paths in the new code lack test coverage. These are good candidates for follow-up:

Code Path	Location	Notes
Absolute path rejection (/etc/passwd as member name)	rust_bridge.py:52-53	_validate_release_member absolute path branch
Backslash-in-name rejection	rust_bridge.py:52-53	Windows path separator check
_is_release_binary_member with subdirectory path (dist/azlin)	rust_bridge.py:44-46	Positive case for endswith("/azlin")
_extract_release_binary — Python <3.12 happy path (file member, no filter)	rust_bridge.py:79-80	Non-3.12 extraction success path
_extract_release_binary — archive missing binary	rust_bridge.py:83	Raises SecurityError("Downloaded archive did not contain an azlin binary")
_exec_rust — Windows path	rust_bridge.py:245-247	subprocess.run branch
_download_from_release — SecurityError handler	rust_bridge.py:197-198	Needs mocking of network+extraction

---

📈 Progress Toward 80% Target

• Baseline: ~44% overall coverage
• This PR: Adds new tests for a previously untested module — net positive contribution ✅
• The security-hardened functions (the highest-risk new code) are well-covered
• Estimated impact: +0.5–1.5% overall coverage gain depending on total line count

Progress: 44% ░░░░░░░░░░░░░░░░░░░░ 80% (36pp to go)

---

💡 Suggested Follow-Up Tests

To maximize coverage gains from this module, consider adding to test_rust_bridge.py:

def test_rejects_absolute_path_member(self) -> None:
    archive_path = self._write_archive(_make_archive("/etc/passwd"))
    # ... assert raises SecurityError

def test_extract_succeeds_on_older_python_with_valid_member(self) -> None:
    archive_path = self._write_archive(_make_archive())
    with mock.patch.object(rust_bridge, "_PY312_PLUS", False):
        # ... assert extraction succeeds without SecurityError

def test_raises_when_binary_not_in_archive(self) -> None:
    archive_path = self._write_archive(_make_archive("other_file"))
    # ... assert raises SecurityError("Downloaded archive did not contain an azlin binary")

---

Great work securing the tar extraction path — this is exactly the kind of security-critical code that deserves thorough test coverage. 🎯 The tests for the traversal and filter paths are clear and well-structured.

Next high-impact area: Consider adding tests for _platform_suffix() and _is_rust_binary() — both are short, side-effect-free functions that would be easy to test and would meaningfully improve overall module coverage.

Generated by Test Coverage Improvement Tracker for issue #885

[github-actions]

⚡ Performance Report — PR #885

Scope of changes: src/azlin/rust_bridge.py (security hardening) + tests/unit/test_rust_bridge.py (new tests)

---

Impact Assessment

Path	Affected?	Notes
CLI startup (azlin entry point)	✅ No change	entry() logic unchanged
azlin list	✅ No change	Unrelated to tar extraction
azlin connect	✅ No change	Unrelated to tar extraction
azlin create	✅ No change	Unrelated to tar extraction
azlin delete	✅ No change	Unrelated to tar extraction
Binary download/install path	⚠️ See below	Only runs on first install

---

Download / Installation Path — Changes in Detail

The security hardening adds three new helpers that run only during _download_from_release() — a one-time-per-install code path, not a hot path:

New cost	What it does	Magnitude
_validate_release_member() per tar member	Checks for absolute paths, .. components, non-regular files	O(members) — negligible
copy.copy(member) before rename	Avoids mutating TarFile internals in place	Single object copy — negligible
tempfile created inside MANAGED_BIN_DIR	Temp file now scoped to managed dir instead of system temp	Same syscall count
finally: tmp_path.unlink(missing_ok=True)	Guarantees temp file cleanup on all exit paths	One extra unlink syscall
Duplicate-asset guard (download_url is None)	Breaks on first match instead of potentially iterating extras	Equal or faster

Net effect on install path: Unmeasurably small overhead (microseconds per tar member validation). The dominant cost remains network I/O to GitHub's API and asset download, typically 2–5 seconds depending on network conditions.

---

Import-Time Cost

Two new top-level imports were added:

import copy    # stdlib — already loaded by many deps
import json    # stdlib — already loaded
import tarfile # stdlib — moved from deferred to top-level
import tempfile # stdlib — moved from deferred to top-level

tarfile and tempfile were previously imported lazily inside _download_from_release(). Moving them to the top level adds a tiny constant to every invocation, not just installs.

Measured stdlib import cost (estimate):

Module	Typical import time
tarfile	~1–3 ms (first import)
tempfile	~0.1 ms (first import)
copy	~0.1 ms (first import)
json	~0.2 ms (already cached in CPython)

Since Python caches modules in sys.modules, subsequent calls pay zero extra cost. The first invocation may add ~2–4 ms to startup time — well within the <100 ms startup budget.

---

Summary

Metric	Before	After	Change	Status
CLI startup (typical)	baseline	+~2–4 ms (one-time import)	negligible	✅ Within budget
azlin list	unchanged	unchanged	0%	✅ No regression
azlin connect	unchanged	unchanged	0%	✅ No regression
Binary install (network-bound)	baseline	+<1 ms CPU overhead	negligible	✅ No regression
Memory usage	baseline	+~0 MB	0%	✅ No change

No performance regressions detected. ✅

The import cost of moving tarfile/tempfile to module level is measurable only on a cold first invocation and is dominated by Python startup time itself. All user-facing commands are unaffected.

Generated by CLI Performance Monitor for issue #885

[github-actions]

📊 Test Coverage Report

PR: fix(security): harden tar extraction in rust_bridge against path traversal (#876)
Files Changed: src/azlin/rust_bridge.py (+85/-29 lines), tests/unit/test_rust_bridge.py (+229 lines, new file)

---

✅ Coverage Assessment: Net Positive

This PR introduces a new test file (tests/unit/test_rust_bridge.py, 229 lines) that previously did not exist. The 4 new tests cover the security-critical functions added in this PR with solid depth and catch the most dangerous attack vectors.

---

🔍 What the New Tests Cover

Test	Function(s) Exercised	Branch Coverage
test_filter_data_used_on_python_312_plus	_extract_release_binary, _validate_release_member, _is_release_binary_member	✅ 3.12+ filter path OR pre-3.12 success path
test_path_traversal_rejected	_validate_release_member	✅ .. in parts → SecurityError; foo..bar safe name → no raise
test_symlink_rejected_on_pre_312	_validate_release_member	✅ SYMTYPE + LNKTYPE rejected on pre-3.12; skipped on 3.12+
test_security_error_raised_when_no_binary_in_archive	_extract_release_binary	✅ No matching member → SecurityError at line 83

Lines newly covered in rust_bridge.py (approximate):

Lines	Function	Covered?
33–34	SecurityError class	✅ Yes
40–41	_PY312_PLUS, _DATA_FILTER constants	✅ Yes
44–46	_is_release_binary_member	✅ Yes (via _extract_release_binary)
49–59	_validate_release_member	✅ Yes (path traversal + symlink + absolute path branches)
62–83	_extract_release_binary	✅ Mostly — both extraction branches + SecurityError raise

---

🎯 Still Uncovered in rust_bridge.py (Good Follow-Up Targets)

Lines	Function	Coverage	Priority
52–53	_validate_release_member — backslash (\\) check	⚠️ Not tested	Medium
52–53	_validate_release_member — absolute path (e.g. /etc/passwd)	⚠️ Not tested	Medium
86–102	_platform_suffix	❌ 0% (8 branches)	🟡 Medium — pure function, easy to test
105–116	_is_rust_binary	❌ 0% (subprocess call)	🟡 Medium
119–134	_find_rust_binary	❌ 0%	🟡 Medium
137–204	_download_from_release	❌ 0% (network-dependent)	🔴 Critical path, needs mocking
197–198	_download_from_release — SecurityError handler	❌ 0%	🔴 Security-relevant
207–234	_build_from_source	❌ 0%	🟡 Medium
245–247	_exec_rust — Windows branch	❌ 0%	🟢 Lower (platform-specific)
249	_exec_rust — POSIX os.execvp	❌ 0%	🟡 Medium
252–281	entry	❌ 0%	🔴 Critical entry point

---

📈 Progress Toward 80% Target

• Baseline: ~44% overall coverage
• This PR's contribution: Adds ~18–25 newly covered executable statements in rust_bridge.py out of ~112 total in that file. Given rust_bridge.py's share of the codebase, estimated +0.5–1.5% overall coverage gain ✅
• Overall status: Net positive — no previously-covered lines are removed

Progress bar: 44% ▓░░░░░░░░░░░░░░░░░░░ 80% (est. 35–36pp remaining after merge)

---

💡 Suggested Follow-Up Tests (Highest Impact)

To further improve coverage of rust_bridge.py, consider adding to test_rust_bridge.py:

# 1. Absolute path member rejection (closes the is_absolute() branch gap)
def test_rejects_absolute_path_member(self) -> None:
    member = tarfile.TarInfo(name="/etc/passwd")
    member.type = tarfile.REGTYPE
    with pytest.raises(SecurityError, match="Unsafe archive member rejected"):
        _validate_release_member(member)

# 2. _platform_suffix — pure function, easy to parametrize
`@pytest`.mark.parametrize("system,machine,expected", [
    ("Linux", "x86_64", "linux-x86_64"),
    ("Linux", "aarch64", "linux-aarch64"),
    ("Darwin", "arm64", "macos-aarch64"),
    ("Windows", "AMD64", "windows-x86_64"),
    ("FreeBSD", "x86_64", None),
])
def test_platform_suffix(system, machine, expected, monkeypatch):
    monkeypatch.setattr(platform, "system", lambda: system)
    monkeypatch.setattr(platform, "machine", lambda: machine)
    assert _platform_suffix() == expected

# 3. _extract_release_binary pre-3.12 happy path
def test_extract_succeeds_pre_312_with_valid_member(self, tmp_path, monkeypatch):
    import azlin.rust_bridge as rb
    monkeypatch.setattr(rb, "_PY312_PLUS", False)
    tar_path = _make_tar_gz_file(tmp_path, [("azlin", tarfile.REGTYPE, b"binary")])
    dest = tmp_path / "dest"
    rb._extract_release_binary(str(tar_path), dest)
    assert (dest / "azlin").exists()

Next highest-impact module: After rust_bridge.py, consider adding tests for _platform_suffix() and _is_rust_binary() — both are side-effect-free (with mocking) and would meaningfully improve overall module coverage with minimal test complexity.

---

Verdict

✅ No coverage regression. This PR adds meaningful test coverage for the highest-risk new code paths (path traversal, symlink injection, missing-binary detection). Coverage is net positive.

The security-hardened functions — the most critical new code in this PR — are well-covered. The uncovered functions (_download_from_release, entry) existed before this PR and represent existing coverage debt, not a regression introduced here.

Great work adding security tests alongside the security fix — this is exactly the right pattern. 🎯

Generated by Test Coverage Improvement Tracker for issue #885

[github-actions]

📏 Code Quality Report — PR #885

Overall Quality: 8.4/10 ✅

This PR introduces security hardening for tar extraction in rust_bridge.py. The changes are well-structured, fully typed, and fully documented. One function has elevated complexity that warrants a note.

---

Complexity Analysis

Function	LOC	Cyclomatic Complexity	Assessment
_is_release_binary_member	2	2	✅ Excellent
_validate_release_member	10	5	✅ Acceptable
_extract_release_binary	22	5	✅ Acceptable
_platform_suffix	17	8	⚠️ Dense — consider a lookup dict
_is_rust_binary	12	3	✅ Good
_find_rust_binary	16	5	✅ Acceptable
_download_from_release	68	16	⚠️ High — see note below
_build_from_source	28	5	✅ Acceptable
_exec_rust	8	2	✅ Excellent
entry	30	4	✅ Good

No function exceeds the complexity-20 block threshold. ✅

---

Code Smells

• ✅ No functions exceed 50 lines among the new functions added by this PR (_is_release_binary_member: 2 LOC, _validate_release_member: 10 LOC, _extract_release_binary: 22 LOC).
• ⚠️ _download_from_release is 68 lines (pre-existing; this PR refactored it but kept it as one function). The PR improves it by extracting _extract_release_binary, but the overall function still handles release lookup, download, and cleanup in one body.
• ✅ No functions with >10 parameters (max is 2).
• ✅ No circular imports detected.
• ✅ Max nesting depth is 4 — at the boundary; acceptable for tar iteration logic.

---

Maintainability

Metric	Value	Status
Docstring coverage	100% (10/10 functions)	✅ Excellent
Return type hint coverage	100% (10/10 functions)	✅ Excellent
Parameter type hints	100% of non-self params	✅ Excellent
TODO/FIXME comments	0	✅ Clean
Maintainability index (estimated)	~78/100	✅ Good

---

Technical Debt

• ✅ No TODO/FIXME comments introduced.
• ✅ Removed stale inline import tarfile / import tempfile / import json from inside _download_from_release — moved to module-level imports (cleaner).
• ✅ Removed dead # noqa: S310 comments that were suppressing false positives — replaced with targeted # nosec B310.
• ⚠️ 14 magic strings/numbers present in the file (e.g. "linux", "x86_64", "aarch64", "darwin", "windows", ".tar.gz", "-rust"). These are pre-existing and not introduced by this PR; they are structural constants for platform detection and could be named constants for clarity, but this is a minor style issue, not a blocker.

---

Test Quality

The new test file tests/unit/test_rust_bridge.py (229 lines) is high quality:

Test	LOC	Complexity	Docstring	Coverage Target
test_filter_data_used_on_python_312_plus	37	3	✅	filter='data' on 3.12+
test_path_traversal_rejected	36	2	✅	.. in path parts
test_symlink_rejected_on_pre_312	33	3	✅	symlink/hardlink guard
test_security_error_raised_when_no_binary_in_archive	30	1	✅	missing binary raises

• ✅ 100% docstring coverage on tests.
• ✅ All 4 tests map to specific design spec references (SEC-R-01 through SEC-R-04).
• ✅ Tests correctly use copy.copy(member) semantics rather than mutating TarInfo in-place.
• ✅ test_path_traversal_rejected correctly distinguishes .. as a path component (via PurePosixPath.parts) from .. as a substring — the foo..bar sanity check is a nice defensive touch.

---

Recommendations

1. No blockers. This PR passes all quality thresholds.

2. Minor (non-blocking): Consider splitting _download_from_release into two functions — one that resolves (download_url, version) from the releases API response, and one that performs the download + extract + chmod sequence. Complexity 16 in a single function makes it the hardest function in the module to reason about.

3. Minor (non-blocking): _platform_suffix could use a lookup dict to reduce its cyclomatic complexity from 8 to ~2. Pre-existing issue, not introduced here.

4. Positive note: The use of copy.copy(member) before renaming the TarInfo object (to avoid mutating TarFile internals) is a subtle but correct design choice — well done.

Generated by Code Quality Tracker for issue #885

In general, to fix this issue you should avoid importing the same module with both from module import name and import module in the same file. Choose one style and use it consistently. Since the flagged line is a late import azlin.rust_bridge as rb, the recommended approach is to remove that secondary import and instead access what you need via the existing from azlin.rust_bridge import ... import—either by importing additional names there or by binding a local alias to the module using already-imported functionality.

In this specific case, we only need a module-like object rb inside TestTempFileCleanup.test_temp_file_cleaned_up_on_security_error for monkeypatching attributes and calling _download_from_release() and _platform_suffix(). We can create such an alias without a new import by using Python’s built-in sys.modules mapping, which already contains the loaded azlin.rust_bridge module. Inside the test, replace import azlin.rust_bridge as rb with rb = sys.modules["azlin.rust_bridge"]. This uses the existing top-level import sys and avoids introducing a second import form for the same module, while preserving all current behavior. No other lines in the file need to change.

In general, to fix this type of issue, you remove the redundant import style and stick to one approach: either use from module import name or use import module (optionally aliased), but not both for the same module in the same file. If you still need access to the module or specific attributes, you either import those attributes explicitly at the top or derive them from existing objects.

For this file, the best minimal fix is to remove the inner import azlin.rust_bridge as rb and stop using rb altogether. Instead:

• Use the already-imported SecurityError directly in the test.
• Use pytest.monkeypatch.context() to create a context manager that temporarily sets attributes on the azlin.rust_bridge module during the test. Inside that context, refer to _platform_suffix and _download_from_release directly (they will resolve to the patched attributes on the module).
• This avoids introducing a new top-level import and keeps behavior the same: we still patch MANAGED_BIN_DIR, MANAGED_BIN, _extract_release_binary, and the network calls on the actual azlin.rust_bridge module, and we still call _download_from_release() as before.

Concretely, edit tests/unit/test_rust_bridge_security.py:

• In TestSecurityErrorPropagation.test_security_error_propagates_from_download_handler, delete the line import azlin.rust_bridge as rb.
• Replace uses of rb:
  • The two monkeypatch.setattr calls should be moved inside a with monkeypatch.context() as mp: block, and use mp.setattr("azlin.rust_bridge.MANAGED_BIN_DIR", tmp_path) and likewise for MANAGED_BIN and _extract_release_binary.
  • Change the f-string building the asset name to call _platform_suffix() directly.
  • Change the final call to rb._download_from_release() to _download_from_release().

No new methods or external libraries are required; we just rely on pytest’s monkeypatch.context() and the existing imported symbols from azlin.rust_bridge.

[github-actions]

📊 Test Coverage Report

Coverage Change: 44% → ~45% (+1%) ✅

This PR adds 605 lines of new tests across two new test files (test_rust_bridge.py and test_rust_bridge_security.py) and approximately 34 new executable production lines in rust_bridge.py. The estimated coverage of the newly added code is ~90–97%, which is well above the project average.

---

Newly Covered

File	New Lines	Test Coverage of New Code
src/azlin/rust_bridge.py	~34 executable lines	~90–97% ✅

Functions with strong new test coverage:

• SecurityError exception class — covered by import in all tests
• _is_release_binary_member() — 5 tests covering exact name, path suffix, version prefix, non-matching names
• _validate_release_member() — 8 tests: valid file, absolute path rejection, .. traversal (flat and nested), dotdot-in-filename allowance, symlink/hardlink/device rejection (pre-3.12)
• _extract_release_binary() — 10 tests across both test files: no binary → SecurityError, normalized extraction name, traversal-named binary rejection, symlink rejection, filter='data' on 3.12+, only binary extracted
• _download_from_release() (modified) — 2 tests verifying temp-file cleanup and SecurityError propagation

---

Still Uncovered (Recommended Next Steps)

These areas in rust_bridge.py remain lower-priority but would help push toward the 80% goal:

Area	Lines	Priority
_platform_suffix() platform-mapping logic	~12 lines	🟡 Medium
_find_rust_binary() PATH-search logic	~15 lines	🟡 Medium
main() entry point (exec path + error exit)	~10 lines	🟡 Medium
Network-error branches in _download_from_release()	~5 lines	🟡 Medium

---

Progress Toward 80% Goal

44% ████████████░░░░░░░░░░░░░░░░░░░░░░░░░░░░ → 80%
45% █████████████░░░░░░░░░░░░░░░░░░░░░░░░░░░ (this PR)

Milestone	Target	Status
Month 1	52%	7 points remaining after this PR
Month 2	60%	—
Month 3	68%	—
Month 4	76%	—
Month 5	80%	—

---

Verdict

✅ Coverage improves — no block. This PR contributes positively to the coverage trend.

Thank you for adding comprehensive security tests alongside the hardening! The combination of TestValidateReleaseMember, TestIsReleaseBinaryMember, TestExtractReleaseBinary, TestTempFileCleanup, and TestSecurityErrorPropagation gives excellent confidence in the new extraction logic.

Suggested next area: Consider adding tests for _platform_suffix() and _find_rust_binary() — both are pure/deterministic functions that are straightforward to unit-test and would meaningfully lift overall coverage.

Generated by Test Coverage Improvement Tracker for issue #885

[github-actions]

⚡ Performance Report — PR #885

PR: fix(security): harden tar extraction in rust_bridge against path traversal (#876)
Changed files: src/azlin/rust_bridge.py, tests/unit/test_rust_bridge.py, tests/unit/test_rust_bridge_security.py

---

Performance Impact Assessment

This PR modifies rust_bridge.py — the Python bootstrap that finds/installs the Rust binary and execs into it. This code runs once per azlin invocation during the binary-discovery phase, then the process is replaced by the Rust binary via os.execvp. It is not involved in azlin list, azlin connect, or other command execution paths.

Startup Path Analysis

Phase	Before	After	Delta	Notes
Module-level imports	tarfile, tempfile, json, urllib.error imported lazily inside functions	Imported at module level (top of file)	+~0.5–1ms	Eagerly loads tarfile, tempfile, json, urllib.error on every import azlin.rust_bridge
_PY312_PLUS constant	Computed inline in function	Computed once at import time	0 (negligible)	Tiny positive: avoids repeated sys.version_info comparison
_find_rust_binary() (happy path)	Unchanged	Unchanged	0	When binary already installed, this returns immediately
_extract_release_binary() (first install only)	Iterated members, renamed, called tar.extract()	Iterates members, calls _validate_release_member() + copy.copy(member) + conditional filter="data"	+~0.1–0.5ms per extraction	Extra copy.copy() and path validation per member; runs once at install time only
_download_from_release() error handling	except Exception (broad catch)	except (urllib.error.URLError, OSError) (narrow catch)	0	Equivalent on the happy path; strictly more correct

Critical Observation: Import Overhead (Negligible in Practice)

The move of tarfile, tempfile, json, and urllib.error from lazy imports inside functions to module-level eager imports adds approximately 0.5–1.5ms to import time. However:

• tarfile is a stdlib module with moderate initialization cost (~0.3–0.8ms first load)
• tempfile, json, urllib.error are lightweight (~0.05ms each)
• This overhead is a one-time Python import cost, amortized across the process lifetime
• The Rust binary takes over via os.execvp — the Python startup time is only relevant during the brief bootstrap phase

Verdict: The import overhead is well within the <100ms startup budget.

---

Command Performance Summary

Command	Affected by PR?	Expected Impact	Status
azlin list	No — Rust binary handles this	None	✅ No change
azlin connect	No — Rust binary handles this	None	✅ No change
azlin create	No — Rust binary handles this	None	✅ No change
azlin delete	No — Rust binary handles this	None	✅ No change
First-run binary install	Yes — _extract_release_binary	+0.1–0.5ms	✅ Negligible

---

Memory Usage

Metric	Before	After	Notes
tarfile module memory	Loaded on demand (download path only)	Always loaded at import	+~200–400KB resident when azlin CLI is invoked
Peak during extraction	Unchanged	Unchanged	One binary member is extracted; no buffering change
copy.copy(member)	N/A	~200 bytes per TarInfo copy	Negligible; single object

The additional ~200–400KB for eagerly loading tarfile is acceptable. The module is small and this is a one-time cost.

---

Performance Regression Analysis

No performance regressions detected.

The security hardening adds:

1. A copy.copy() call (nanoseconds)
2. PurePosixPath() construction + is_absolute() + .parts iteration (microseconds)
3. Conditional isfile() check on Python < 3.12 (nanoseconds)

All of these occur only during binary installation (rare, one-time event), not during normal CLI usage.

---

Security vs. Performance Trade-off

This PR correctly prioritizes security over a negligible performance cost. The new validation in _validate_release_member() adds sub-millisecond overhead to a one-time installation step that users run once per machine. The trade-off is entirely justified.

---

Recommendation

✅ No performance concerns. Safe to merge.

The import restructuring is the only measurable change (+0.5–1.5ms startup overhead), and it remains well within the <100ms startup budget. All CLI commands (list, connect, create, delete) are unaffected — they run in the Rust binary and are not touched by this PR.

Generated by CLI Performance Monitor for issue #885

[github-actions]

📏 Code Quality Report — PR #885

Overall Quality: 9.0/10 ✅

Files analyzed: src/azlin/rust_bridge.py (+92 lines), tests/unit/test_rust_bridge.py (new, +229 lines), tests/unit/test_rust_bridge_security.py (new, +376 lines)

---

Complexity Analysis

Function	Cyclomatic Complexity	Lines	Assessment
_platform_suffix	~7	17	⚠️ Moderate — all branches necessary
_download_from_release	~9	64	⚠️ Highest in file — see note below
entry	~5	33	✅ Acceptable
_validate_release_member	~4	25	✅ Acceptable
_extract_release_binary	~4	29	✅ Acceptable
_build_from_source	~4	27	✅ Acceptable
_is_rust_binary	~3	12	✅ Simple
_find_rust_binary	~3	16	✅ Simple
_is_release_binary_member	~2	6	✅ Pure predicate, excellent
_exec_rust	~2	7	✅ Simple

Average CC: ~4.3 — Well within acceptable range. No function exceeds CC 20 ❌ threshold.

Note on _download_from_release (64 lines, CC ~9): This function handles network I/O, release asset search, temp-file lifecycle, extraction, and binary chmod in one place. It passes the blocking threshold (CC <20), but is the best candidate for future decomposition if it grows. The asset-search loop could reasonably be extracted to a helper.

---

Code Smells

Check	Result
Functions > 50 lines	⚠️ _download_from_release: 64 lines
Functions > 10 parameters	✅ None
Nesting depth > 4	✅ None detected
Circular imports	✅ None
Duplicate code blocks	✅ None
Magic numbers/strings	✅ None (timeouts named via context)
extractall() usage	✅ Absent — member-level extract() used correctly

---

Maintainability

Metric	Value	Grade
Return type hints	10/10 (100%)	✅ Excellent
Docstring coverage	~8/10 (80%)	✅ Good
TODO/FIXME debt	0	✅ Clean
Total LOC	300	✅ Focused module
Maintainability Index (est.)	~72–78 / 100	B

Note on docstrings: _is_release_binary_member has a docstring; SecurityError has a one-liner. The two functions without full docstrings are _is_rust_binary (has inline comment) and entry. Not blocking.

---

Technical Debt

Item	Count	Detail
TODO / FIXME comments	0	✅ None
Deprecated API usage	0	✅ None
Bare except Exception	0	✅ Fixed in this PR — now (URLError, OSError)
extractall() (unsafe)	0	✅ Correctly avoided
In-function imports	0	✅ Fixed — json and tarfile moved to top-level

---

Security-Specific Quality (relevant to this PR)

Check	Result
Path traversal guard (PurePosixPath.parts)	✅ Correct — ".." in path.parts, not naive string search
Absolute path guard	✅ Present
Non-regular-file guard (pre-3.12)	✅ Present with version gate
filter='data' on Python ≥ 3.12	✅ Present
Member name normalised before extraction	✅ copy.copy(member) used correctly (SEC-R-03)
One-member extraction (no extractall)	✅ Early return after first match
Temp file cleanup in finally	✅ unlink(missing_ok=True)
SecurityError not swallowed	✅ Only (URLError, OSError) caught
MANAGED_BIN_DIR created with mode=0o700	✅ Missing from mkdir call — see note

⚠️ Minor observation: MANAGED_BIN_DIR.mkdir(parents=True, exist_ok=True) at line 198 does not pass mode=0o700. The PR description states the directory is created with 0o700, but the implementation relies on the system umask. This is a documentation/implementation gap — the effective permissions will vary per environment. Not a blocker given the overall defense-in-depth posture, but worth aligning.

---

Test Quality

Metric	Value
New test files	2
New test cases	21 (17 pass + 4 version-skipped)
Coverage of new code	Security predicates, extraction logic, error paths, temp cleanup, SecurityError propagation
TDD compliance	✅ Tests written before implementation (confirmed by commit history)
Version-gating	✅ skipif used for Python 3.12 boundary correctly
Mock isolation	✅ patch, monkeypatch, MagicMock used appropriately

---

Recommendations

1. _download_from_release length (64 lines) — Consider extracting the release-asset search loop to _find_release_asset(releases, suffix) -> tuple[str, str] | None. Not a blocker at current size.
2. MANAGED_BIN_DIR.mkdir mode — Pass mode=0o700 explicitly to mkdir() to match the documented security intent and make it umask-independent.
3. No blockers found — All functions are well within complexity thresholds, type hints are complete, and the security implementation is correct.

---

Verdict: ✅ PASS — No blocking quality issues. Two minor observations noted above.

Generated by Code Quality Tracker for issue #885