Checklist
What happened?
Two separate correctness gaps in the package validation and query layer:
- Symlink target validation missing (rattler_cache): validate_package_soft_link_entry only checked
  that a path was a symlink. It never inspected the target. This means broken symlinks (dangling
  targets) and symlinks that escape the package root (via ../../ or absolute paths like /etc/passwd)
  were silently accepted as valid.
- features and license_family not parsed in MatchSpec (rattler_conda_types): The bracket-key
  parser contained a TODO comment for these two fields. Any spec using python[license_family=MIT] or
  python[features=feature1] returned InvalidBracketKey instead of populating the field. PackageRecord
  carries both fields, but they could never be matched against.
Additional Context
No response
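The symlink target check described in the first item, sketched as an added example; this is not rattler's code. `LinkError`, `resolve_in_root` and `validate_soft_link` are hypothetical names, and the sketch assumes link paths are recorded relative to the package root.

```rust
use std::fs;
use std::path::{Component, Path, PathBuf};

#[derive(Debug, PartialEq)]
pub enum LinkError {
    NotASymlink,    // entry is missing or is not a symbolic link
    AbsoluteTarget, // target such as /etc/passwd
    EscapesRoot,    // ../ components climb above the package root
    Dangling,       // target stays inside the root but does not exist
}

/// Lexically resolve `target` against the directory that holds `link`.
/// `link` is relative to the package root, and so is the returned path.
pub fn resolve_in_root(link: &Path, target: &Path) -> Result<PathBuf, LinkError> {
    let parent = link.parent().unwrap_or_else(|| Path::new(""));
    let mut resolved = PathBuf::new();
    for comp in parent.components().chain(target.components()) {
        match comp {
            Component::Normal(part) => resolved.push(part),
            Component::CurDir => {}
            // pop() returns false once we are already at the package root.
            Component::ParentDir => {
                if !resolved.pop() {
                    return Err(LinkError::EscapesRoot);
                }
            }
            Component::RootDir | Component::Prefix(_) => return Err(LinkError::AbsoluteTarget),
        }
    }
    Ok(resolved)
}

/// Check one soft-link entry on disk under `root`.
/// Assumption: no intermediate directory inside the package is itself a
/// symlink (a purely lexical walk cannot see that).
pub fn validate_soft_link(root: &Path, link: &Path) -> Result<PathBuf, LinkError> {
    let target = fs::read_link(root.join(link)).map_err(|_| LinkError::NotASymlink)?;
    let resolved = resolve_in_root(link, &target)?;
    // symlink_metadata does not follow links: a link that points at another
    // in-package link passes here, and that entry is validated on its own.
    fs::symlink_metadata(root.join(&resolved)).map_err(|_| LinkError::Dangling)?;
    Ok(resolved)
}

fn main() {
    // Constructed sample entries: (link path in package, symlink target).
    for (link, target) in [("lib/libz.so", "libz.so.1"), ("bin/x", "../../etc/passwd"), ("bin/y", "/etc/passwd")] {
        println!("{} -> {}: {:?}", link, target, resolve_in_root(Path::new(link), Path::new(target)));
    }
}
```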