Validate package files in mix hex.build (#1153)

* Validate package files in mix hex.build

* Temporarily vendor tarball create validation

* Delegate package file validation to hex_core

* Sync root-relative tarball source validation

* Vendor updated hex_core tarball files

Author: ericmj

lib/hex/tar.ex

@@ -14,7 +14,11 @@ defmodule Hex.Tar do
         filename -> String.to_charlist(filename)
       end)
 
-    case :mix_hex_tarball.create(metadata, files) do
+    config =
+      :mix_hex_core.default_config()
+      |> Map.put(:tarball_files_root, File.cwd!() |> String.to_charlist())
+
+    case :mix_hex_tarball.create(metadata, files, config) do
       {:ok, %{tarball: tarball} = result} ->
         if output != :memory, do: File.write!(output, tarball)
         result

src/mix_hex_core.erl

@@ -68,6 +68,11 @@
 %% * `tarball_max_uncompressed_size' - Maximum size of uncompressed package tarball, defaults to
 %%   `134_217_728' (128 MiB). Set to `infinity' to not enforce the limit.
 %%
+%% * `tarball_files_root' - Root directory for source files when creating tarballs.
+%%   Required for filesystem source paths, which must be relative and must resolve inside
+%%   this root after following symlinks. Set to `undefined' when all tarball contents are
+%%   provided as binaries and no filesystem source paths are used (default: `undefined').
+%%
 %% * `docs_tarball_max_size' - Maximum size of docs tarball, defaults to
 %%   `16_777_216' (16 MiB). Set to `infinity' to not enforce the limit.
 %%
@@ -110,6 +115,7 @@
     repo_verify => boolean(),
     repo_verify_origin => boolean(),
     send_100_continue => boolean(),
+    tarball_files_root => file:filename() | undefined,
     tarball_max_size => pos_integer() | infinity,
     tarball_max_uncompressed_size => pos_integer() | infinity,
     docs_tarball_max_size => pos_integer() | infinity,
@@ -136,6 +142,7 @@ default_config() ->
         repo_verify => true,
         repo_verify_origin => true,
         send_100_continue => true,
+        tarball_files_root => undefined,
         tarball_max_size => 16 * 1024 * 1024,
         tarball_max_uncompressed_size => 128 * 1024 * 1024,
         docs_tarball_max_size => 16 * 1024 * 1024,