Merge branch 'main' into date-positional-set-format

aguimaraes · web-flow · commit ee67c4a20fe4 · 2026-05-05T18:53:38.000-04:00
diff --git a/.github/workflows/benchmarks.yml b/.github/workflows/benchmarks.yml
@@ -48,6 +48,7 @@ jobs:
           uu_shuf,
           uu_sort,
           uu_split,
+          uu_tee,
           uu_timeout,
           uu_tsort,
           uu_unexpand,
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -430,7 +430,7 @@ memchr = "2.7.2"
 memmap2 = "0.9.4"
 nix = { version = "0.31.2", default-features = false }
 nom = "8.0.0"
-notify = { version = "=8.2.0", features = ["macos_kqueue"] }
+notify = { version = "8.2.0", features = ["macos_kqueue"] }
 num-bigint = "0.4.4"
 num-prime = "0.5.0"
 num-traits = "0.2.19"
diff --git a/renovate.json b/renovate.json
@@ -1,6 +1,5 @@
 {
 	"extends": [
 		"config:recommended"
-	],
-	"updatePinnedDependencies": false
+	]
 }
diff --git a/src/uu/chmod/src/chmod.rs b/src/uu/chmod/src/chmod.rs
@@ -519,9 +519,18 @@ impl Chmoder {
                     .handle_symlink_during_safe_recursion(&entry_path, dir_fd, &entry_name)
                     .and(r);
             } else {
-                // For regular files and directories, chmod them
+                // For regular files and directories, chmod them.
+                // Always use NoFollow: we already confirmed via stat that the entry
+                // is not a symlink, so this prevents TOCTOU races where an attacker
+                // replaces the entry with a symlink between stat and chmod.
                 r = self
-                    .safe_chmod_file(&entry_path, dir_fd, &entry_name, meta.mode() & 0o7777)
+                    .safe_chmod_file(
+                        &entry_path,
+                        dir_fd,
+                        &entry_name,
+                        meta.mode() & 0o7777,
+                        SymlinkBehavior::NoFollow,
+                    )
                     .and(r);
 
                 // Recurse into subdirectories using the existing directory fd
@@ -555,13 +564,23 @@ impl Chmoder {
         // During recursion, determine behavior based on traversal mode
         match self.traverse_symlinks {
             TraverseSymlinks::All => {
-                // Follow all symlinks during recursion
+                // Follow all symlinks during recursion.
+                // NOTE: This path-based stat + Follow is only reachable when the user
+                // explicitly specifies -L (--dereference). In that case the user has
+                // consciously opted in to following symlinks, so a path-based stat
+                // followed by Follow is the intended behavior and not a TOCTOU concern.
                 // Check if the symlink target is a directory, but handle dangling symlinks gracefully
                 match fs::metadata(path) {
                     Ok(meta) if meta.is_dir() => self.walk_dir_with_context(path, false),
                     Ok(meta) => {
                         // It's a file symlink, chmod it using safe traversal
-                        self.safe_chmod_file(path, dir_fd, entry_name, meta.mode() & 0o7777)
+                        self.safe_chmod_file(
+                            path,
+                            dir_fd,
+                            entry_name,
+                            meta.mode() & 0o7777,
+                            self.dereference.into(),
+                        )
                     }
                     Err(_) => {
                         // Dangling symlink, chmod it without dereferencing
@@ -584,13 +603,13 @@ impl Chmoder {
         dir_fd: &DirFd,
         entry_name: &std::ffi::OsStr,
         current_mode: u32,
+        symlink_behavior: SymlinkBehavior,
     ) -> UResult<()> {
         // Calculate the new mode using the helper method
         let (new_mode, _) = self.calculate_new_mode(current_mode, file_path.is_dir())?;
 
         // Use safe traversal to change the mode
-        let follow_symlinks = self.dereference;
-        if let Err(_e) = dir_fd.chmod_at(entry_name, new_mode, follow_symlinks.into()) {
+        if let Err(_e) = dir_fd.chmod_at(entry_name, new_mode, symlink_behavior) {
             if self.verbose {
                 println!(
                     "failed to change mode of {} to {new_mode:o}",
diff --git a/src/uu/nohup/src/nohup.rs b/src/uu/nohup/src/nohup.rs
@@ -137,42 +137,29 @@ fn replace_fds() -> UResult<()> {
 }
 
 fn find_stdout() -> UResult<File> {
-    match OpenOptions::new()
-        .create(true)
-        .append(true)
-        .open(Path::new(NOHUP_OUT))
-    {
-        Ok(t) => {
-            show_error!(
-                "{}",
-                translate!("nohup-ignoring-input-appending-output", "path" => NOHUP_OUT.quote())
-            );
-            Ok(t)
-        }
-        Err(e1) => {
-            let Ok(home) = env::var("HOME") else {
-                return Err(NohupError::OpenFailed(*FAILURE_CODE, e1).into());
-            };
-            let mut homeout = PathBuf::from(home);
-            homeout.push(NOHUP_OUT);
-            let homeout_str = homeout.to_str().unwrap();
-            match OpenOptions::new().create(true).append(true).open(&homeout) {
-                Ok(t) => {
-                    show_error!(
-                        "{}",
-                        translate!("nohup-ignoring-input-appending-output", "path" => homeout_str.quote())
-                    );
-                    Ok(t)
-                }
-                Err(e2) => {
-                    Err(
-                        NohupError::OpenFailed2(*FAILURE_CODE, e1, homeout_str.to_string(), e2)
-                            .into(),
-                    )
-                }
-            }
-        }
-    }
+    try_open_nohup_file(NOHUP_OUT).or_else(|e1| {
+        let Ok(home) = env::var("HOME") else {
+            return Err(NohupError::OpenFailed(*FAILURE_CODE, e1).into());
+        };
+
+        let home_out = PathBuf::from(home).join(NOHUP_OUT);
+        let home_out = home_out.to_str().unwrap();
+
+        try_open_nohup_file(home_out).map_err(|e2| {
+            NohupError::OpenFailed2(*FAILURE_CODE, e1, home_out.to_string(), e2).into()
+        })
+    })
+}
+
+fn try_open_nohup_file(path: &str) -> std::io::Result<File> {
+    let file = OpenOptions::new().create(true).append(true).open(path)?;
+
+    show_error!(
+        "{}",
+        translate!("nohup-ignoring-input-appending-output", "path" => path.quote())
+    );
+
+    Ok(file)
 }
 
 #[cfg(target_vendor = "apple")]
diff --git a/src/uu/tee/Cargo.toml b/src/uu/tee/Cargo.toml
@@ -24,9 +24,17 @@ clap = { workspace = true }
 uucore = { workspace = true, features = ["libc", "parser", "signals"] }
 fluent = { workspace = true }
 
-[target.'cfg(unix)'.dev-dependencies]
-rustix = { workspace = true }
+[dev-dependencies]
+divan = { workspace = true }
+rustix = { workspace = true, features = ["stdio", "fs"] }
+tempfile = { workspace = true }
+uucore = { workspace = true, features = ["benchmark"] }
 
 [[bin]]
 name = "tee"
 path = "src/main.rs"
+
+
+[[bench]]
+name = "tee_bench"
+harness = false
diff --git a/src/uu/tee/benches/tee_bench.rs b/src/uu/tee/benches/tee_bench.rs
@@ -0,0 +1,27 @@
+#[cfg(unix)]
+use divan::{Bencher, black_box};
+#[cfg(unix)]
+use uu_tee::uumain;
+#[cfg(unix)]
+use uucore::benchmark::{run_util_function, setup_test_file};
+
+#[cfg(unix)]
+#[divan::bench(args = [10_000_000])]
+fn tee_stdin_file(bencher: Bencher, size_bytes: usize) {
+    let data = vec![b'a'; size_bytes];
+    let file_path = setup_test_file(&data);
+    let file = std::fs::File::open(file_path).unwrap();
+    let stdin_bak = rustix::io::dup(rustix::stdio::stdin()).unwrap();
+
+    bencher.bench_local(|| {
+        use rustix::stdio::dup2_stdin;
+        rustix::fs::seek(&file, rustix::fs::SeekFrom::Start(0)).unwrap();
+        dup2_stdin(&file).unwrap(); // should be 1 thread
+        black_box(run_util_function(uumain, &[]));
+        dup2_stdin(&stdin_bak).unwrap(); // should be 1 thread
+    });
+}
+
+fn main() {
+    divan::main();
+}
diff --git a/src/uu/yes/src/yes.rs b/src/uu/yes/src/yes.rs
@@ -9,14 +9,13 @@ use clap::{Arg, ArgAction, Command, builder::ValueParser};
 use std::ffi::OsString;
 use std::io::{self, Write};
 use uucore::error::{UResult, USimpleError, strip_errno};
-use uucore::format_usage;
-use uucore::translate;
+#[cfg(any(target_os = "linux", target_os = "android"))]
+use uucore::pipes::MAX_ROOTLESS_PIPE_SIZE;
+use uucore::{format_usage, translate};
 
 #[cfg(any(target_os = "linux", target_os = "android"))]
 const PAGE_SIZE: usize = 4096;
 #[cfg(any(target_os = "linux", target_os = "android"))]
-use uucore::pipes::MAX_ROOTLESS_PIPE_SIZE;
-#[cfg(any(target_os = "linux", target_os = "android"))]
 const BUF_SIZE: usize = MAX_ROOTLESS_PIPE_SIZE;
 // it's possible that using a smaller or larger buffer might provide better performance
 #[cfg(not(any(target_os = "linux", target_os = "android")))]
@@ -116,6 +115,7 @@ pub fn exec(mut bytes: Vec<u8>) -> io::Result<()> {
 #[cfg(any(target_os = "linux", target_os = "android"))]
 pub fn exec(mut bytes: Vec<u8>) -> io::Result<()> {
     use uucore::pipes::{pipe, splice, tee};
+
     let aligned = PAGE_SIZE.is_multiple_of(bytes.len());
     repeat_content_to_capacity(&mut bytes);
     let bytes = bytes.as_slice();
diff --git a/src/uucore/src/lib/features/safe_traversal.rs b/src/uucore/src/lib/features/safe_traversal.rs
diff --git a/util/check-safe-traversal.sh b/util/check-safe-traversal.sh

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,5 @@`
`1`	`1`	`{`
`2`	`2`	`"extends": [`
`3`	`3`	`"config:recommended"`
`4`		`- ],`
`5`		`- "updatePinnedDependencies": false`
	`4`	`+ ]`
`6`	`5`	`}`