merge release to master#1314
Merged
Merged
Conversation
…npack5Async) Agent-Logs-Url: https://github.com/adamhathcock/sharpcompress/sessions/7f2fcb59-4a41-4b27-ab32-17afec510b5e Co-authored-by: adamhathcock <527620+adamhathcock@users.noreply.github.com>
…sync-api Fix sync methods called in async RAR unpacker paths (Unpack29Async, U…
…to-master # Conflicts: # src/SharpCompress/Common/ExtractionMethods.Async.cs # src/SharpCompress/Common/ExtractionMethods.cs
Contributor
There was a problem hiding this comment.
Pull request overview
This PR merges release changes into master, focusing on tightening extraction path traversal protections (Zip Slip) and improving async behavior in the RAR unpackers, with new/expanded tests to prevent regressions.
Changes:
- Refactors extraction helpers to centralize destination-path normalization and “stay within destination directory” enforcement.
- Updates RAR (V1 + V2017) async unpack paths to use async buffer/table operations and adds new async-read correctness tests.
- Adds new security tests covering directory/file traversal attempts across multiple extraction APIs.
Reviewed changes
Copilot reviewed 34 out of 34 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| tests/SharpCompress.Test/Security/ZipSlip.cs | Adds a Zip Slip regression test using malicious ZIP directory entries. |
| tests/SharpCompress.Test/Security/ExtractionPathTraversalTests.cs | Adds theory-based traversal tests across Reader/Archive sync+async APIs. |
| tests/SharpCompress.Test/Rar/RarReaderAsyncTests.cs | Adds test ensuring async RAR reader doesn’t use sync stream operations. |
| tests/SharpCompress.Test/Rar/RarArchiveTests.cs | Adds sync coverage for recently changed RAR unpackers. |
| tests/SharpCompress.Test/Rar/RarArchiveAsyncTests.cs | Adds async coverage for recently changed RAR unpackers. |
| tests/SharpCompress.Test/packages.lock.json | Updates locked dependencies/RID-specific sections for the test project. |
| tests/SharpCompress.Test/Mocks/AsyncOnlyStream.cs | Refactors wrapper to a primary-constructor form (used by async I/O tests). |
| src/SharpCompress/Utility.cs | Introduces Utility.PathComparison for OS-appropriate path comparisons. |
| src/SharpCompress/Readers/IReaderExtensions.cs | Routes reader extraction through the new entry-based extraction helpers. |
| src/SharpCompress/Readers/IAsyncReaderExtensions.cs | Routes async reader extraction through new entry-based async helpers; adjusts file-open callback usage. |
| src/SharpCompress/IO/AsyncBinaryReader.cs | Minor expression-bodied refactor for async read/skip helpers. |
| src/SharpCompress/Compressors/Rar/UnpackV2017/Unpack.unpack20_async.cs | Converts final table/buffer operations to async equivalents and adds async last-table read helper. |
| src/SharpCompress/Compressors/Rar/UnpackV2017/Unpack.unpack15_async.cs | Updates buffer flush calls to async. |
| src/SharpCompress/Compressors/Rar/UnpackV2017/Unpack.cs | Replaces Char property with ReadChar() and adds ReadCharAsync(...). |
| src/SharpCompress/Compressors/Rar/UnpackV1/Unpack50.Async.cs | Switches table/filter/buffer operations to async equivalents. |
| src/SharpCompress/Compressors/Rar/UnpackV1/Unpack20.Async.cs | Converts last-table read and buffer write to async equivalents. |
| src/SharpCompress/Compressors/Rar/UnpackV1/Unpack15.Async.cs | Updates buffer flush calls to async. |
| src/SharpCompress/Compressors/Rar/UnpackV1/Unpack.cs | Replaces Char property with ReadChar(). |
| src/SharpCompress/Compressors/Rar/UnpackV1/Unpack.Async.cs | Adds async implementations for tables/end-of-block/VM code paths and PPM interactions. |
| src/SharpCompress/Compressors/Rar/IRarUnpack.cs | Updates interface to expose ReadChar() + ReadCharAsync(...) instead of Char. |
| src/SharpCompress/Compressors/PPMd/H/RangeCoder.cs | Adds async initialization and moves to ReadChar/ReadCharAsync model. |
| src/SharpCompress/Compressors/PPMd/H/ModelPPM.cs | Adds DecodeInitAsync(...) and updates sync init to use ReadChar(). |
| src/SharpCompress/Common/Rar/AsyncMarkingBinaryReader.cs | Wraps incomplete-read failures with clearer InvalidFormatException message. |
| src/SharpCompress/Common/IEntryExtensions.cs | Adds entry-based sync extraction helpers with centralized destination-path checks. |
| src/SharpCompress/Common/IEntryExtensions.Async.cs | Adds entry-based async extraction helpers matching sync behavior/validation. |
| src/SharpCompress/Common/DirectoryManagement.cs | New helper for destination directory normalization + traversal enforcement. |
| src/SharpCompress/Archives/IAsyncArchiveExtensions.cs | Uses new entry extraction core to handle dirs/files consistently and enforce traversal checks. |
| src/SharpCompress/Archives/IArchiveExtensions.cs | Same as async: uses new entry extraction core for consistent validation. |
| src/SharpCompress/Archives/IArchiveEntryExtensions.cs | Re-routes archive-entry extraction APIs through new entry-based helpers. |
| src/SharpCompress/Common/ExtractionMethods.cs | Removed; functionality moved into IEntryExtensions + DirectoryManagement. |
| src/SharpCompress/Common/ExtractionMethods.Async.cs | Removed; functionality moved into IEntryExtensions.Async + DirectoryManagement. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
This was referenced May 28, 2026
tonycknight
pushed a commit
to tonycknight/microbroker
that referenced
this pull request
May 31, 2026
Updated [SharpCompress](https://github.com/adamhathcock/sharpcompress) from 0.48.1 to 0.49.0. <details> <summary>Release notes</summary> _Sourced from [SharpCompress's releases](https://github.com/adamhathcock/sharpcompress/releases)._ ## 0.49.0 This should contain a lot of write async fixes and some breaking API changes that fix previous broke `net48` usage ## What's Changed * Rename IWriteableArchiveFactory.cs to IWritableArchiveFactory.cs by @Copilot in adamhathcock/sharpcompress#1244 * Some API clean up from GPT 5.4 by @adamhathcock in adamhathcock/sharpcompress#1243 * Release to master by @adamhathcock in adamhathcock/sharpcompress#1267 * Fix three BLAKE2sp correctness bugs and eliminate allocations in hot path by @coderb in adamhathcock/sharpcompress#1266 * Corrected async examples. by @dlemstra in adamhathcock/sharpcompress#1277 * Fix setting invalid access time fails extraction by @aromaa in adamhathcock/sharpcompress#1279 * Fix incorrect code examples in docs for sync/async usage by @Copilot in adamhathcock/sharpcompress#1280 * Replace APPNOTE.TXT contents with reference link note by @puk06 in adamhathcock/sharpcompress#1286 * Release to Master by @adamhathcock in adamhathcock/sharpcompress#1274 * update docs for tar gap analysis and XZ usage by @adamhathcock in adamhathcock/sharpcompress#1288 * Add a PooledMemoryStream to avoid allocating by @adamhathcock in adamhathcock/sharpcompress#1275 * fix: Change LeaveStreamOpen default from true to false by @puk06 in adamhathcock/sharpcompress#1293 * Fix usage of ReaderOptions and pre-defined values by @adamhathcock in adamhathcock/sharpcompress#1295 * Enforce seekable, readable and writable on streams by @adamhathcock in adamhathcock/sharpcompress#1297 * Add ArchiveInformation record for consolidated archive detection and capability inspection by @Copilot in adamhathcock/sharpcompress#1299 * merge release to master by @adamhathcock in adamhathcock/sharpcompress#1314 * Some clean up and test clean up by @adamhathcock in adamhathcock/sharpcompress#1321 * Finish Write Async by @adamhathcock in adamhathcock/sharpcompress#1323 * More complete Tar implementation: USTAR, PAX, etc. by @adamhathcock in adamhathcock/sharpcompress#1289 * Add Polysharp and adjustments that do not break legacy frameworks by @adamhathcock in adamhathcock/sharpcompress#1330 * Fix null `IVolume.FileName` for single-volume file-based archives by @Copilot in adamhathcock/sharpcompress#1333 * Add skills by @adamhathcock in adamhathcock/sharpcompress#1332 * add AOT smoke and missing tests by @adamhathcock in adamhathcock/sharpcompress#1334 ## New Contributors * @dlemstra made their first contribution in adamhathcock/sharpcompress#1277 * @aromaa made their first contribution in adamhathcock/sharpcompress#1279 * @puk06 made their first contribution in adamhathcock/sharpcompress#1286 **Full Changelog**: adamhathcock/sharpcompress@0.48.1...0.49.0 ## 0.49.0-beta.140 ## What's Changed * Add Polysharp and adjustments that do not break legacy frameworks by @adamhathcock in adamhathcock/sharpcompress#1330 **Full Changelog**: adamhathcock/sharpcompress@0.49.0-beta.136...0.49.0-beta.140 ## 0.49.0-beta.136 ## What's Changed * Rename IWriteableArchiveFactory.cs to IWritableArchiveFactory.cs by @Copilot in adamhathcock/sharpcompress#1244 * Some API clean up from GPT 5.4 by @adamhathcock in adamhathcock/sharpcompress#1243 * Release to master by @adamhathcock in adamhathcock/sharpcompress#1267 * Fix three BLAKE2sp correctness bugs and eliminate allocations in hot path by @coderb in adamhathcock/sharpcompress#1266 * Corrected async examples. by @dlemstra in adamhathcock/sharpcompress#1277 * Fix setting invalid access time fails extraction by @aromaa in adamhathcock/sharpcompress#1279 * Fix incorrect code examples in docs for sync/async usage by @Copilot in adamhathcock/sharpcompress#1280 * Replace APPNOTE.TXT contents with reference link note by @puk06 in adamhathcock/sharpcompress#1286 * Release to Master by @adamhathcock in adamhathcock/sharpcompress#1274 * update docs for tar gap analysis and XZ usage by @adamhathcock in adamhathcock/sharpcompress#1288 * Add a PooledMemoryStream to avoid allocating by @adamhathcock in adamhathcock/sharpcompress#1275 * fix: Change LeaveStreamOpen default from true to false by @puk06 in adamhathcock/sharpcompress#1293 * Fix usage of ReaderOptions and pre-defined values by @adamhathcock in adamhathcock/sharpcompress#1295 * Enforce seekable, readable and writable on streams by @adamhathcock in adamhathcock/sharpcompress#1297 * Add ArchiveInformation record for consolidated archive detection and capability inspection by @Copilot in adamhathcock/sharpcompress#1299 * merge release to master by @adamhathcock in adamhathcock/sharpcompress#1314 * Some clean up and test clean up by @adamhathcock in adamhathcock/sharpcompress#1321 * Finish Write Async by @adamhathcock in adamhathcock/sharpcompress#1323 * More complete Tar implementation: USTAR, PAX, etc. by @adamhathcock in adamhathcock/sharpcompress#1289 ## New Contributors * @dlemstra made their first contribution in adamhathcock/sharpcompress#1277 * @aromaa made their first contribution in adamhathcock/sharpcompress#1279 * @puk06 made their first contribution in adamhathcock/sharpcompress#1286 **Full Changelog**: adamhathcock/sharpcompress@0.48.1...0.49.0-beta1 Commits viewable in [compare view](adamhathcock/sharpcompress@0.48.1...0.49.0). </details> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
This was referenced May 31, 2026
tonycknight
pushed a commit
to tonycknight/discorss
that referenced
this pull request
Jun 1, 2026
Updated [SharpCompress](https://github.com/adamhathcock/sharpcompress) from 0.48.1 to 0.49.1. <details> <summary>Release notes</summary> _Sourced from [SharpCompress's releases](https://github.com/adamhathcock/sharpcompress/releases)._ ## 0.49.1 ## What's Changed * Close writable entry streams during async archive disposal by @Copilot in adamhathcock/sharpcompress#1338 * Restore `WriteToDirectoryAsync` progress callbacks for solid 7z archives by @Copilot in adamhathcock/sharpcompress#1340 * Try to fix global.json to avoid churn in locks by @adamhathcock in adamhathcock/sharpcompress#1341 * Fix tar archive enumeration after fully reading entry streams by @adamhathcock in adamhathcock/sharpcompress#1342 **Full Changelog**: adamhathcock/sharpcompress@0.49.0...0.49.1 ## 0.49.0 This should contain a lot of write async fixes and some breaking API changes that fix previous broke `net48` usage ## What's Changed * Rename IWriteableArchiveFactory.cs to IWritableArchiveFactory.cs by @Copilot in adamhathcock/sharpcompress#1244 * Some API clean up from GPT 5.4 by @adamhathcock in adamhathcock/sharpcompress#1243 * Release to master by @adamhathcock in adamhathcock/sharpcompress#1267 * Fix three BLAKE2sp correctness bugs and eliminate allocations in hot path by @coderb in adamhathcock/sharpcompress#1266 * Corrected async examples. by @dlemstra in adamhathcock/sharpcompress#1277 * Fix setting invalid access time fails extraction by @aromaa in adamhathcock/sharpcompress#1279 * Fix incorrect code examples in docs for sync/async usage by @Copilot in adamhathcock/sharpcompress#1280 * Replace APPNOTE.TXT contents with reference link note by @puk06 in adamhathcock/sharpcompress#1286 * Release to Master by @adamhathcock in adamhathcock/sharpcompress#1274 * update docs for tar gap analysis and XZ usage by @adamhathcock in adamhathcock/sharpcompress#1288 * Add a PooledMemoryStream to avoid allocating by @adamhathcock in adamhathcock/sharpcompress#1275 * fix: Change LeaveStreamOpen default from true to false by @puk06 in adamhathcock/sharpcompress#1293 * Fix usage of ReaderOptions and pre-defined values by @adamhathcock in adamhathcock/sharpcompress#1295 * Enforce seekable, readable and writable on streams by @adamhathcock in adamhathcock/sharpcompress#1297 * Add ArchiveInformation record for consolidated archive detection and capability inspection by @Copilot in adamhathcock/sharpcompress#1299 * merge release to master by @adamhathcock in adamhathcock/sharpcompress#1314 * Some clean up and test clean up by @adamhathcock in adamhathcock/sharpcompress#1321 * Finish Write Async by @adamhathcock in adamhathcock/sharpcompress#1323 * More complete Tar implementation: USTAR, PAX, etc. by @adamhathcock in adamhathcock/sharpcompress#1289 * Add Polysharp and adjustments that do not break legacy frameworks by @adamhathcock in adamhathcock/sharpcompress#1330 * Fix null `IVolume.FileName` for single-volume file-based archives by @Copilot in adamhathcock/sharpcompress#1333 * Add skills by @adamhathcock in adamhathcock/sharpcompress#1332 * add AOT smoke and missing tests by @adamhathcock in adamhathcock/sharpcompress#1334 ## New Contributors * @dlemstra made their first contribution in adamhathcock/sharpcompress#1277 * @aromaa made their first contribution in adamhathcock/sharpcompress#1279 * @puk06 made their first contribution in adamhathcock/sharpcompress#1286 **Full Changelog**: adamhathcock/sharpcompress@0.48.1...0.49.0 ## 0.49.0-beta.140 ## What's Changed * Add Polysharp and adjustments that do not break legacy frameworks by @adamhathcock in adamhathcock/sharpcompress#1330 **Full Changelog**: adamhathcock/sharpcompress@0.49.0-beta.136...0.49.0-beta.140 ## 0.49.0-beta.136 ## What's Changed * Rename IWriteableArchiveFactory.cs to IWritableArchiveFactory.cs by @Copilot in adamhathcock/sharpcompress#1244 * Some API clean up from GPT 5.4 by @adamhathcock in adamhathcock/sharpcompress#1243 * Release to master by @adamhathcock in adamhathcock/sharpcompress#1267 * Fix three BLAKE2sp correctness bugs and eliminate allocations in hot path by @coderb in adamhathcock/sharpcompress#1266 * Corrected async examples. by @dlemstra in adamhathcock/sharpcompress#1277 * Fix setting invalid access time fails extraction by @aromaa in adamhathcock/sharpcompress#1279 * Fix incorrect code examples in docs for sync/async usage by @Copilot in adamhathcock/sharpcompress#1280 * Replace APPNOTE.TXT contents with reference link note by @puk06 in adamhathcock/sharpcompress#1286 * Release to Master by @adamhathcock in adamhathcock/sharpcompress#1274 * update docs for tar gap analysis and XZ usage by @adamhathcock in adamhathcock/sharpcompress#1288 * Add a PooledMemoryStream to avoid allocating by @adamhathcock in adamhathcock/sharpcompress#1275 * fix: Change LeaveStreamOpen default from true to false by @puk06 in adamhathcock/sharpcompress#1293 * Fix usage of ReaderOptions and pre-defined values by @adamhathcock in adamhathcock/sharpcompress#1295 * Enforce seekable, readable and writable on streams by @adamhathcock in adamhathcock/sharpcompress#1297 * Add ArchiveInformation record for consolidated archive detection and capability inspection by @Copilot in adamhathcock/sharpcompress#1299 * merge release to master by @adamhathcock in adamhathcock/sharpcompress#1314 * Some clean up and test clean up by @adamhathcock in adamhathcock/sharpcompress#1321 * Finish Write Async by @adamhathcock in adamhathcock/sharpcompress#1323 * More complete Tar implementation: USTAR, PAX, etc. by @adamhathcock in adamhathcock/sharpcompress#1289 ## New Contributors * @dlemstra made their first contribution in adamhathcock/sharpcompress#1277 * @aromaa made their first contribution in adamhathcock/sharpcompress#1279 * @puk06 made their first contribution in adamhathcock/sharpcompress#1286 **Full Changelog**: adamhathcock/sharpcompress@0.48.1...0.49.0-beta1 Commits viewable in [compare view](adamhathcock/sharpcompress@0.48.1...0.49.1). </details> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
This was referenced Jun 1, 2026
Merged
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.