Skip to content

fix(microsoft-fast-build): add depth limit and symlink guard to locator walk#7416

Merged
janechu merged 6 commits intomainfrom
users/janechu/fix/fast-build-locator-depth-limit
Apr 9, 2026
Merged

fix(microsoft-fast-build): add depth limit and symlink guard to locator walk#7416
janechu merged 6 commits intomainfrom
users/janechu/fix/fast-build-locator-depth-limit

Conversation

@janechu
Copy link
Copy Markdown
Collaborator

@janechu janechu commented Apr 9, 2026
edited
Loading

Pull Request

📖 Description

walk_html_files in locator.rs previously recursed into directories without any depth limit and followed symlinks unconditionally. On a filesystem with symlink cycles this would loop forever; on an unusually deep directory tree it risked a stack overflow.

  • Introduces MAX_DIR_DEPTH = 50. The walk returns silently (without error) once this depth is exceeded.
  • Splits walk_html_files into a thin public wrapper and a private walk_html_files_inner that carries the current depth counter.
  • Skips symlinks via path.is_symlink() before recursing, breaking any cycle at its first back-edge.

DESIGN.md (from_patterns section) and README.md (Locator setup section) updated to document the 50-level limit and symlink behaviour.

📑 Test Plan

All existing tests pass. The locator tests exercise glob pattern scanning across the tests/fixtures/ directory.

✅ Checklist

General

  • I have included a change request file using $ npm run change
  • I have added tests for my changes.
  • I have tested my changes.
  • I have updated the project documentation to reflect my changes.
  • I have read the CONTRIBUTING documentation and followed the standards for this project.

@janechu
fix(microsoft-fast-build): add depth limit and symlink guard to locat…
474dd9c 
…or walk

walk_html_files previously recurse into directories without limit and
followed symlinks unconditionally. On a filesystem with symlink cycles this
would loop forever; on an unusually deep directory tree it risked a stack
overflow.

Changes:
- Introduce MAX_DIR_DEPTH = 50 constant. The walk returns early (without
  error) once this depth is exceeded.
- Split walk_html_files into a thin public wrapper and a private
  walk_html_files_inner that carries the depth counter.
- Skip symlinks via path.is_symlink() before recursing, breaking any
  cycle at its first back-edge.

Updated DESIGN.md (from_patterns section) and README.md (Locator setup
section) to document the 50-level depth limit and symlink behaviour.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@janechu janechu marked this pull request as ready for review April 9, 2026 17:30
@janechu janechu requested a review from Copilot April 9, 2026 17:32
Copilot AI reviewed Apr 9, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds safeguards to @microsoft/fast-build’s Locator filesystem scan to avoid infinite recursion on symlink cycles and cap recursion depth, with accompanying documentation updates.

Changes:

  • Add MAX_DIR_DEPTH and a depth-tracking inner walk to bound recursive directory traversal.
  • Skip symlink entries during the directory walk to avoid symlink-cycle loops.
  • Document the depth limit and symlink behavior in README and DESIGN docs.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File Description
crates/microsoft-fast-build/src/locator.rs Introduces a max-depth guard and symlink skipping in the recursive HTML file walker.
crates/microsoft-fast-build/README.md Documents the recursion depth limit and symlink-skipping behavior for Locator::from_patterns.
crates/microsoft-fast-build/DESIGN.md Updates from_patterns design notes to reflect the bounded walk and symlink handling.

janechu and others added 4 commits April 9, 2026 10:59
@janechu
fix: address review comments on locator depth limit PR
1026774 
- Use entry.file_type()? instead of path.is_symlink() + path.is_dir()
  to avoid extra syscalls and TOCTOU window
- Add locator_walk test suite with 4 tests:
  - depth within limit is discovered (depth 10)
  - depth beyond limit is NOT discovered (depth 52)
  - symlinked directories are skipped
  - symlink cycles terminate without hanging

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@janechu
chore: update Cargo.lock for tempfile dev-dependency
3d90806 
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@janechu
Merge branch 'main' into users/janechu/fix/fast-build-locator-depth-l…
b0ec742 
…imit
@janechu
Merge branch 'main' into users/janechu/fix/fast-build-locator-depth-l…
124fdfa 
…imit
@janechu janechu merged commit 998f795 into main Apr 9, 2026
12 of 14 checks passed
@janechu janechu deleted the users/janechu/fix/fast-build-locator-depth-limit branch April 9, 2026 19:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@chrisdholt chrisdholt Awaiting requested review from chrisdholt chrisdholt is a code owner

@radium-v radium-v Awaiting requested review from radium-v radium-v is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@janechu