Fix Cargo config file fetching from parent directories (#13790)

a-schur · web-flow · commit 130dbb9e1067 · 2026-01-05T22:58:58.000-06:00
Cargo searches for .cargo/config.toml hierarchically from the current directory up to the repository root. This fix implements the parent directory search functionality to properly locate config files that exist in parent directories. The implementation walks up the directory tree from the job directory, trying to fetch .cargo/config.toml (and the legacy .cargo/config) from each parent level until one is found or the repository root is reached. Closes #13523
diff --git a/cargo/lib/dependabot/cargo/file_fetcher.rb b/cargo/lib/dependabot/cargo/file_fetcher.rb
@@ -14,7 +14,7 @@
 # https://doc.rust-lang.org/cargo/reference/manifest.html#the-workspace-section
 module Dependabot
   module Cargo
-    class FileFetcher < Dependabot::FileFetchers::Base
+    class FileFetcher < Dependabot::FileFetchers::Base # rubocop:disable Metrics/ClassLength
       extend T::Sig
       extend T::Helpers
 
@@ -50,13 +50,11 @@ def fetch_files
         fetched_files << T.must(cargo_config) if cargo_config
         fetched_files << T.must(rust_toolchain) if rust_toolchain
         fetched_files += fetch_path_dependency_and_workspace_files
-        # If the main Cargo.toml uses workspace dependencies, ensure we have the workspace root
         parsed_manifest = parsed_file(cargo_toml)
         if uses_workspace_dependencies?(parsed_manifest) || workspace_member?(parsed_manifest)
           workspace_root = find_workspace_root(cargo_toml)
           fetched_files << workspace_root if workspace_root && !fetched_files.include?(workspace_root)
         end
-        # Filter excluded files from final collection
         fetched_files.reject do |file|
           Dependabot::FileFiltering.should_exclude_path?(file.name, "file from final collection", @exclude_paths)
         end.uniq
@@ -70,20 +68,17 @@ def fetch_files
       def fetch_path_dependency_and_workspace_files(files = nil)
         fetched_files = files || [cargo_toml]
         fetched_files += path_dependency_files(fetched_files)
-        fetched_files += fetched_files.flat_map { |f| workspace_files(f) }
+        @workspace_files ||= T.let({}, T.nilable(T::Hash[String, T::Array[Dependabot::DependencyFile]]))
+        fetched_files += fetched_files.flat_map do |f|
+          @workspace_files[f.name] ||= fetch_workspace_files(file: f, previously_fetched_files: [])
+        end
         updated_files = fetched_files.reject(&:support_file?).uniq
         updated_files += fetched_files.uniq.reject { |f| updated_files.map(&:name).include?(f.name) }
         return updated_files if updated_files == files
 
         fetch_path_dependency_and_workspace_files(updated_files)
       end
 
-      sig { params(cargo_toml: Dependabot::DependencyFile).returns(T::Array[Dependabot::DependencyFile]) }
-      def workspace_files(cargo_toml)
-        @workspace_files ||= T.let({}, T.nilable(T::Hash[String, T::Array[Dependabot::DependencyFile]]))
-        @workspace_files[cargo_toml.name] ||= fetch_workspace_files(file: cargo_toml, previously_fetched_files: [])
-      end
-
       sig { params(fetched_files: T::Array[Dependabot::DependencyFile]).returns(T::Array[Dependabot::DependencyFile]) }
       def path_dependency_files(fetched_files)
         @path_dependency_files ||= T.let({}, T.nilable(T::Hash[String, T::Array[Dependabot::DependencyFile]]))
@@ -442,15 +437,17 @@ def cargo_config
           fetch_support_file(".cargo/config")&.tap { |f| f.name = ".cargo/config.toml" },
           T.nilable(Dependabot::DependencyFile)
         )
+        @cargo_config ||= T.let(
+          fetch_cargo_config_from_parent_dirs,
+          T.nilable(Dependabot::DependencyFile)
+        )
       end
 
       sig { returns(T.nilable(Dependabot::DependencyFile)) }
       def rust_toolchain
         return @rust_toolchain if defined?(@rust_toolchain)
 
         @rust_toolchain = fetch_support_file("rust-toolchain")
-        # Per https://rust-lang.github.io/rustup/overrides.html the file can have a `.toml` extension,
-        # but the non-extension version is preferred. Renaming here to simplify finding it later in the code.
         @rust_toolchain ||= T.let(
           fetch_support_file("rust-toolchain.toml")&.tap { |f| f.name = "rust-toolchain" },
           T.nilable(Dependabot::DependencyFile)
@@ -459,9 +456,7 @@ def rust_toolchain
 
       sig { override.params(filename: T.any(Pathname, String)).returns(Dependabot::DependencyFile) }
       def load_cloned_file_if_present(filename)
-        file = super
-        file.name = Pathname.new(file.name).cleanpath.to_s.gsub(%r{^/+}, "")
-        file
+        super.tap { |f| f.name = Pathname.new(f.name).cleanpath.to_s.gsub(%r{^/+}, "") }
       end
 
       sig do
@@ -472,9 +467,45 @@ def load_cloned_file_if_present(filename)
         ).returns(Dependabot::DependencyFile)
       end
       def fetch_file_from_host(filename, type: "file", fetch_submodules: false)
-        file = super
-        file.name = Pathname.new(file.name).cleanpath.to_s.gsub(%r{^/+}, "")
-        file
+        super.tap { |f| f.name = Pathname.new(f.name).cleanpath.to_s.gsub(%r{^/+}, "") }
+      end
+
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
+      def fetch_cargo_config_from_parent_dirs
+        return nil if directory.empty?
+
+        # Count directory depth to determine how many levels to search up
+        depth = directory.split("/").count { |s| !s.empty? }
+        return nil if depth.zero?
+
+        # Try each parent directory level
+        depth.times do |i|
+          parent_path = ([".."] * (i + 1)).join("/")
+          config = try_fetch_config_at_path(parent_path)
+          return config if config
+        end
+
+        nil
+      end
+
+      sig { params(parent_path: String).returns(T.nilable(Dependabot::DependencyFile)) }
+      def try_fetch_config_at_path(parent_path)
+        [".cargo/config.toml", ".cargo/config"].each do |config_name|
+          full_path = File.join(parent_path, config_name)
+          Dependabot.logger.debug("Attempting to fetch config from: #{full_path}")
+          config = fetch_file_from_host(
+            full_path,
+            fetch_submodules: false
+          )
+          Dependabot.logger.debug("Successfully fetched config from: #{full_path}")
+          config.support_file = true
+          config.name = ".cargo/config.toml"
+          return config
+        rescue Dependabot::DependencyFileNotFound
+          Dependabot.logger.debug("No config found at: #{full_path}")
+          next
+        end
+        nil
       end
     end
   end
diff --git a/cargo/spec/dependabot/cargo/file_fetcher_spec.rb b/cargo/spec/dependabot/cargo/file_fetcher_spec.rb
@@ -148,6 +148,84 @@
     end
   end
 
+  context "with a config file at repository root and Cargo.toml in subdirectory" do
+    let(:source) do
+      Dependabot::Source.new(
+        provider: "github",
+        repo: "gocardless/bump",
+        directory: "my_dir"
+      )
+    end
+
+    let(:url) do
+      "https://api.github.com/repos/gocardless/bump/contents/my_dir/"
+    end
+
+    before do
+      # Mock the subdirectory listing (includes Cargo.toml and Cargo.lock)
+      stub_request(:get, "https://api.github.com/repos/gocardless/bump/contents/my_dir?ref=sha")
+        .with(headers: { "Authorization" => "token token" })
+        .to_return(
+          status: 200,
+          body: fixture("github", "contents_cargo_with_lockfile.json"),
+          headers: json_header
+        )
+
+      # Mock Cargo.toml in subdirectory
+      stub_request(:get, url + "Cargo.toml?ref=sha")
+        .with(headers: { "Authorization" => "token token" })
+        .to_return(
+          status: 200,
+          body: fixture("github", "contents_cargo_manifest.json"),
+          headers: json_header
+        )
+
+      # Mock Cargo.lock in subdirectory
+      stub_request(:get, url + "Cargo.lock?ref=sha")
+        .with(headers: { "Authorization" => "token token" })
+        .to_return(
+          status: 200,
+          body: fixture("github", "contents_cargo_lockfile.json"),
+          headers: json_header
+        )
+
+      # No config in subdirectory's .cargo directory
+      stub_request(:get, url + ".cargo?ref=sha")
+        .with(headers: { "Authorization" => "token token" })
+        .to_return(status: 404, headers: json_header)
+
+      stub_request(:get, url + ".cargo/config.toml?ref=sha")
+        .with(headers: { "Authorization" => "token token" })
+        .to_return(status: 404, headers: json_header)
+
+      stub_request(:get, url + ".cargo/config?ref=sha")
+        .with(headers: { "Authorization" => "token token" })
+        .to_return(status: 404, headers: json_header)
+
+      # Config at repository root
+      stub_request(:get, "https://api.github.com/repos/gocardless/bump/contents/.cargo?ref=sha")
+        .with(headers: { "Authorization" => "token token" })
+        .to_return(
+          status: 200,
+          body: fixture("github", "contents_cargo_dir.json"),
+          headers: json_header
+        )
+
+      stub_request(:get, "https://api.github.com/repos/gocardless/bump/contents/.cargo/config.toml?ref=sha")
+        .with(headers: { "Authorization" => "token token" })
+        .to_return(
+          status: 200,
+          body: fixture("github", "contents_cargo_config.json"),
+          headers: json_header
+        )
+    end
+
+    it "fetches the Cargo.toml, Cargo.lock, and config.toml from root" do
+      expect(file_fetcher_instance.files.map(&:name))
+        .to match_array(%w(Cargo.lock Cargo.toml .cargo/config.toml))
+    end
+  end
+
   context "without a lockfile" do
     before do
       stub_request(:get, url + "?ref=sha")
@@ -825,6 +903,12 @@
       stub_request(:get, %r{#{Regexp.escape(url)}\w+/\.cargo\?ref=sha})
         .with(headers: { "Authorization" => "token token" })
         .to_return(status: 404, headers: json_header)
+      stub_request(:get, %r{#{Regexp.escape(url)}.*\.cargo/config\.toml\?ref=sha})
+        .with(headers: { "Authorization" => "token token" })
+        .to_return(status: 404, headers: json_header)
+      stub_request(:get, %r{#{Regexp.escape(url)}.*\.cargo/config\?ref=sha})
+        .with(headers: { "Authorization" => "token token" })
+        .to_return(status: 404, headers: json_header)
 
       # All the manifest requests
       stub_request(:get, url + "detached_crate_fail_1/Cargo.toml?ref=sha")
