Allow ancestor traversal when loading package manifest outside of roots

rib · rib · commit be2503fd4d32 · 2025-06-06T11:54:17.000+01:00
As a special-case; unlike for configs and workspaces, this allows Cargo
to search all the way up to the root of the filesystem when loading a
package manifest, IFF Cargo is running outside of all configured root
directories.

This exception doesn't apply if Cargo is running within a configured
root directory.

This is a trade off between safety and convenience (+ backwards
compatibility) that ensures it is possible to unpack a package outside
of your home directory (such as `/tmp/my-package`) and then start a
build from a subdirectory like `/tmp/my-package/sub/dir` such that Cargo
will traverse parent directories looking for
`/tmp/my-package/Cargo.toml` but it will not try and load untrusted
configs under `/tmp/.cargo` or workspace manifests under
`/tmp/Cargo.toml` that could have been created by another user.

FIXME: If the first manifest loaded is in fact a workspace manifest
we need to make sure we add that as a root directory so that when
nested packages within the workspace are built they are able to find
their way back to the top of the workspace. Otherwise each nested
package build will be limited to the directory of the package.
diff --git a/src/cargo/core/workspace.rs b/src/cargo/core/workspace.rs
@@ -2024,7 +2024,7 @@ fn find_workspace_root_with_loader(
     gctx: &GlobalContext,
     mut loader: impl FnMut(&Path) -> CargoResult<Option<PathBuf>>,
 ) -> CargoResult<Option<PathBuf>> {
-    let search_route = gctx.find_manifest_search_route(manifest_path);
+    let search_route = gctx.find_workspace_manifest_search_route(manifest_path);
 
     // Check if there are any workspace roots that have already been found that would work
     {
diff --git a/src/cargo/util/context/mod.rs b/src/cargo/util/context/mod.rs
@@ -617,12 +617,10 @@ impl GlobalContext {
         Ok(())
     }
 
-    /// Find shortest route between `start` and one of the roots in [Self::sorted_roots].
-    ///
-    /// If no root is found then fallback to root == start so we only search one directory.
-    /// - This is a safety measure to reduce the risk of reading unsafe state from locations
-    ///   that are not owned by the user (for example building under `/tmp`).
-    fn find_search_route<P: AsRef<Path>>(&self, start: P) -> CargoResult<SearchRoute> {
+    fn find_nearest_root<P: AsRef<Path>>(
+        &self,
+        start: P,
+    ) -> CargoResult<Option<(PathBuf, PathBuf)>> {
         let start = start
             .as_ref()
             .canonicalize()
@@ -632,31 +630,33 @@ impl GlobalContext {
         let root = self
             .sorted_roots
             .iter()
-            .filter_map(|root| {
-                if start.starts_with(root) {
-                    tracing::debug!(
-                        "Found candidate search root {:?} for start {:?}",
-                        root,
-                        start
-                    );
-                    Some(root.clone())
-                } else {
-                    tracing::debug!(
-                        "Skipping candidate search root {:?} for start {:?}",
-                        root,
-                        start
-                    );
-                    None
-                }
-            })
-            .next();
+            .find(|root| start.starts_with(root))
+            .cloned();
+
+        if let Some(root) = root {
+            tracing::debug!("Found candidate root {:?}", root);
+            Ok(Some((start, root)))
+        } else {
+            tracing::debug!("No candidate root found for start {:?}", start);
+            Ok(None)
+        }
+    }
+
+    /// Find shortest route between `start` and one of the roots in [Self::sorted_roots].
+    ///
+    /// If no root is found then fallback to root == start so we only search one directory.
+    /// - This is a safety measure to reduce the risk of reading unsafe state from locations
+    ///   that are not owned by the user (for example building under `/tmp`).
+    fn find_search_route<P: AsRef<Path>>(&self, start: P) -> CargoResult<SearchRoute> {
+        let start = start.as_ref();
+        let route = self.find_nearest_root(&start)?;
 
         // Cargo no longer allows searching up to the root of the filesystem unless the root is
         // explicitly added to `sorted_roots`.
-        let root = root.unwrap_or_else(|| start.clone());
+        let route = route.unwrap_or_else(|| (start.to_owned(), start.to_owned()));
         Ok(SearchRoute {
-            start,
-            root: Some(root),
+            start: route.0,
+            root: Some(route.1),
         })
     }
 
@@ -711,7 +711,51 @@ impl GlobalContext {
         config_search_route
     }
 
-    pub fn find_manifest_search_route<P: AsRef<Path>>(&self, start: P) -> SearchRoute {
+    pub fn find_package_manifest_search_route<P: AsRef<Path>>(&self, start: P) -> SearchRoute {
+        tracing::trace!(
+            "Finding package manifest search route starting at {:?}",
+            start.as_ref()
+        );
+
+        let start = start
+            .as_ref()
+            .canonicalize()
+            .expect("failed to canonicalize path");
+        // Return the existing route if the start == path.
+        if let Some(route) = &*self.manifest_search_route.borrow() {
+            if route.start == start {
+                return route.clone();
+            }
+        }
+
+        // As a special case, we allow the traversal of parent directories, when
+        // outside of all root directories to find the package manifest.
+        //
+        // This is a trade off between safety and convenience, so it's e.g.
+        // possible to unpack a package under `/tmp` and start a build from
+        // `/tmp/my-package/sub/dir` and find `/tmp/my-package/Cargo.toml`, but
+        // not allow a potentially unsafe `/tmp/Cargo.toml` workspace to be loaded.
+        let manifest_search_route =
+            if let Some((start, root)) = self.find_nearest_root(&start).ok().flatten() {
+                SearchRoute {
+                    start,
+                    root: Some(root),
+                }
+            } else {
+                SearchRoute {
+                    start,
+                    root: None, // Allow searching up to the root of the filesystem.
+                }
+            };
+        *self.manifest_search_route.borrow_mut() = Some(manifest_search_route.clone());
+        manifest_search_route.clone()
+    }
+
+    pub fn find_workspace_manifest_search_route<P: AsRef<Path>>(&self, start: P) -> SearchRoute {
+        tracing::trace!(
+            "Finding workspace manifest search route starting at {:?}",
+            start.as_ref()
+        );
         let start = start
             .as_ref()
             .canonicalize()
diff --git a/src/cargo/util/important_paths.rs b/src/cargo/util/important_paths.rs
@@ -10,7 +10,7 @@ pub fn find_root_manifest_for_wd(gctx: &GlobalContext, cwd: &Path) -> CargoResul
     let invalid_cargo_toml_file_name = "cargo.toml";
     let mut invalid_cargo_toml_path_exists = false;
 
-    let search_route = gctx.find_manifest_search_route(cwd);
+    let search_route = gctx.find_package_manifest_search_route(cwd);
     for current in paths::ancestors(&search_route.start, search_route.root.as_deref()) {
         let manifest = current.join(valid_cargo_toml_file_name);
         if manifest.exists() {

Original file line number	Diff line number	Diff line change
`@@ -2024,7 +2024,7 @@ fn find_workspace_root_with_loader(`
`2024`	`2024`	`gctx: &GlobalContext,`
`2025`	`2025`	`mut loader: impl FnMut(&Path) -> CargoResult<Option<PathBuf>>,`
`2026`	`2026`	`) -> CargoResult<Option<PathBuf>> {`
`2027`		`- let search_route = gctx.find_manifest_search_route(manifest_path);`
	`2027`	`+ let search_route = gctx.find_workspace_manifest_search_route(manifest_path);`
`2028`	`2028`
`2029`	`2029`	`// Check if there are any workspace roots that have already been found that would work`
`2030`	`2030`	`{`