[rust] xz uncompressor for Firefox Linux nightlies

[bgermann]

User description

Description

Add a xz uncompressor.

Motivation and Context

Mozilla provides Linux nightlies in tar.xz archived now. Closes: #14831

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)

Checklist

• I have read the contributing document.
• My change requires a change to the documentation.
• I have updated the documentation accordingly.
• I have added tests to cover my changes.
• All new and existing tests passed.

---

PR Type

Enhancement

---

Description

• Added support for decompressing XZ files using the xz2 crate.
• Implemented a new function uncompress_xz to handle the extraction of XZ compressed files.
• Updated the uncompress function to include logic for handling XZ file extensions.
• Added the xz2 crate to the project's dependencies in Cargo.toml.

---

Changes walkthrough 📝

	Relevant files
Enhancement	files.rs Add XZ file decompression support in Rust                                rust/src/files.rs Added xz2 dependency for XZ file decompression. Introduced uncompress_xz function to handle XZ file extraction. Updated uncompress function to support XZ file format. +26/-0
Dependencies	Cargo.toml Add xz2 crate dependency for XZ support                                    rust/Cargo.toml Added xz2 crate to dependencies for XZ decompression. +1/-0

---

💡 PR-Agent usage: Comment /help "your question" on any pull request to receive relevant information

[qodo-merge-pro]

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪

🧪 No relevant tests

🔒 Security concerns Path Traversal: The uncompress_xz function extracts files without properly validating paths from the archive. An attacker could potentially craft a malicious archive that writes files outside the target directory. The code should validate that all extracted paths remain within the target directory.

⚡ Recommended focus areas for review Error Handling The uncompress_xz function should validate the target directory path before creating directories and unpacking files to prevent path traversal attacks Memory Usage Reading entire XZ file into memory buffer could be problematic for large files. Consider using streaming approach instead Resource Cleanup File handles and decoders should be properly closed/dropped using Drop trait implementations or explicit cleanup

[qodo-merge-pro]

PR Code Suggestions ✨

Explore these optional code suggestions:

Category	Suggestion	Score
Security	Prevent potential out-of-memory issues by limiting the size of decompressed data Add memory limit for buffer to prevent potential out-of-memory issues when decompressing large XZ files. rust/src/files.rs [353-354] -let mut buffer: Vec<u8> = Vec::new(); -xz_decoder.read_to_end(&mut buffer)?; +let mut buffer: Vec<u8> = Vec::with_capacity(10 * 1024 * 1024); // 10MB initial capacity +if xz_decoder.read_to_end(&mut buffer)? > 100 * 1024 * 1024 { // 100MB limit + return Err(Error::msg("XZ file too large")); +} Apply this suggestion Suggestion importance[1-10]: 9 Why: This is a critical security enhancement that prevents potential denial-of-service attacks through maliciously crafted XZ files that could exhaust system memory when decompressed.	9
Possible issue	Improve directory creation logic to handle race conditions and prevent potential failures Add a check for target directory existence before creating it to avoid potential race conditions and ensure proper error handling. rust/src/files.rs [356-364] -if !target.exists() { - for entry in archive.entries()? { - let mut entry_decoder = entry?; - let entry_path: PathBuf = entry_decoder.path()?.iter().skip(1).collect(); - let entry_target = target.join(entry_path); - fs::create_dir_all(entry_target.parent().unwrap())?; - entry_decoder.unpack(entry_target)?; +fs::create_dir_all(target)?; +for entry in archive.entries()? { + let mut entry_decoder = entry?; + let entry_path: PathBuf = entry_decoder.path()?.iter().skip(1).collect(); + let entry_target = target.join(entry_path); + if let Some(parent) = entry_target.parent() { + fs::create_dir_all(parent)?; } + entry_decoder.unpack(entry_target)?; } Apply this suggestion Suggestion importance[1-10]: 8 Why: The suggestion improves error handling and safety by ensuring the target directory exists before extraction and properly handling parent directory creation, reducing the risk of race conditions and failures in concurrent scenarios.	8

💡 Need additional feedback ? start a PR chat

[bgermann]

@VietND96 Are the two failing checks caused by the new crate dependency? Am I required to change anything?

[VietND96]

Looks like you missed to format code. Run ./scripts/format.sh once

[bgermann]

I have run the test and included the Bazel lock file change.

[bgermann]

Ah, and the import sorting is now fixed as well.

[bonigarcia]

@bgermann: Thanks a lot for reporting and contributing. I tested your code, and it works nicely. My only concern is that the new function uncompress_xz is almost identical to the existing uncompress_bz2, so it would be better to create a common function for both parameterizing the decoder (XzDecoder and BzDecoder respectively). Can you please make that change in your PR?

[bonigarcia]

Looks good to me, many thanks, @bgermann. I tested locally it and it works nicely. Some tests are failing in CI but the reason is other, so it can be merged. Thanks again!