diff --git a/.github/workflows/check.yaml b/.github/workflows/check.yaml index 260aaf0d..a748d354 100644 --- a/.github/workflows/check.yaml +++ b/.github/workflows/check.yaml @@ -35,7 +35,7 @@ jobs: - { os: windows-2025, py: pypy3.11 } steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@v6 with: fetch-depth: 0 - name: "🔄 Install the latest version of uv" @@ -68,7 +68,7 @@ jobs: shell: python - name: "📦 Upload coverage data" if: ${{ !startsWith(matrix.py, 'pypy')}} - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v6 with: include-hidden-files: true name: .coverage.${{ matrix.os }}.${{ matrix.py }} @@ -80,7 +80,7 @@ jobs: runs-on: ubuntu-24.04 needs: test steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@v6 with: fetch-depth: 0 - name: "🔄 Install the latest version of uv" @@ -94,7 +94,7 @@ jobs: env: UV_PYTHON_PREFERENCE: only-managed - name: "⬇️ Download coverage data" - uses: actions/download-artifact@v5 + uses: actions/download-artifact@v7 with: path: .tox pattern: .coverage.* @@ -104,7 +104,7 @@ jobs: env: UV_PYTHON_PREFERENCE: only-managed - name: "📤 Upload HTML report" - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v6 with: name: html-report path: .tox/htmlcov @@ -126,7 +126,7 @@ jobs: exclude: - { os: windows-2025, tox_env: pkg_meta } steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@v6 with: fetch-depth: 0 - name: "🔄 Install the latest version of uv" diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 9275d8e8..85d4c69e 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -10,7 +10,7 @@ jobs: build: runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@v6 with: fetch-depth: 0 - name: "🔄 Install the latest version of uv" @@ -18,7 +18,7 @@ jobs: - name: "📦 Build package" run: uv build --python 3.14 --python-preference only-managed --sdist --wheel . --out-dir dist - name: "📤 Store the distribution packages" - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v6 with: name: ${{ env.dists-artifact-name }} path: dist/* @@ -34,7 +34,7 @@ jobs: id-token: write steps: - name: "⬇️ Download all the dists" - uses: actions/download-artifact@v5 + uses: actions/download-artifact@v7 with: name: ${{ env.dists-artifact-name }} path: dist/ diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index ce13a495..67f2cb26 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -5,7 +5,7 @@ repos: - id: end-of-file-fixer - id: trailing-whitespace - repo: https://github.com/python-jsonschema/check-jsonschema - rev: 0.34.0 + rev: 0.35.0 hooks: - id: check-github-workflows args: ["--verbose"] @@ -15,21 +15,21 @@ repos: - id: codespell additional_dependencies: ["tomli>=2.2.1"] - repo: https://github.com/tox-dev/tox-toml-fmt - rev: "v1.1.0" + rev: "v1.2.1" hooks: - id: tox-toml-fmt - repo: https://github.com/tox-dev/pyproject-fmt - rev: "v2.8.0" + rev: "v2.11.1" hooks: - id: pyproject-fmt - repo: https://github.com/astral-sh/ruff-pre-commit - rev: "v0.14.0" + rev: "v0.14.9" hooks: - id: ruff-format - id: ruff-check args: ["--fix", "--unsafe-fixes", "--exit-non-zero-on-fix"] - repo: https://github.com/rbubley/mirrors-prettier - rev: "v3.6.2" # Use the sha / tag you want to point at + rev: "v3.7.4" # Use the sha / tag you want to point at hooks: - id: prettier additional_dependencies: diff --git a/src/filelock/_unix.py b/src/filelock/_unix.py index b2fd0f33..25cbeca6 100644 --- a/src/filelock/_unix.py +++ b/src/filelock/_unix.py @@ -38,7 +38,7 @@ class UnixFileLock(BaseFileLock): def _acquire(self) -> None: ensure_directory_exists(self.lock_file) - open_flags = os.O_RDWR | os.O_TRUNC + open_flags = os.O_RDWR | os.O_TRUNC | os.O_NOFOLLOW if not Path(self.lock_file).exists(): open_flags |= os.O_CREAT fd = os.open(self.lock_file, open_flags, self._context.mode) diff --git a/src/filelock/_windows.py b/src/filelock/_windows.py index 348251d1..c6e423b2 100644 --- a/src/filelock/_windows.py +++ b/src/filelock/_windows.py @@ -11,7 +11,38 @@ from ._util import ensure_directory_exists, raise_on_not_writable_file if sys.platform == "win32": # pragma: win32 cover + import ctypes import msvcrt + from ctypes import wintypes + + # Windows API constants for reparse point detection + FILE_ATTRIBUTE_REPARSE_POINT = 0x00000400 + INVALID_FILE_ATTRIBUTES = 0xFFFFFFFF + + # Load kernel32.dll + _kernel32 = ctypes.WinDLL("kernel32", use_last_error=True) + _kernel32.GetFileAttributesW.argtypes = [wintypes.LPCWSTR] + _kernel32.GetFileAttributesW.restype = wintypes.DWORD + + def _is_reparse_point(path: str) -> bool: + """ + Check if a path is a reparse point (symlink, junction, etc.) on Windows. + + :param path: Path to check + :return: True if path is a reparse point, False otherwise + :raises OSError: If GetFileAttributesW fails for reasons other than file-not-found + """ + attrs = _kernel32.GetFileAttributesW(path) + if attrs == INVALID_FILE_ATTRIBUTES: + # File doesn't exist yet - that's fine, we'll create it + err = ctypes.get_last_error() + if err == 2: # noqa: PLR2004 # ERROR_FILE_NOT_FOUND + return False + if err == 3: # noqa: PLR2004 # ERROR_PATH_NOT_FOUND + return False + # Some other error - let caller handle it + return False + return bool(attrs & FILE_ATTRIBUTE_REPARSE_POINT) class WindowsFileLock(BaseFileLock): """Uses the :func:`msvcrt.locking` function to hard lock the lock file on Windows systems.""" @@ -19,6 +50,13 @@ class WindowsFileLock(BaseFileLock): def _acquire(self) -> None: raise_on_not_writable_file(self.lock_file) ensure_directory_exists(self.lock_file) + + # Security check: Refuse to open reparse points (symlinks, junctions) + # This prevents TOCTOU symlink attacks (CVE-TBD) + if _is_reparse_point(self.lock_file): + msg = f"Lock file is a reparse point (symlink/junction): {self.lock_file}" + raise OSError(msg) + flags = ( os.O_RDWR # open for read and write | os.O_CREAT # create file if not exists