Add Windows symlink detection and binary prefix detection tests

Author: zelosleone

src/build.rs

@@ -3,7 +3,7 @@
 use std::{path::PathBuf, vec};
 
 use miette::{Context, IntoDiagnostic};
-use rattler_conda_types::{Channel, MatchSpec};
+use rattler_conda_types::{Channel, MatchSpec, package::PathsJson};
 
 use crate::{
     metadata::{Output, build_reindexed_channels},
@@ -138,6 +138,20 @@ pub async fn run_build(
         .await
         .into_diagnostic()?;
 
+    // Check for binary prefix if configured
+    if tool_configuration.error_prefix_in_binary {
+        tracing::info!("Checking for host prefix in binary files...");
+        check_for_binary_prefix(&output, &paths_json)?;
+    }
+
+    // Check for symlinks on Windows if not allowed
+    if output.build_configuration.target_platform.is_windows()
+        && !tool_configuration.allow_symlinks_on_windows
+    {
+        tracing::info!("Checking for symlinks in Windows package...");
+        check_for_symlinks_on_windows(&output, &paths_json)?;
+    }
+
     output.record_artifact(&result, &paths_json);
 
     let span = tracing::info_span!("Running package tests");
@@ -164,3 +178,51 @@ pub async fn run_build(
 
     Ok((output, result))
 }
+
+/// Check if any binary files contain the host prefix
+fn check_for_binary_prefix(output: &Output, paths_json: &PathsJson) -> Result<(), miette::Error> {
+    use rattler_conda_types::package::FileMode;
+
+    for paths_entry in &paths_json.paths {
+        if let Some(prefix_placeholder) = &paths_entry.prefix_placeholder {
+            if prefix_placeholder.file_mode == FileMode::Binary {
+                return Err(miette::miette!(
+                    "Package {} contains Binary file {} which contains host prefix placeholder, which may cause issues when the package is installed to a different location. \
+                    Consider fixing the build process to avoid embedding the host prefix in binaries. \
+                    To allow this, remove the --error-prefix-in-binary flag.",
+                    output.name().as_normalized(),
+                    paths_entry.relative_path.display()
+                ));
+            }
+        }
+    }
+
+    Ok(())
+}
+
+/// Check if any files are symlinks on Windows
+fn check_for_symlinks_on_windows(
+    output: &Output,
+    paths_json: &PathsJson,
+) -> Result<(), miette::Error> {
+    use rattler_conda_types::package::PathType;
+
+    let mut symlinks = Vec::new();
+
+    for paths_entry in &paths_json.paths {
+        if paths_entry.path_type == PathType::SoftLink {
+            symlinks.push(paths_entry.relative_path.display().to_string());
+        }
+    }
+
+    if !symlinks.is_empty() {
+        return Err(miette::miette!(
+            "Package {} contains symlinks which are not supported on most Windows systems:\n  - {}\n\
+            To allow symlinks, use the --allow-symlinks-on-windows flag.",
+            output.name().as_normalized(),
+            symlinks.join("\n  - ")
+        ));
+    }
+
+    Ok(())
+}

src/lib.rs

@@ -148,7 +148,9 @@ pub fn get_tool_config(
         .with_continue_on_failure(build_data.continue_on_failure)
         .with_noarch_build_platform(build_data.noarch_build_platform)
         .with_channel_priority(build_data.common.channel_priority)
-        .with_allow_insecure_host(build_data.common.allow_insecure_host.clone());
+        .with_allow_insecure_host(build_data.common.allow_insecure_host.clone())
+        .with_error_prefix_in_binary(build_data.error_prefix_in_binary)
+        .with_allow_symlinks_on_windows(build_data.allow_symlinks_on_windows);
 
     let configuration_builder = if let Some(fancy_log_handler) = fancy_log_handler {
         configuration_builder.with_logging_output_handler(fancy_log_handler.clone())
@@ -996,6 +998,8 @@ pub async fn debug_recipe(
         extra_meta: None,
         sandbox_configuration: None,
         continue_on_failure: ContinueOnFailure::No,
+        error_prefix_in_binary: false,
+        allow_symlinks_on_windows: false,
     };
 
     let tool_config = get_tool_config(&build_data, log_handler)?;

src/opt.rs

@@ -446,6 +446,14 @@ pub struct BuildOpts {
     /// This is useful when building many packages with `--recipe-dir`.`
     #[clap(long)]
     pub continue_on_failure: bool,
+
+    /// Error if the host prefix is detected in any binary files
+    #[arg(long, help_heading = "Modifying result")]
+    pub error_prefix_in_binary: bool,
+
+    /// Allow symlinks in packages on Windows (defaults to false - symlinks are forbidden on Windows)
+    #[arg(long, help_heading = "Modifying result")]
+    pub allow_symlinks_on_windows: bool,
 }
 #[allow(missing_docs)]
 #[derive(Clone, Debug)]
@@ -475,6 +483,8 @@ pub struct BuildData {
     pub sandbox_configuration: Option<SandboxConfiguration>,
     pub debug: Debug,
     pub continue_on_failure: ContinueOnFailure,
+    pub error_prefix_in_binary: bool,
+    pub allow_symlinks_on_windows: bool,
 }
 
 impl BuildData {
@@ -505,6 +515,8 @@ impl BuildData {
         sandbox_configuration: Option<SandboxConfiguration>,
         debug: bool,
         continue_on_failure: ContinueOnFailure,
+        error_prefix_in_binary: bool,
+        allow_symlinks_on_windows: bool,
     ) -> Self {
         Self {
             up_to,
@@ -539,6 +551,8 @@ impl BuildData {
             sandbox_configuration,
             debug: Debug::new(debug),
             continue_on_failure,
+            error_prefix_in_binary,
+            allow_symlinks_on_windows,
         }
     }
 }
@@ -584,6 +598,8 @@ impl BuildData {
             opts.sandbox_arguments.into(),
             opts.debug,
             opts.continue_on_failure.into(),
+            opts.error_prefix_in_binary,
+            opts.allow_symlinks_on_windows,
         )
     }
 }

src/tool_configuration.rs

@@ -218,6 +218,12 @@ pub struct Configuration {
 
     /// Whether to continue building on failure of a package or stop the build
     pub continue_on_failure: ContinueOnFailure,
+
+    /// Whether to error if the host prefix is detected in binary files
+    pub error_prefix_in_binary: bool,
+
+    /// Whether to allow symlinks in packages on Windows (defaults to false)
+    pub allow_symlinks_on_windows: bool,
 }
 
 /// Get the authentication storage from the given file
@@ -272,6 +278,8 @@ pub struct ConfigurationBuilder {
     channel_priority: ChannelPriority,
     allow_insecure_host: Option<Vec<String>>,
     continue_on_failure: ContinueOnFailure,
+    error_prefix_in_binary: bool,
+    allow_symlinks_on_windows: bool,
 }
 
 impl Configuration {
@@ -301,6 +309,8 @@ impl ConfigurationBuilder {
             channel_priority: ChannelPriority::Strict,
             allow_insecure_host: None,
             continue_on_failure: ContinueOnFailure::No,
+            error_prefix_in_binary: false,
+            allow_symlinks_on_windows: false,
         }
     }
 
@@ -321,6 +331,22 @@ impl ConfigurationBuilder {
         }
     }
 
+    /// Whether to error if the host prefix is detected in binary files
+    pub fn with_error_prefix_in_binary(self, error_prefix_in_binary: bool) -> Self {
+        Self {
+            error_prefix_in_binary,
+            ..self
+        }
+    }
+
+    /// Whether to allow symlinks in packages on Windows
+    pub fn with_allow_symlinks_on_windows(self, allow_symlinks_on_windows: bool) -> Self {
+        Self {
+            allow_symlinks_on_windows,
+            ..self
+        }
+    }
+
     /// Set the default cache directory to use for objects that need to be
     /// cached.
     pub fn with_opt_cache_dir(self, cache_dir: Option<PathBuf>) -> Self {
@@ -492,6 +518,8 @@ impl ConfigurationBuilder {
             channel_priority: self.channel_priority,
             allow_insecure_host: self.allow_insecure_host,
             continue_on_failure: self.continue_on_failure,
+            error_prefix_in_binary: self.error_prefix_in_binary,
+            allow_symlinks_on_windows: self.allow_symlinks_on_windows,
         }
     }
 }

test-data/recipes/binary_prefix_test/recipe.yaml

@@ -0,0 +1,44 @@
+context:
+  name: binary-prefix-test
+  version: "1.0.0"
+
+package:
+  name: ${{ name }}
+  version: ${{ version }}
+
+build:
+  number: 0
+  script:
+    - if: unix
+      then:
+        - mkdir -p $PREFIX/bin
+        # C program that embeds the prefix
+        - |
+          cat > test_binary.c << EOF
+          #include <stdio.h>
+          int main() {
+              const char* prefix = "$PREFIX";
+              printf("Prefix is: %s\n", prefix);
+              return 0;
+          }
+          EOF
+        - gcc test_binary.c -o $PREFIX/bin/test_binary
+      else:
+        - mkdir %PREFIX%\Library\bin
+        # A simple executable that contains the prefix
+        - |
+          echo #include ^<stdio.h^> > test_binary.c
+          echo int main() { >> test_binary.c
+          echo     const char* prefix = "%PREFIX%"; >> test_binary.c
+          echo     printf("Prefix is: %%s\n", prefix); >> test_binary.c
+          echo     return 0; >> test_binary.c
+          echo } >> test_binary.c
+        - cl test_binary.c /Fe:%PREFIX%\Library\bin\test_binary.exe
+
+requirements:
+  build:
+    - ${{ compiler('c') }}
+
+about:
+  summary: Test package with binary containing host prefix
+  description: This package intentionally contains a binary with the host prefix embedded

test-data/recipes/symlink_test/recipe.yaml

@@ -0,0 +1,20 @@
+context:
+  name: symlink-test
+  version: "1.0.0"
+
+package:
+  name: ${{ name }}
+  version: ${{ version }}
+
+build:
+  number: 0
+  script:
+    - mkdir %PREFIX%\Library\bin
+    - echo @echo off > %PREFIX%\Library\bin\real_script.bat
+    - echo echo Hello from real script >> %PREFIX%\Library\bin\real_script.bat
+    - mklink %PREFIX%\Library\bin\symlink_script.bat %PREFIX%\Library\bin\real_script.bat
+    - mklink %PREFIX%\Library\bin\another_symlink.bat %PREFIX%\Library\bin\real_script.bat
+
+about:
+  summary: Test package with symlinks
+  description: This package contains symlinks to test Windows symlink detection

test/end-to-end/test_simple.py

@@ -13,6 +13,7 @@
 import requests
 import yaml
 import subprocess
+import shutil
 from helpers import RattlerBuild, check_build_output, get_extracted_package, get_package
 
 
@@ -1870,3 +1871,56 @@ def test_merge_build_and_host(
         recipes / "merge_build_and_host/recipe.yaml",
         tmp_path,
     )
+
+
+def test_error_on_binary_prefix(
+    rattler_build: RattlerBuild, recipes: Path, tmp_path: Path
+):
+    """Test that --error-prefix-in-binary flag correctly detects prefix in binaries"""
+    recipe_path = recipes / "binary_prefix_test"
+    args = rattler_build.build_args(recipe_path, tmp_path)
+    rattler_build(*args)
+
+    shutil.rmtree(tmp_path)
+    tmp_path.mkdir()
+    args = rattler_build.build_args(recipe_path, tmp_path)
+    args = list(args) + ["--error-prefix-in-binary"]
+
+    try:
+        rattler_build(*args, stderr=STDOUT)
+        pytest.fail("Expected build to fail with binary prefix error")
+    except CalledProcessError as e:
+        output = e.output.decode("utf-8") if e.output else ""
+        assert "Binary file" in output and "contains host prefix" in output
+
+
+@pytest.mark.skipif(
+    os.name != "nt", reason="Windows symlink test can only run on Windows"
+)
+def test_error_on_symlinks_windows(
+    rattler_build: RattlerBuild, recipes: Path, tmp_path: Path
+):
+    """Test that symlinks are forbidden on Windows by default"""
+    recipe_path = recipes / "symlink_test"
+
+    args = rattler_build.build_args(recipe_path, tmp_path)
+
+    # Should fail by default on Windows
+    try:
+        rattler_build(*args, stderr=STDOUT)
+        pytest.fail("Expected build to fail with symlink error on Windows")
+    except CalledProcessError as e:
+        output = e.output.decode("utf-8") if e.output else ""
+        assert "symlinks" in output.lower() and "windows systems" in output.lower()
+
+    # Should succeed with --allow-symlinks-on-windows flag
+    shutil.rmtree(tmp_path)
+    tmp_path.mkdir()
+    args = rattler_build.build_args(recipe_path, tmp_path)
+    args = list(args) + ["--allow-symlinks-on-windows"]
+    rattler_build(*args)
+    pkg_name = "symlink-test-1.0.0-h"
+    assert any(
+        f.name.startswith(pkg_name)
+        for f in (tmp_path / host_subdir()).glob("*.tar.bz2")
+    )