Skip to content

feat: replace SharpCompress with LibArchive.Net#122

Merged
jas88 merged 3 commits intomainfrom
replace-sharpcompress-with-libarchive
Mar 6, 2026
Merged

feat: replace SharpCompress with LibArchive.Net#122
jas88 merged 3 commits intomainfrom
replace-sharpcompress-with-libarchive

Conversation

@jas88
Copy link
Owner

@jas88 jas88 commented Mar 6, 2026
edited by cubic-dev-ai bot
Loading

Summary

  • Replaces SharpCompress dependency with LibArchive.Net for TAR archive reading in UpdateFetcher
  • Resolves breaking API changes that caused PR Bump SharpCompress from 0.39.0 to 0.47.0 #121 (SharpCompress 0.47.0 update) to fail CI
  • LibArchive.Net wraps native libarchive, providing broader format support with bundled native binaries for all platforms

Test plan

  • Build succeeds with zero warnings
  • All existing tests pass
  • CI passes on ubuntu-latest

High-level PR Summary

This PR replaces the SharpCompress library with LibArchive.Net to resolve breaking API changes that caused issues when updating SharpCompress to version 0.47.0. The change primarily affects the UpdateFetcher class, where TAR archive reading logic has been refactored to use the new library's API. LibArchive.Net provides broader format support through native libarchive bindings with bundled binaries for all platforms.

⏱️ Estimated Review Time: 5-15 minutes

💡 Review Order Suggestion
Order File Path
1 PACSify/PACSify.csproj
2 PACSify/UpdateFetcher.cs

Need help? Join our Discord

Summary by cubic

Switch archive handling to LibArchive.Net in UpdateFetcher to fix CI failures from SharpCompress API changes, improve format support across platforms, and prevent path traversal in archive entries.

  • Dependencies

    • Remove SharpCompress; add LibArchive.Net 0.3.0 (bundled native libarchive).
    • Keep Microsoft.Extensions.* packages at 10.0.3.

  • Refactors

    • Replace ReaderFactory/OpenEntryStream with LibArchiveReader and foreach entry iteration.
    • Use Path.GetFileName(entry.Name) and entry.Stream for .docker processing, file writes, and Windows replace logic to avoid path traversal.

Written for commit 6949f60. Summary will update on new commits.

jas88 added 2 commits March 6, 2026 12:55
@jas88
feat: replace SharpCompress with LibArchive.Net for archive handling
ca2565e 
SharpCompress 0.47.0 update (PR #121) fails CI due to breaking API
changes. Switch to LibArchive.Net which wraps native libarchive,
providing broader format support and a simpler API.
@jas88
merge: resolve conflict with main, keep updated package versions
8584b1a
cubic-dev-ai[bot]
cubic-dev-ai bot reviewed Mar 6, 2026
View reviewed changes
Copy link

@cubic-dev-ai cubic-dev-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1 issue found across 2 files

Prompt for AI agents (unresolved issues) 

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="PACSify/UpdateFetcher.cs">

<violation number="1" location="PACSify/UpdateFetcher.cs:75">
P0: Archive entry paths are used directly for file writes/replacements, which enables path traversal (e.g., `../`) from a crafted TAR and can overwrite arbitrary files.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

recurseml[bot]
recurseml bot reviewed Mar 6, 2026
View reviewed changes
Copy link

@recurseml recurseml bot left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review by RecurseML

🔍 Review performed on e1f44a0..ca2565e

  Severity     Location     Issue     Delete  
High PACSify/UpdateFetcher.cs:46 Null reference exception
✅ Files analyzed, no issues (1)

PACSify/PACSify.csproj

@jas88
fix: prevent path traversal from crafted archive entries
6949f60 
Use Path.GetFileName() to strip directory components from archive
entry names before using them for file operations. A malicious TAR
with entries like "../../../etc/crontab" could previously overwrite
arbitrary files on the filesystem.
cubic-dev-ai[bot]
cubic-dev-ai bot reviewed Mar 6, 2026
View reviewed changes
Copy link

@cubic-dev-ai cubic-dev-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1 issue found across 1 file (changes from recent commits).

Prompt for AI agents (unresolved issues) 

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="PACSify/UpdateFetcher.cs">

<violation number="1" location="PACSify/UpdateFetcher.cs:46">
P2: Using `Path.GetFileName(entry.Name)` flattens archive paths and can cause filename collisions/overwrites when different directories contain the same file name.</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

@jas88 jas88 merged commit 80a702c into main Mar 6, 2026
3 checks passed
@jas88 jas88 deleted the replace-sharpcompress-with-libarchive branch March 6, 2026 19:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cubic-dev-ai cubic-dev-ai[bot] cubic-dev-ai[bot] left review comments

+1 more reviewer

@recurseml recurseml[bot] recurseml[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jas88