fix: eliminate unsafe code via nix, command-fds, and thread-local cookie

Replace 4 unsafe sites with safe wrappers: - libc::pipe2 → nix::unistd::pipe2 (safe OwnedFd return) - File::from_raw_fd → File::from(OwnedFd) (safe ownership transfer) - unsafe impl Send for SendCookie → thread_local! lazy Cookie (each thread gets its own independent Cookie, no Send needed) - pre_exec + libc::fcntl → command-fds crate fd_mappings() (handles CLOEXEC clearing safely, also fixes potential fd leak on spawn failure via OwnedFd RAII) Only libc::umask remains as a single unavoidable unsafe site (no safe Rust wrapper exists for the umask syscall). Also updates AGENTS.md to remove stale SendCookie exception.
2026-03-14 16:01:54 -03:00
parent 9a1e23e85f
commit 0af74000d2
5 changed files with 83 additions and 102 deletions
--- a/src/meta_plugin/magic_file.rs
+++ b/src/meta_plugin/magic_file.rs
@@ -3,7 +3,6 @@ use magic::{Cookie, CookieFlags};
 #[cfg(not(feature = "magic"))]
 use std::process::{Command, Stdio};

-use log::debug;
 use std::io::{self, Write};
 use std::path::Path;

@@ -12,27 +11,14 @@ use crate::meta_plugin::{
    process_metadata_outputs,
 };

-/// Wrapper around `magic::Cookie` that is Send.
-///
-/// Libmagic cookies are thread-safe per-instance (separate cookies have
-/// independent state). The raw pointer `*mut magic_sys::magic_set` does not
-/// auto-derive Send, but concurrent access to distinct cookies is safe per
-/// the libmagic documentation.
+// Thread-local libmagic cookie, lazily initialized on first access per thread.
+// Each thread gets its own independent Cookie instance. Libmagic documents that
+// separate cookies can be used from different threads concurrently without
+// synchronization. Using thread_local! avoids unsafe impl Send since the
+// storage is inherently !Send.
 #[cfg(feature = "magic")]
-struct SendCookie(Cookie);
-
-#[cfg(feature = "magic")]
-// SAFETY: Each SendCookie owns a distinct libmagic instance. Libmagic
-// documents that separate cookies can be used from different threads
-// concurrently without synchronization.
-#[allow(unsafe_code)]
-unsafe impl Send for SendCookie {}
-
-#[cfg(feature = "magic")]
-impl std::fmt::Debug for SendCookie {
-    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
-        f.debug_struct("SendCookie").finish()
-    }
+thread_local! {
+    static MAGIC_COOKIE: std::cell::RefCell<Option<Cookie>> = const { std::cell::RefCell::new(None) };
 }

 #[cfg(feature = "magic")]
@@ -41,7 +27,6 @@ pub struct MagicFileMetaPluginImpl {
    buffer: Vec<u8>,
    max_buffer_size: usize,
    is_finalized: bool,
-    cookie: Option<SendCookie>,
    base: BaseMetaPlugin,
 }

@@ -68,14 +53,28 @@ impl MagicFileMetaPluginImpl {
            buffer: Vec::new(),
            max_buffer_size,
            is_finalized: false,
-            cookie: None,
            base,
        }
    }

    fn get_magic_result(&self, flags: CookieFlags) -> io::Result<String> {
-        if let Some(send_cookie) = &self.cookie {
-            let cookie = &send_cookie.0;
+        MAGIC_COOKIE.with(|cell| {
+            // Lazy init: create cookie on first access per thread
+            {
+                let mut opt = cell.borrow_mut();
+                if opt.is_none() {
+                    let cookie = Cookie::open(CookieFlags::default())
+                        .map_err(|e| io::Error::other(format!("Failed to open magic: {e}")))?;
+                    cookie.load(&[] as &[&Path]).map_err(|e| {
+                        io::Error::other(format!("Failed to load magic database: {e}"))
+                    })?;
+                    *opt = Some(cookie);
+                }
+            }
+
+            let cookie_ref = cell.borrow();
+            let cookie = cookie_ref.as_ref().expect("cookie initialized above");
+
            cookie
                .set_flags(flags)
                .map_err(|e| io::Error::other(format!("Failed to set magic flags: {e}")))?;
@@ -84,13 +83,8 @@ impl MagicFileMetaPluginImpl {
                .buffer(&self.buffer)
                .map_err(|e| io::Error::other(format!("Failed to analyze buffer: {e}")))?;

-            // Clean up the result - remove extra whitespace
-            let trimmed = result.trim().to_string();
-
-            Ok(trimmed)
-        } else {
-            Err(io::Error::other("Magic cookie not initialized"))
-        }
+            Ok(result.trim().to_string())
+        })
    }

    fn process_magic_types(&self) -> Vec<MetaData> {
@@ -130,27 +124,7 @@ impl MetaPlugin for MagicFileMetaPluginImpl {
    }

    fn initialize(&mut self) -> MetaPluginResponse {
-        let cookie = match Cookie::open(CookieFlags::default()) {
-            Ok(cookie) => cookie,
-            Err(e) => {
-                debug!("META: MagicFile plugin: failed to create cookie: {e}");
-                return MetaPluginResponse {
-                    metadata: Vec::new(),
-                    is_finalized: true,
-                };
-            }
-        };
-
-        if let Err(e) = cookie.load(&[] as &[&Path]) {
-            debug!("META: MagicFile plugin: failed to load magic database: {e}");
-            return MetaPluginResponse {
-                metadata: Vec::new(),
-                is_finalized: true,
-            };
-        }
-
-        self.cookie = Some(SendCookie(cookie));
-
+        // Cookie is lazily initialized in the thread-local on first use.
        MetaPluginResponse {
            metadata: Vec::new(),
            is_finalized: false,