liang.he 8 месяцев назад
Родитель
Сommit
28702edaf7

+ 6 - 1
build-scripts/config_common.cmake

@@ -279,7 +279,12 @@ else ()
   message ("     Libc builtin disabled")
 endif ()
 if (WAMR_BUILD_LIBC_UVWASI EQUAL 1)
-  message ("     Libc WASI enabled with uvwasi implementation")
+  message ("     Libc WASI enabled with uvwasi implementation\n"
+           "     WANRING:: uvwasi does not currently provide the comprehensive\n"
+           "     file system security properties provided by some WASI runtimes.\n"
+           "     Full support for secure file system sandboxing may or may not\n"
+           "     be implemented in future. In the mean time, DO NOT RELY ON IT\n"
+           "     TO RUN UNTRUSTED CODE.")
 elseif (WAMR_BUILD_LIBC_WASI EQUAL 1)
   message ("     Libc WASI enabled")
 else ()
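Review bot: The second line of the new `message ()` call spells the label as `WANRING::`, so anyone grepping configure logs for `WARNING` will not find this security caveat; it should read `"     WARNING: uvwasi does not currently provide the comprehensive\n"`. The call also has no mode keyword, so the text is printed like the ordinary summary lines around it and is easy to overlook. If the caveat is meant to stand out, a separate `message (WARNING "uvwasi: do not rely on it to run untrusted code")` after the summary line would route it through CMake's warning channel. The `if`/`elseif` chain continues outside the hunk.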

+ 10 - 20
core/iwasm/libraries/libc-uvwasi/libc_uvwasi.cmake

@@ -10,7 +10,7 @@ set(CMAKE_POLICY_VERSION_MINIMUM 3.5 FORCE)
 
 set (LIBC_WASI_DIR ${CMAKE_CURRENT_LIST_DIR})
 
-set (LIBUV_VERSION v1.46.0)
+set (LIBUV_VERSION v1.51.0)
 
 add_definitions (-DWASM_ENABLE_LIBC_WASI=1 -DWASM_ENABLE_UVWASI=1)
 
@@ -29,15 +29,10 @@ else()
         GIT_REPOSITORY https://github.com/libuv/libuv.git
         GIT_TAG ${LIBUV_VERSION}
     )
-    FetchContent_GetProperties(libuv)
-    if (NOT libuv_POPULATED)
-        message("-- Fetching libuv ..")
-        FetchContent_Populate(libuv)
-        include_directories("${libuv_SOURCE_DIR}/include")
-        add_subdirectory(${libuv_SOURCE_DIR} ${libuv_BINARY_DIR} EXCLUDE_FROM_ALL)
-        set (LIBUV_LIBRARIES uv_a)
-        set_target_properties(uv_a PROPERTIES POSITION_INDEPENDENT_CODE 1)
-    endif()
+    FetchContent_MakeAvailable(libuv)
+    include_directories("${libuv_SOURCE_DIR}/include")
+    set (LIBUV_LIBRARIES uv_a)
+    set_target_properties(uv_a PROPERTIES POSITION_INDEPENDENT_CODE 1)
 endif()
 
 ## uvwasi
@@ -48,17 +43,12 @@ else()
     FetchContent_Declare(
         uvwasi
         GIT_REPOSITORY https://github.com/nodejs/uvwasi.git
-        GIT_TAG main
+        GIT_TAG v0.0.21
     )
-    FetchContent_GetProperties(uvwasi)
-    if (NOT uvwasi_POPULATED)
-        message("-- Fetching uvwasi ..")
-        FetchContent_Populate(uvwasi)
-        include_directories("${uvwasi_SOURCE_DIR}/include")
-        add_subdirectory(${uvwasi_SOURCE_DIR} ${uvwasi_BINARY_DIR} EXCLUDE_FROM_ALL)
-        set (UVWASI_LIBRARIES uvwasi_a)
-        set_target_properties(uvwasi_a PROPERTIES POSITION_INDEPENDENT_CODE 1)
-    endif()
+    FetchContent_MakeAvailable(uvwasi)
+    include_directories("${uvwasi_SOURCE_DIR}/include")
+    set (UVWASI_LIBRARIES uvwasi_a)
+    set_target_properties(uvwasi_a PROPERTIES POSITION_INDEPENDENT_CODE 1)
 endif()
 
 set (UV_A_LIBS ${LIBUV_LIBRARIES} ${UVWASI_LIBRARIES})
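Review bot: Both `GIT_TAG ${LIBUV_VERSION}` (now `v1.51.0`) and `GIT_TAG v0.0.21` pin to tag names, which an upstream repository can move; for a dependency that implements the sandbox boundary, a full commit hash with the tag kept as a comment is the reproducible form, e.g. `GIT_TAG <full-commit-sha>  # v0.0.21`. Separately, the removed `add_subdirectory(... EXCLUDE_FROM_ALL)` calls kept the fetched projects out of the default build. `FetchContent_MakeAvailable` does not do that unless `EXCLUDE_FROM_ALL` is given to `FetchContent_Declare`, which needs CMake 3.28 or newer, so the libuv and uvwasi targets and install rules may now join the `all` target. A short comment above each `FetchContent_Declare` stating why that version was chosen would help the next bump. Both `else()` branches start outside the hunks.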

+ 18 - 0
core/iwasm/libraries/libc-uvwasi/libc_uvwasi_wrapper.c

@@ -890,6 +890,24 @@ wasi_path_symlink(wasm_exec_env_t exec_env, const char *old_path,
     if (!uvwasi)
         return (wasi_errno_t)-1;
 
+    /*
+     * check if old_path is valid.
+     * if it is a symlink, follow it.
+     *
+     * this is a workaround for the fact that
+     * uvwasi_path_symlink does not check if the old_path is valid
+     *
+     * the goal is trigger uvwasi__resolve_path() to check
+     */
+    {
+        uvwasi_filestat_t filestat = { 0 };
+        wasi_errno_t err =
+            uvwasi_path_filestat_get(uvwasi, fd, UVWASI_LOOKUP_SYMLINK_FOLLOW,
+                                     old_path, old_path_len, &filestat);
+        if (err)
+            return err;
+    }
+
     return uvwasi_path_symlink(uvwasi, old_path, old_path_len, fd, new_path,
                                new_path_len);
 }
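Review bot: The added pre-check resolves `old_path` relative to `fd`, but a symlink's target is interpreted relative to the directory that will hold `new_path`, so the path validated here is not necessarily the one the link ends up pointing to. The check is also a separate call from `uvwasi_path_symlink`, so the file system can change between the two. It additionally fails for targets that do not exist yet, which symlink creation usually permits; that looks like a behaviour change callers should be told about. The block comment should state these limits, for example `/* best-effort: validates old_path against fd only, is not atomic with the symlink call, and rejects dangling targets */`. The result is also stored in a `wasi_errno_t` without the `(wasi_errno_t)` cast used on the early return above. The body of `wasi_path_symlink` starts outside the hunk.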