parse: Consolidate metadata limits into max_metadata_size

Replace max_pax_size, max_gnu_long_size, and the previous max_path_len
with two cleaner limits:

- max_metadata_size: u32 — aggregate budget for all extension data
  (PAX headers + GNU long name/link) per entry. Default 1 MiB.
  Consolidates PaxTooLarge/GnuLongTooLarge into MetadataTooLarge.

- max_path_len: Option<u32> — optional filesystem-level path length
  check. None by default (we're a parser, not a filesystem). Callers
  extracting to disk should set this to libc::PATH_MAX or equivalent.

Also add Limits::check_path_len() helper and track running metadata
size in PendingMetadata.

Assisted-by: OpenCode (Claude claude-opus-4-6)

Author: cgwalters

src/parse.rs

@@ -81,37 +81,36 @@ use crate::{
 ///
 /// // Customize limits
 /// let strict_limits = Limits {
-///     max_path_len: 1024,
-///     max_pax_size: 64 * 1024,
+///     max_metadata_size: 64 * 1024,
+///     // Set to libc::PATH_MAX when extracting to disk
+///     max_path_len: Some(4096),
 ///     ..Default::default()
 /// };
 /// ```
 #[derive(Debug, Clone, PartialEq, Eq)]
 pub struct Limits {
-    /// Maximum path length in bytes.
+    /// Maximum total size of all extension metadata for a single entry, in bytes.
     ///
-    /// Applies to both file paths and link targets. Paths exceeding this
-    /// limit will cause a [`ParseError::PathTooLong`] error.
-    ///
-    /// Default: 4096 bytes (Linux PATH_MAX).
-    pub max_path_len: usize,
-
-    /// Maximum size of PAX extended header data in bytes.
-    ///
-    /// This limits the total size of a single PAX 'x' entry's content.
-    /// PAX headers larger than this will cause a [`ParseError::PaxTooLarge`] error.
+    /// This is an aggregate budget: the combined size of PAX extended headers,
+    /// GNU long name, and GNU long link data for one file entry must not exceed
+    /// this limit. Exceeding it will cause a [`ParseError::MetadataTooLarge`]
+    /// error.
     ///
     /// Default: 1 MiB (1,048,576 bytes).
-    pub max_pax_size: u64,
+    pub max_metadata_size: u32,
 
-    /// Maximum size of GNU long name/link data in bytes.
+    /// Optional maximum path length in bytes.
+    ///
+    /// When set, paths and link targets exceeding this limit will cause a
+    /// [`ParseError::PathTooLong`] error. When `None`, no path length check
+    /// is performed (the default).
     ///
-    /// GNU 'L' (long name) and 'K' (long link) entries should only contain
-    /// a single path. Values exceeding this limit will cause a
-    /// [`ParseError::GnuLongTooLarge`] error.
+    /// Callers extracting to a real filesystem should set this to
+    /// `libc::PATH_MAX` (4096 on Linux, 1024 on macOS) or the appropriate
+    /// platform constant.
     ///
-    /// Default: 4096 bytes.
-    pub max_gnu_long_size: u64,
+    /// Default: `None`.
+    pub max_path_len: Option<u32>,
 
     /// Maximum number of consecutive metadata entries before an actual entry.
     ///
@@ -145,9 +144,8 @@ pub struct Limits {
 impl Default for Limits {
     fn default() -> Self {
         Self {
-            max_path_len: 4096,
-            max_pax_size: 1024 * 1024, // 1 MiB
-            max_gnu_long_size: 4096,
+            max_metadata_size: 1024 * 1024, // 1 MiB
+            max_path_len: None,
             max_pending_entries: 16,
             max_sparse_entries: 10_000,
             strict: true,
@@ -169,9 +167,8 @@ impl Limits {
     #[must_use]
     pub fn permissive() -> Self {
         Self {
-            max_path_len: usize::MAX,
-            max_pax_size: u64::MAX,
-            max_gnu_long_size: u64::MAX,
+            max_metadata_size: u32::MAX,
+            max_path_len: None,
             max_pending_entries: usize::MAX,
             max_sparse_entries: 1_000_000,
             strict: false,
@@ -185,14 +182,26 @@ impl Limits {
     #[must_use]
     pub fn strict() -> Self {
         Self {
-            max_path_len: 1024,
-            max_pax_size: 64 * 1024, // 64 KiB
-            max_gnu_long_size: 1024,
+            max_metadata_size: 64 * 1024, // 64 KiB
+            max_path_len: Some(4096),
             max_pending_entries: 8,
             max_sparse_entries: 1000,
             strict: true,
         }
     }
+
+    /// Check a path length against the configured limit.
+    ///
+    /// Returns `Ok(())` if the path is within the limit (or no limit is set),
+    /// or `Err(ParseError::PathTooLong)` if it exceeds it.
+    pub fn check_path_len(&self, len: usize) -> Result<()> {
+        if let Some(limit) = self.max_path_len {
+            if len > limit as usize {
+                return Err(ParseError::PathTooLong { len, limit });
+            }
+        }
+        Ok(())
+    }
 }
 
 // ============================================================================
@@ -225,25 +234,19 @@ pub enum ParseError {
         /// Actual path length.
         len: usize,
         /// Configured limit.
-        limit: usize,
+        limit: u32,
     },
 
-    /// PAX extended header exceeds configured maximum size.
-    #[error("PAX header exceeds limit: {size} bytes > {limit} bytes")]
-    PaxTooLarge {
-        /// Actual PAX header size.
-        size: u64,
-        /// Configured limit.
-        limit: u64,
-    },
-
-    /// GNU long name/link exceeds configured maximum size.
-    #[error("GNU long name/link exceeds limit: {size} bytes > {limit} bytes")]
-    GnuLongTooLarge {
-        /// Actual GNU long name/link size.
+    /// Extension metadata exceeds configured maximum size.
+    ///
+    /// The aggregate size of all extension data (PAX headers, GNU long
+    /// name/link) for a single entry exceeded [`Limits::max_metadata_size`].
+    #[error("metadata exceeds limit: {size} bytes > {limit} bytes")]
+    MetadataTooLarge {
+        /// Total metadata size that would result.
         size: u64,
         /// Configured limit.
-        limit: u64,
+        limit: u32,
     },
 
     /// Duplicate GNU long name entry without an intervening actual entry.
@@ -575,6 +578,8 @@ struct PendingMetadata<'a> {
     gnu_long_link: Option<&'a [u8]>,
     pax_extensions: Option<&'a [u8]>,
     count: usize,
+    /// Running total of all extension data bytes accumulated so far.
+    metadata_size: u64,
 }
 
 /// Context for GNU sparse entries, passed from `handle_gnu_sparse` to
@@ -880,11 +885,11 @@ impl Parser {
             // them here. Routing through emit_entry would fail because
             // global headers have arbitrary metadata fields.
             EntryType::XGlobalHeader => {
-                // Check size limit (same as local PAX headers)
-                if size > self.limits.max_pax_size {
-                    return Err(ParseError::PaxTooLarge {
+                // Check size limit
+                if size > self.limits.max_metadata_size as u64 {
+                    return Err(ParseError::MetadataTooLarge {
                         size,
-                        limit: self.limits.max_pax_size,
+                        limit: self.limits.max_metadata_size,
                     });
                 }
 
@@ -956,25 +961,12 @@ impl Parser {
             });
         }
 
-        // Check size limit
-        let max_size = match kind {
-            ExtensionKind::GnuLongName | ExtensionKind::GnuLongLink => {
-                self.limits.max_gnu_long_size
-            }
-            ExtensionKind::Pax => self.limits.max_pax_size,
-        };
-        if size > max_size {
-            return Err(match kind {
-                ExtensionKind::GnuLongName | ExtensionKind::GnuLongLink => {
-                    ParseError::GnuLongTooLarge {
-                        size,
-                        limit: max_size,
-                    }
-                }
-                ExtensionKind::Pax => ParseError::PaxTooLarge {
-                    size,
-                    limit: max_size,
-                },
+        // Check aggregate metadata size limit
+        let new_metadata_size = slices.metadata_size + size;
+        if new_metadata_size > self.limits.max_metadata_size as u64 {
+            return Err(ParseError::MetadataTooLarge {
+                size: new_metadata_size,
+                limit: self.limits.max_metadata_size,
             });
         }
 
@@ -1000,17 +992,13 @@ impl Parser {
             if let Some(trimmed) = data.strip_suffix(&[0]) {
                 data = trimmed;
             }
-            if data.len() > self.limits.max_path_len {
-                return Err(ParseError::PathTooLong {
-                    len: data.len(),
-                    limit: self.limits.max_path_len,
-                });
-            }
+            self.limits.check_path_len(data.len())?;
         }
 
-        // Build new pending slices with the added extension data
+        // Build new pending metadata with the added extension data
         let mut new_slices = PendingMetadata {
             count: slices.count + 1,
+            metadata_size: new_metadata_size,
             ..slices
         };
         match kind {
@@ -1391,21 +1379,11 @@ impl Parser {
 
                 match key {
                     PAX_PATH => {
-                        if value.len() > self.limits.max_path_len {
-                            return Err(ParseError::PathTooLong {
-                                len: value.len(),
-                                limit: self.limits.max_path_len,
-                            });
-                        }
+                        self.limits.check_path_len(value.len())?;
                         path = Cow::Borrowed(value);
                     }
                     PAX_LINKPATH => {
-                        if value.len() > self.limits.max_path_len {
-                            return Err(ParseError::PathTooLong {
-                                len: value.len(),
-                                limit: self.limits.max_path_len,
-                            });
-                        }
+                        self.limits.check_path_len(value.len())?;
                         link_target = Some(Cow::Borrowed(value));
                     }
                     PAX_SIZE => {
@@ -1523,12 +1501,7 @@ impl Parser {
                         }
                     }
                     PAX_GNU_SPARSE_NAME => {
-                        if value.len() > self.limits.max_path_len {
-                            return Err(ParseError::PathTooLong {
-                                len: value.len(),
-                                limit: self.limits.max_path_len,
-                            });
-                        }
+                        self.limits.check_path_len(value.len())?;
                         pax_sparse_name = Some(value);
                     }
 
@@ -1570,12 +1543,7 @@ impl Parser {
         }
 
         // Validate final path length
-        if path.len() > self.limits.max_path_len {
-            return Err(ParseError::PathTooLong {
-                len: path.len(),
-                limit: self.limits.max_path_len,
-            });
-        }
+        self.limits.check_path_len(path.len())?;
 
         let entry = ParsedEntry {
             header,
@@ -1632,24 +1600,23 @@ mod tests {
     #[test]
     fn test_default_limits() {
         let limits = Limits::default();
-        assert_eq!(limits.max_path_len, 4096);
-        assert_eq!(limits.max_pax_size, 1024 * 1024);
-        assert_eq!(limits.max_gnu_long_size, 4096);
+        assert_eq!(limits.max_metadata_size, 1024 * 1024);
+        assert_eq!(limits.max_path_len, None);
         assert_eq!(limits.max_pending_entries, 16);
     }
 
     #[test]
     fn test_permissive_limits() {
         let limits = Limits::permissive();
-        assert_eq!(limits.max_path_len, usize::MAX);
-        assert_eq!(limits.max_pax_size, u64::MAX);
+        assert_eq!(limits.max_metadata_size, u32::MAX);
+        assert_eq!(limits.max_path_len, None);
     }
 
     #[test]
     fn test_strict_limits() {
         let limits = Limits::strict();
-        assert!(limits.max_path_len < Limits::default().max_path_len);
-        assert!(limits.max_pax_size < Limits::default().max_pax_size);
+        assert_eq!(limits.max_path_len, Some(4096));
+        assert!(limits.max_metadata_size < Limits::default().max_metadata_size);
     }
 
     #[test]
@@ -2290,7 +2257,7 @@ mod tests {
 
     #[test]
     fn test_parser_global_pax_header_too_large() {
-        // Global PAX header exceeding max_pax_size should error
+        // Global PAX header exceeding max_metadata_size should error
         let large_value = "x".repeat(1000);
 
         let mut archive = Vec::new();
@@ -2302,13 +2269,13 @@ mod tests {
         archive.extend(zeroes(1024));
 
         let limits = Limits {
-            max_pax_size: 100,
+            max_metadata_size: 100,
             ..Default::default()
         };
         let mut parser = Parser::new(limits);
         let result = parser.parse(&archive);
 
-        assert!(matches!(result, Err(ParseError::PaxTooLarge { .. })));
+        assert!(matches!(result, Err(ParseError::MetadataTooLarge { .. })));
     }
 
     #[test]
@@ -2606,13 +2573,13 @@ mod tests {
         archive.extend(zeroes(1024));
 
         let limits = Limits {
-            max_gnu_long_size: 100,
+            max_metadata_size: 100,
             ..Default::default()
         };
         let mut parser = Parser::new(limits);
         let result = parser.parse(&archive);
 
-        assert!(matches!(result, Err(ParseError::GnuLongTooLarge { .. })));
+        assert!(matches!(result, Err(ParseError::MetadataTooLarge { .. })));
     }
 
     #[test]
@@ -2625,7 +2592,7 @@ mod tests {
         archive.extend(zeroes(1024));
 
         let limits = Limits {
-            max_path_len: 100,
+            max_path_len: Some(100),
             ..Default::default()
         };
         let mut parser = Parser::new(limits);
@@ -2642,7 +2609,7 @@ mod tests {
 
     #[test]
     fn test_parser_pax_too_large() {
-        // Create a PAX header that exceeds the size limit
+        // Create a PAX header that exceeds the metadata size limit
         let large_value = "x".repeat(1000);
 
         let mut archive = Vec::new();
@@ -2651,13 +2618,13 @@ mod tests {
         archive.extend(zeroes(1024));
 
         let limits = Limits {
-            max_pax_size: 100,
+            max_metadata_size: 100,
             ..Default::default()
         };
         let mut parser = Parser::new(limits);
         let result = parser.parse(&archive);
 
-        assert!(matches!(result, Err(ParseError::PaxTooLarge { .. })));
+        assert!(matches!(result, Err(ParseError::MetadataTooLarge { .. })));
     }
 
     // =========================================================================