Auto merge of #691 - rust-lang:dependabot/cargo/remove_dir_all-0.8.0, r=Mark-Simulacrum

Bump remove_dir_all from 0.7.0 to 0.8.0

Bumps [remove_dir_all](https://github.com/XAMPPRocky/remove_dir_all) from 0.7.0 to 0.8.0.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/XAMPPRocky/remove_dir_all/blob/master/CHANGELOG.md">remove_dir_all's changelog</a>.</em></p>
<blockquote>
<h1>0.8.0</h1>
<h2>Security changes</h2>
<ul>
<li>
<p>Fix TOCTOU race conditions both inside the implementation of functions and the
contract: functions now only operate on directories. Callers wanting to
process the contents of a symlink (e.g. for remove_dir_contents) should
resolve the symlink themselves. This is an API break from 0.7.0, but the previous behaviour was insecure.</p>
<p>This is due to the same code pattern as caused CVE-2022-21658 in Rust itself:
it was possible to trick a privileged process doing a recursive delete in an
attacker controlled directory into deleting privileged files, on all operating
systems.</p>
<p>For instance, consider deleting a tree called 'etc' in a parent directory
called 'p'. Between calling <code>remove_dir_all(&quot;a&quot;)</code> and remove_dir_all(&quot;a&quot;)
actually starting its work, the attacker can move 'p' to 'p-prime', and
replace 'p' with a symlink to '/'. Then the privileged process deletes 'p/etc'
which is actually /etc, and now your system is broken. There are some
mitigations for this exact scenario, such as CWD relative file lookup, but
they are not guaranteed - any code using absolute paths will not have that
protection in place.</p>
<p>The same attack could be performed at any point in the directory tree being
deleted: if 'a' contains a child directory called 'etc', attacking the
deletion by replacing 'a' with a link is possible.</p>
<p>The new code in this release mitigates the attack within the directory tree
being deleted by using file-handle relative operations: to open 'a/etc', the
path 'etc' relative to 'a' is opened, where 'a' is represented by a file
descriptor (Unix) or handle (Windows). With the exception of the entry points
into the directory deletion logic, this is robust against manipulation of the
directory hierarchy, and remove_dir_all will only delete files and directories
contained in the tree it is deleting.</p>
<p>The entry path however is a challenge - as described above, there are some
potential mitigations, but since using them must be done by the calling code,
it is hard to be confident about the security properties of the path based
interface.</p>
<p>The new extension trait <code>RemoveDir</code> provides an interface where it is much
harder to get it wrong.</p>
<p><code>somedir.remove_dir_contents(&quot;name-of-child&quot;)</code>.</p>
<p>Callers can then make their own security evaluation about how to securely get
a directory handle. That is still not particularly obvious, and we're going to
follow up with a helper of some sort (probably in the <code>fs_at</code> crate). Once
that is available, the path based entry points will get deprecated.</p>
</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="https://github.com/XAMPPRocky/remove_dir_all/commit/e1066ef446381d97decbc9c9116c316148292cba"><code>e1066ef</code></a> Release 0.8.0</li>
<li><a href="https://github.com/XAMPPRocky/remove_dir_all/commit/7247a8b6ee59fc99bbb69ca6b3ca4bfd8c809ead"><code>7247a8b</code></a> Merge pull request from GHSA-mc8h-8q98-g5hr</li>
<li><a href="https://github.com/XAMPPRocky/remove_dir_all/commit/be7a410df1d47dc7c996938275debb94415b9881"><code>be7a410</code></a> Update windows-sys requirement from 0.42.0 to 0.45.0 (<a href="https://redirect.github.com/XAMPPRocky/remove_dir_all/issues/52">#52</a>)</li>
<li><a href="https://github.com/XAMPPRocky/remove_dir_all/commit/6ebf7f03505cfff57adca4a89efc64b6156e0749"><code>6ebf7f0</code></a> Use SPDX license format (<a href="https://redirect.github.com/XAMPPRocky/remove_dir_all/issues/50">#50</a>)</li>
<li><a href="https://github.com/XAMPPRocky/remove_dir_all/commit/48e2043d5c3ae2874f4d65f0c8c4c5b0492c31fe"><code>48e2043</code></a> Remove unused <code>num_cpus</code> dependency (<a href="https://redirect.github.com/XAMPPRocky/remove_dir_all/issues/48">#48</a>)</li>
<li><a href="https://github.com/XAMPPRocky/remove_dir_all/commit/720ca0ef0097d4a545a9603c1704fa0797a1b8fe"><code>720ca0e</code></a> Update <code>windows-sys</code> to <code>0.42.0</code> (<a href="https://redirect.github.com/XAMPPRocky/remove_dir_all/issues/47">#47</a>)</li>
<li><a href="https://github.com/XAMPPRocky/remove_dir_all/commit/8b661296ba1ce62d64fdf1798a5590846a5691cd"><code>8b66129</code></a> Migrate from winapi to windows-sys. (<a href="https://redirect.github.com/XAMPPRocky/remove_dir_all/issues/42">#42</a>)</li>
<li><a href="https://github.com/XAMPPRocky/remove_dir_all/commit/d2248555dd1c8aa08327a75fc024b0520f4afe22"><code>d224855</code></a> Make parallelism a default-on feature (<a href="https://redirect.github.com/XAMPPRocky/remove_dir_all/issues/38">#38</a>)</li>
<li><a href="https://github.com/XAMPPRocky/remove_dir_all/commit/08037c9eb12b486e383ef03acb503e21e16eb39f"><code>08037c9</code></a> Remove nightly feature (<a href="https://redirect.github.com/XAMPPRocky/remove_dir_all/issues/37">#37</a>)</li>
<li><a href="https://github.com/XAMPPRocky/remove_dir_all/commit/d8e02e653baf6e55d72796b2a8eae1f92e7c70e9"><code>d8e02e6</code></a> Update env_logger requirement from 0.8.1 to 0.9.0 (<a href="https://redirect.github.com/XAMPPRocky/remove_dir_all/issues/32">#32</a>)</li>
<li>Additional commits viewable in <a href="https://github.com/XAMPPRocky/remove_dir_all/compare/v0.7.0...remove_dir_all@0.8.0">compare view</a></li>
</ul>
</details>
<br />

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=remove_dir_all&package-manager=cargo&previous-version=0.7.0&new-version=0.8.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting ``@dependabot` rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- ``@dependabot` rebase` will rebase this PR
- ``@dependabot` recreate` will recreate this PR, overwriting any edits that have been made to it
- ``@dependabot` merge` will merge this PR after your CI passes on it
- ``@dependabot` squash and merge` will squash and merge this PR after your CI passes on it
- ``@dependabot` cancel merge` will cancel a previously requested merge and block automerging
- ``@dependabot` reopen` will reopen this PR if it is closed
- ``@dependabot` close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- ``@dependabot` ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- ``@dependabot` ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- ``@dependabot` ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/rust-lang/crater/network/alerts).

</details>

Author: bors

Cargo.lock

@@ -50,7 +50,7 @@ rust_team_data = { git = "https://github.com/rust-lang/team" }
 systemstat = "0.1.11"
 rustwide = { version = "0.15.0", features = ["unstable", "unstable-toolchain-ci"] }
 percent-encoding = "2.1.0"
-remove_dir_all = "0.7"
+remove_dir_all = "0.8"
 ctrlc = "3.1.3"
 prometheus = "0.7.0"
 cargo_metadata = "0.15"