The kstring integration in gix-attributes is unsound about gitoxide HOT 5 CLOSED

I suggest that you go ahead with making the advisory contribution, and @ssbr can collaborate there as/if desired.

I have opened rustsec/advisory-db#2027 for this.

from gitoxide.

Thanks for bringing this up!

It was quite a hack to begin with and I don't recall why it had to be kstring here. And even though small-string optimisation should be possible, it definitely shouldn't be traded for safety.

Edit: I looked into this more and the idea was that it parses as zero-copy, but then typically converts to owned instances at some point. This is definitely where non-UTF8 could be exposed to places where UTF8 is expected.

from gitoxide.

It's worth noting that without kstring, there is a 5% performance loss for an attribute-matching heavy workload. For now I replaced it with BString, but hope to get to try a SmallVec implementation as well.

❯ hyperfine  "/Users/byron/dev/github.com/Byron/gitoxide/target/release/gix index entries ':(attr:export-ignore)' -i" "gix index entries ':(attr:export-ignore)' -i"
Benchmark 1: /Users/byron/dev/github.com/Byron/gitoxide/target/release/gix index entries ':(attr:export-ignore)' -i
  Time (mean ± σ):     820.1 ms ±  71.7 ms    [User: 759.9 ms, System: 85.9 ms]
  Range (min … max):   778.8 ms … 984.3 ms    10 runs

  Warning: Statistical outliers were detected. Consider re-running this benchmark on a quiet system without any interferences from other programs. It might help to use the '--warmup' or '--prepare' options.

Benchmark 2: gix index entries ':(attr:export-ignore)' -i
  Time (mean ± σ):     782.1 ms ±   1.8 ms    [User: 760.1 ms, System: 43.2 ms]
  Range (min … max):   780.0 ms … 786.0 ms    10 runs

Summary
  gix index entries ':(attr:export-ignore)' -i ran
    1.05 ± 0.09 times faster than /Users/byron/dev/github.com/Byron/gitoxide/target/release/gix index entries ':(attr:export-ignore)' -i

from gitoxide.

I recommend that an informational RUSTSEC advisory be created to document that gix-attributes was unsound--as described in this issue--prior to version 0.22.3.

This will help to notify interested users that they may wish to upgrade, and is part of what the RUSTSEC database tracks:

RustSec also tracks soundness issues as informational advisories, independent of whether they are vulnerabilities or not. A soundness issue arises when using a crate from safe code can cause Undefined Behavior.

This can be done by opening a pull request on the advisory-db repository in accordance with these instructions (which apply to informational advisories as well as those documenting vulnerabilities).

@ssbr I would be happy to contribute this. But I wanted to check with you first in case you want to do it. If not, I'll go ahead and open a PR and, unless you think it should be done differently, I would use text you wrote in this issue description and credit you in a Co-authored-by: trailer in the commit message.

from gitoxide.

Thanks for bringing this up, I think it's the right call, too.

I suggest that you go ahead with making the advisory contribution, and @ssbr can collaborate there as/if desired.

from gitoxide.