The kstring integration in gix-attributes is unsound #1460
Comments
|
Thanks for bringing this up! It was quite a hack to begin with and I don't recall why it had to be Edit: I looked into this more and the idea was that it parses as zero-copy, but then typically converts to owned instances at some point. This is definitely where non-UTF8 could be exposed to places where UTF8 is expected. |
Let's not trade safety for some convenience.
This reduces performance by 5% at least (in the WebKit repository at 886077e077a496a6e398df52a4b7915d8cd68f76):
```
❯ hyperfine "/Users/byron/dev/github.com/Byron/gitoxide/target/release/gix index entries ':(attr:export-ignore)' -i" "gix index entries ':(attr:export-ignore)' -i"
Benchmark 1: /Users/byron/dev/github.com/Byron/gitoxide/target/release/gix index entries ':(attr:export-ignore)' -i
Time (mean ± σ): 820.1 ms ± 71.7 ms [User: 759.9 ms, System: 85.9 ms]
Range (min … max): 778.8 ms … 984.3 ms 10 runs
Warning: Statistical outliers were detected. Consider re-running this benchmark on a quiet system without any interferences from other programs. It might help to use the '--warmup' or '--prepare' options.
Benchmark 2: gix index entries ':(attr:export-ignore)' -i
Time (mean ± σ): 782.1 ms ± 1.8 ms [User: 760.1 ms, System: 43.2 ms]
Range (min … max): 780.0 ms … 786.0 ms 10 runs
Summary
gix index entries ':(attr:export-ignore)' -i ran
1.05 ± 0.09 times faster than /Users/byron/dev/github.com/Byron/gitoxide/target/release/gix index entries ':(attr:export-ignore)' -i
```
|
It's worth noting that without |
Let's not trade safety for some convenience.
This reduces performance by 5% at least (in the WebKit repository at 886077e077a496a6e398df52a4b7915d8cd68f76):
```
❯ hyperfine "/Users/byron/dev/github.com/Byron/gitoxide/target/release/gix index entries ':(attr:export-ignore)' -i" "gix index entries ':(attr:export-ignore)' -i"
Benchmark 1: /Users/byron/dev/github.com/Byron/gitoxide/target/release/gix index entries ':(attr:export-ignore)' -i
Time (mean ± σ): 820.1 ms ± 71.7 ms [User: 759.9 ms, System: 85.9 ms]
Range (min … max): 778.8 ms … 984.3 ms 10 runs
Warning: Statistical outliers were detected. Consider re-running this benchmark on a quiet system without any interferences from other programs. It might help to use the '--warmup' or '--prepare' options.
Benchmark 2: gix index entries ':(attr:export-ignore)' -i
Time (mean ± σ): 782.1 ms ± 1.8 ms [User: 760.1 ms, System: 43.2 ms]
Range (min … max): 780.0 ms … 786.0 ms 10 runs
Summary
gix index entries ':(attr:export-ignore)' -i ran
1.05 ± 0.09 times faster than /Users/byron/dev/github.com/Byron/gitoxide/target/release/gix index entries ':(attr:export-ignore)' -i
```
|
I recommend that an informational RUSTSEC advisory be created to document that This will help to notify interested users that they may wish to upgrade, and is part of what the RUSTSEC database tracks:
This can be done by opening a pull request on the advisory-db repository in accordance with these instructions (which apply to informational advisories as well as those documenting vulnerabilities). @ssbr I would be happy to contribute this. But I wanted to check with you first in case you want to do it. If not, I'll go ahead and open a PR and, unless you think it should be done differently, I would use text you wrote in this issue description and credit you in a |
|
Thanks for bringing this up, I think it's the right call, too. I suggest that you go ahead with making the advisory contribution, and @ssbr can collaborate there as/if desired. |
gix-attributes was found by @ssbr to be unsound, as reported in GitoxideLabs/gitoxide#1460. This adds an informational notice for that, as discussed in comments there. It looks like the affected code, having been introduced in GitoxideLabs/gitoxide#400, was present in all versions of the crate prior to the fix in 0.22.3 (which was one of the bugs fixed in GitoxideLabs/gitoxide#1462). Co-authored-by: Devin Jeanpierre <jeanpierreda@google.com>
This makes some minor changes to the advisory description to adapt the text from GitoxideLabs/gitoxide#1460 to be an advisory. For the most part it has remained the same. Changes: * Express the claim of unsoundness with more confidence, since it has been reviewed by the maintainer. * Modify the link to the affected code to point to the latest tag for gix-attributes that has that code. The original link was to a branch, so it was broken when the fix was applied. * Apply inline code formatting in a few more places, where doing so improves stylistic consistency.
I have opened rustsec/advisory-db#2027 for this. |
* Unsoundness notice for gix-attributes (kstring integration) gix-attributes was found by @ssbr to be unsound, as reported in GitoxideLabs/gitoxide#1460. This adds an informational notice for that, as discussed in comments there. It looks like the affected code, having been introduced in GitoxideLabs/gitoxide#400, was present in all versions of the crate prior to the fix in 0.22.3 (which was one of the bugs fixed in GitoxideLabs/gitoxide#1462). Co-authored-by: Devin Jeanpierre <jeanpierreda@google.com> * Small adjustments for advisory This makes some minor changes to the advisory description to adapt the text from GitoxideLabs/gitoxide#1460 to be an advisory. For the most part it has remained the same. Changes: * Express the claim of unsoundness with more confidence, since it has been reviewed by the maintainer. * Modify the link to the affected code to point to the latest tag for gix-attributes that has that code. The original link was to a branch, so it was broken when the fix was applied. * Apply inline code formatting in a few more places, where doing so improves stylistic consistency. --------- Co-authored-by: Devin Jeanpierre <jeanpierreda@google.com>
Let's not trade safety for some convenience.
This reduces performance by 5% at least (in the WebKit repository at 886077e077a496a6e398df52a4b7915d8cd68f76):
```
❯ hyperfine "/Users/byron/dev/github.com/Byron/gitoxide/target/release/gix index entries ':(attr:export-ignore)' -i" "gix index entries ':(attr:export-ignore)' -i"
Benchmark 1: /Users/byron/dev/github.com/Byron/gitoxide/target/release/gix index entries ':(attr:export-ignore)' -i
Time (mean ± σ): 820.1 ms ± 71.7 ms [User: 759.9 ms, System: 85.9 ms]
Range (min … max): 778.8 ms … 984.3 ms 10 runs
Warning: Statistical outliers were detected. Consider re-running this benchmark on a quiet system without any interferences from other programs. It might help to use the '--warmup' or '--prepare' options.
Benchmark 2: gix index entries ':(attr:export-ignore)' -i
Time (mean ± σ): 782.1 ms ± 1.8 ms [User: 760.1 ms, System: 43.2 ms]
Range (min … max): 780.0 ms … 786.0 ms 10 runs
Summary
gix index entries ':(attr:export-ignore)' -i ran
1.05 ± 0.09 times faster than /Users/byron/dev/github.com/Byron/gitoxide/target/release/gix index entries ':(attr:export-ignore)' -i
```
Current behavior 😯
gix-attributes (in state::ValueRef) unsafely creates a
&strfrom a&[u8]containing non-UTF8 data, with the justification that so long as nothing reads the &str and relies on it being UTF-8 in the &str, there is no UB:// SAFETY: our API makes accessing that value as `str` impossible, so illformed UTF8 is never exposed as such.The problem is that the non-UTF8
stris exposed to outside code: first to thekstringcrate itself, which requires UTF-8 in its documentation and may have UB as a consequence of this, but also toserde, where it propagates to e.g.serde_json,serde_yaml, etc., where the same problems occur.As far as I know, this is not sound, and either is or can cause UB down the line in these places that can view the
&str.Expected behavior 🤔
I think gix-attributes should probably use a
Vec<u8>orsmallvecor similar, at least untilkstringcan support bytes.Absolute worst case, one could at least add an
unsafefeature, so that code that opts out ofunsafecan get the slowerVec<u8>-based implementation which is guaranteed to be sound.Git behavior
N/A
Steps to reproduce 🕹
N/A
The text was updated successfully, but these errors were encountered: