
chore(deps): update rust crate gix to 0.63.0 [security] #10


Conversation

renovate-bot

@renovate-bot renovate-bot commented Apr 16, 2024

This PR contains the following updates:

Package Type Update Change
gix workspace.dependencies minor 0.54.1 -> 0.63.0

GitHub Vulnerability Alerts

CVE-2024-32884

Summary

gix-transport does not check the username part of a URL for text that the external ssh program would interpret as an option. A specially crafted clone URL can smuggle options to SSH. The possibilities are syntactically limited, but if a malicious clone URL is used by an application whose current working directory contains a malicious file, arbitrary code execution occurs.

Details

This is related to the patched vulnerability GHSA-rrjw-j4m2-mf34, but appears less severe due to a greater attack complexity. Since https://github.com/Byron/gitoxide/pull/1032, gix-transport checks the host and path portions of a URL for text that has a - in a position that will cause ssh to interpret part or all of the URL as an option argument. But it does not check the non-mandatory username portion of the URL.

As in Git, when an address is a URL of the form ssh://username@hostname/path, or when it takes the special form username@hostname:dirs/repo, this is treated as an SSH URL. gix-transport will replace some characters in username with their %-based URL encodings, but otherwise passes username@hostname as an argument to the external ssh command. This happens even if username begins with a hyphen. In that case, ssh treats that argument as an option argument, and attempts to interpret and honor it as a sequence of one or more options possibly followed by an operand for the last option.

This is harder to exploit than GHSA-rrjw-j4m2-mf34, because the possibilities are constrained by:

  • The difficulty of forming an option argument ssh accepts, given that characters such as =, /, and \ are URL-encoded, : is removed, and the argument passed to ssh contains the @ sign and subsequent host identifier, which in an effective attack must be parseable as a suffix of the operand passed to the last option.

    The inability to include a literal = prevents the use of -oNAME=VALUE (e.g., -oProxyCommand=payload). The inability to include a literal / or \ prevents smuggling in a path operand residing outside the current working directory, including on Windows. (Although a ~ character may be smuggled in, ssh does not perform its own tilde expansion, so it does not form an absolute path.)

  • The difficulty, or perhaps impossibility, of completing a connection (other than when arbitrary code execution has been achieved). This complicates or altogether prevents the use of options such as -A and -X together with a connection to a real but malicious server. The reason a connection cannot generally be completed when exploiting this vulnerability is that, because the argument gix-transport intends as a URL is treated as an option argument, ssh treats the subsequent non-option argument git-upload-pack as the host instead of the command, but it is not a valid host name.

    Although ssh supports aliases for hosts, even if git-upload-pack could be made an alias, that is made difficult by the URL-encoding transformation.

However, an attacker who is able to cause a specially named ssh configuration file to be placed in the current working directory can smuggle in an -F option referencing the file, and this allows arbitrary command execution.

This scenario is especially plausible because programs that operate on git repositories are often run in untrusted git repositories, sometimes even to operate on another repository. Situations where this is likely, such that an attacker could predict or arrange it, may for some applications include a malicious repository with a malicious submodule configuration.

Other avenues of exploitation exist, but appear to be less severe. For example, the -E option can be smuggled to create or append to a file in the current directory (or its target, if it is a symlink). There may also be other significant ways to exploit this that have not yet been discovered, or that would arise with new options in future versions of ssh.

PoC

To reproduce the known case that facilitates arbitrary code execution, first create a file in the current directory named configfile@example.com, of the form

ProxyCommand payload

where payload is a command with an observable side effect. On Unix-like systems, this could be date | tee vulnerable or an xdg-open, open, or other command to launch a graphical application. On Windows, this could be the name of a graphical application already in the search path, such as calc.exe.

(Although the syntax permitted in the value of ProxyCommand may vary by platform, this is not limited to running commands in the current directory. That limitation only applies to paths directly smuggled in the username, not to the contents of a separate malicious configuration file. Arbitrary other settings may be specified in configfile@example.com as well.)

Then run:

gix clone 'ssh://-Fconfigfile@example.com/abc'

Or:

gix clone -- '-Fconfigfile@example.com:abc/def'

(The -- is required to ensure that gix is really passing the argument as a URL for use in gix-transport, rather than interpreting it as an option itself, which would not necessarily be a vulnerability.)

In either case, the payload specified in configfile@example.com runs, and its side effect can be observed.

Other cases may likewise be produced, in either of the above two forms of SSH addresses. For example, to create or append to the file errors@example.com, or to create or append to its target if it is a symlink:

gix clone 'ssh://-Eerrors@example.com/abc'
gix clone -- '-Eerrors@example.com:abc/def'

Impact

As in GHSA-rrjw-j4m2-mf34, this would typically require user interaction to trigger an attempt to clone or otherwise connect using the malicious URL. Furthermore, known means of exploiting this vulnerability to execute arbitrary commands require further preparatory steps to establish a specially named file in the current directory. The impact is therefore expected to be lesser, though it is difficult to predict it with certainty because it is not known exactly what scenarios will arise when using the gix-transport library.

Users who use applications that make use of gix-transport are potentially vulnerable, especially:

  • On repositories with submodules that are automatically added, depending how the application manages submodules.
  • When operating on other repositories from inside an untrusted repository.
  • When reviewing contributions from untrusted developers by checking out a branch from an untrusted fork and performing clones from that location.

CVE-2024-35186

Summary

During checkout, gitoxide does not verify that paths point to locations in the working tree. A specially crafted repository can, when cloned, place new files anywhere writable by the application.

Details

Although gix-worktree-state checks for collisions with existing files, it does not itself check if a path is really in the working tree when performing a checkout, nor do the path checks in gix-fs and gix-worktree prevent this. Cloning an untrusted repository containing specially crafted tree or blob names will create new files outside the repository, or inside the repository or a submodule's .git directory. The simplest cases are:

  • A tree named .. to traverse upward. This facilitates arbitrary code execution because files can be placed in one or more locations where they are likely to be executed soon.
  • A tree named .git to enter a .git directory. This facilitates arbitrary code execution because hooks can be installed.

A number of alternatives that achieve the same effect are also possible, some of which correspond to specific vulnerabilities that have affected Git in the past:

  • A tree or blob whose name contains one or more /, to traverse upward or downward. For example, even without containing any tree named .. or .git, a repository can represent a file named ../outside or .git/hooks/pre-commit. This is distinct from the more intuitive case of a repository containing trees that represent those paths.
  • On Windows, a tree or blob whose name contains one or more \, to traverse upward or downward. (Unlike /, these are valid on other systems.) See GHSA-xjx4-8694-q2fq.
  • On a case-insensitive filesystem (such as NTFS, APFS, or HFS+), a tree named as a case variant of .git.
  • On HFS+, a tree named like .git or a case variant, with characters added that HFS+ ignores in collation. See git/git@6162a1d.
  • On NTFS, a tree equivalent to .git (or a case variant) by the use of NTFS stream notation, such as .git::$INDEX_ALLOCATION. See GHSA-5wph-8frv-58vj.
  • On an NTFS volume with 8.3 aliasing enabled, a tree named as git~1 (or a case variant). See GHSA-589j-mmg9-733v.

When a checkout creates some files outside the repository directory but fails to complete, the repository directory is usually removed, but the outside files remain.
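An added example, not gitoxide's own code, of the per-component checks the advisory calls for when a checkout joins tree and blob names into a path: `..`, embedded separators, and the `.git` spellings listed above (case variants, HFS+ collation-ignored characters, NTFS stream notation, the `git~1` 8.3 alias). The function names and the `protect_*` flags echo the `core.protectHFS`/`core.protectNTFS` naming but are this example's assumptions, as is the HFS+ ignorable-character list.

```rust
// Added example, not gitoxide's code. Validates the raw tree/blob names a
// checkout would join into a path and refuses anything that would escape
// the working tree or resolve to a `.git` directory.

// Assumption: code points that HFS+ ignores when comparing names. This list
// follows the one Git's own `.git` check strips; treat it as given here.
const HFS_IGNORABLE: &[char] = &[
    '\u{200C}', '\u{200D}', '\u{200E}', '\u{200F}', '\u{202A}', '\u{202B}',
    '\u{202C}', '\u{202D}', '\u{202E}', '\u{206A}', '\u{206B}', '\u{206C}',
    '\u{206D}', '\u{206E}', '\u{206F}', '\u{FEFF}',
];

#[derive(Debug, PartialEq)]
pub enum PathVerdict {
    Ok,
    /// `..` or an embedded separator would leave the intended directory.
    Traversal(String),
    /// The component resolves to `.git` on some filesystem.
    DotGit { component: String, reason: &'static str },
}

/// Strip an NTFS stream suffix (`name::$DATA`, `name:stream`) and trailing
/// dots/spaces, which NTFS drops when resolving a name.
fn ntfs_normalize(c: &str) -> &str {
    let c = c.split(':').next().unwrap_or(c);
    c.trim_end_matches(|ch: char| ch == '.' || ch == ' ')
}

/// Does this single component name `.git` on a case-insensitive or
/// otherwise lenient filesystem? Returns the reason when it does.
pub fn is_dotgit_variant(component: &str, protect_hfs: bool, protect_ntfs: bool) -> Option<&'static str> {
    if component.eq_ignore_ascii_case(".git") {
        return Some(".git or a case variant");
    }
    if protect_hfs {
        let stripped: String = component
            .chars()
            .filter(|ch| !HFS_IGNORABLE.contains(ch))
            .collect();
        if stripped.eq_ignore_ascii_case(".git") {
            return Some("HFS+ collation-ignored characters");
        }
    }
    if protect_ntfs {
        let n = ntfs_normalize(component);
        if n.eq_ignore_ascii_case(".git") {
            return Some("NTFS stream or trailing dot/space");
        }
        if n.eq_ignore_ascii_case("git~1") {
            return Some("NTFS 8.3 short-name alias");
        }
    }
    None
}

/// Check every component of a tree-entry path as the checkout would join it.
/// `components` are the raw tree/blob names, one per nesting level.
/// `protect_windows` also treats `\` as a separator on non-Windows hosts.
pub fn check_checkout_path(
    components: &[&str],
    protect_hfs: bool,
    protect_ntfs: bool,
    protect_windows: bool,
) -> PathVerdict {
    for &c in components {
        // A name containing a separator is not a single component at all.
        if c == ".." || c.contains('/') || (protect_windows && c.contains('\\')) {
            return PathVerdict::Traversal(c.to_string());
        }
        if let Some(reason) = is_dotgit_variant(c, protect_hfs, protect_ntfs) {
            return PathVerdict::DotGit { component: c.to_string(), reason };
        }
    }
    PathVerdict::Ok
}
```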

PoC

For simplicity, these examples stage a stand-in file with a valid name, modify the index, and commit. The instructions assume sed supports -i, which is the case on most systems. If using Windows, a Git Bash shell should be used.

Example: Downward traversal to install hooks

  1. Create a new repository with git init dangerous-repo-installs-hook and cd into the directory.
  2. Create the stand-in called .git@hooks@pre-commit, with the contents:
    #!/bin/sh
    printf 'Vulnerable!\n'
    date >vulnerable
  3. Stage the stand-in: git add --chmod=+x .git@hooks@pre-commit
  4. Edit the index: env LC_ALL=C sed -i.orig 's|\.git@hooks@pre-commit|.git/hooks/pre-commit|' .git/index
  5. Commit: git commit -m 'Initial commit'
  6. Optionally, push to a private remote.

Then, on another or the same machine:

  1. Clone the repository with a gix clone … command.
  2. Enter the newly created directory.
  3. Optionally run ls -l .git/hooks to observe that the pre-commit hook is already present.
  4. Make a new file and commit it with git. This causes the payload surreptitiously installed as a pre-commit hook to run, printing the message Vulnerable! and creating a file in the current directory containing the current date and time.

Note that the effect is not limited to modifying the current directory. The payload could be written to perform any action that the user who runs git commit is capable of.

Example: Upward traversal to create a file above the working tree

  1. Create a new repository with git init dangerous-repo-reaches-up, and cd into the directory.
  2. Create the stand-in: echo 'A file outside the working tree, somehow.' >..@outside
  3. Stage the stand-in: git add ..@outside
  4. Edit the index: env LC_ALL=C sed -i.orig 's|\.\.@outside|../outside|' .git/index
  5. Commit: git commit -m 'Initial commit'
  6. Optionally, push to a private remote.

Then, as above, on the same or another machine, clone the repository with a gix clone … command. Observe that a file named outside is present alongside (not inside) the cloned directory.

Impact

Any use of gix or another application that makes use of gix-worktree-state, or otherwise relies on gix-fs and gix-worktree for validation, is affected, if used to clone untrusted repositories. The above description focuses on code execution, as that leads to a complete loss of confidentiality, integrity, and availability, but creating files outside a working tree without attempting to execute code can directly impact integrity as well.

In use cases where no untrusted repository is ever cloned, this vulnerability has no impact. Furthermore, the impact of this vulnerability may be lower when gix is used to clone a repository for CI/CD purposes, even if untrusted, since in such uses the environment is usually isolated and arbitrary code is usually run deliberately from the repository with necessary safeguards in place.

CVE-2024-35197

Summary

On Windows, fetching refs that clash with legacy device names reads from the devices, and checking out paths that clash with such names writes arbitrary data to the devices. This allows a repository, when cloned, to cause indefinite blocking or the production of arbitrary messages that appear to have come from the application, and potentially other harmful effects under limited circumstances.

Details

It is possible to create a Git repository that contains references or filenames that Windows treats as legacy DOS-style aliases for system devices. When such a repository is cloned:

  • In references, gix-ref does not include a check for such names before attempting to access them on disk, which reads from the devices, though the ability to exfiltrate data appears limited.
  • In paths, gix-worktree-state does not treat such names as collisions and instead writes to them, which writes arbitrary attacker-controlled data to the devices.

Some such device names refer to devices that are often absent or inaccessible. But a few are guaranteed to be available, allowing some attacks to be carried out with low complexity. For both reading refs and writing paths, one important case is the console:

  • Reading a ref whose last component (e.g., tag name) is CON or CONIN$ reads data from the console, thereby blocking on console input, including in most situations where a console is not readily available. This may facilitate denial of service attacks.
  • Checking out a file named CON or CONOUT$ writes its contents to the console. This allows an untrusted repository to produce arbitrary text that appears to be a message from the application. Such text may facilitate social engineering if it is selected to instruct the user to perform a particular action.

Another potentially important case is serial ports. For example, COM1 refers to the first serial port, if present. A malicious repository may be able to disrupt intended use of serial ports or attempt to interact with a device. In some configurations, it may be possible to interfere with the operation of a physical or virtual serial console. On Windows, local access to serial ports is often permitted even for limited user accounts without elevation.

Naming Files, Paths, and Namespaces covers most reserved names. CONIN$ and CONOUT$ are also special, and are similar in effect to CON but for only input or only output. These names are case-insensitive and can also be accessed with file extensions (e.g., CON.txt is equivalent to CON) and with some variations involving added spaces or colons.
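An added example (not gitoxide's code) that reduces a ref component or checkout file name to the stem Windows compares against its device table and refuses the reserved names described above: CON, PRN, AUX, NUL, CONIN$, CONOUT$, and COM1..COM9/LPT1..LPT9, ignoring case, an extension, trailing spaces and a colon suffix. The function names are this example's own.

```rust
// Added example, not gitoxide's code. Decides whether a ref component or a
// checkout file name would resolve to a legacy DOS device on Windows, so a
// clone can refuse it instead of reading from or writing to the device.

const RESERVED: &[&str] = &["CON", "PRN", "AUX", "NUL", "CONIN$", "CONOUT$"];

/// Reduce a single path or ref component to the bare, upper-cased name
/// Windows would compare against its device table: drop anything after the
/// first ':' (stream or colon quirk), the extension, and trailing spaces.
fn device_stem(component: &str) -> String {
    let base = component.split(':').next().unwrap_or("");
    // `CON.txt` is `CON`; a leading '.' yields an empty stem, which is never
    // reserved, so `.git`-style names fall through harmlessly.
    let stem = base.split('.').next().unwrap_or("").trim_end_matches(' ');
    stem.to_ascii_uppercase()
}

/// True when the component names a legacy device.
pub fn is_reserved_device_name(component: &str) -> bool {
    let stem = device_stem(component);
    if RESERVED.contains(&stem.as_str()) {
        return true;
    }
    // COM1..COM9 and LPT1..LPT9; the digit 0 is not a device alias.
    let bytes = stem.as_bytes();
    bytes.len() == 4
        && (stem.starts_with("COM") || stem.starts_with("LPT"))
        && (b'1'..=b'9').contains(&bytes[3])
}

/// A full ref name such as `refs/tags/CON` is unsafe when its last component
/// (the tag name, in the advisory's example) is a device.
pub fn ref_is_safe(full_ref: &str) -> bool {
    full_ref
        .rsplit('/')
        .next()
        .map_or(false, |last| !is_reserved_device_name(last))
}

/// A checkout path is unsafe if any of its components is a device name.
pub fn path_is_safe(path: &str) -> bool {
    !path.split('/').any(is_reserved_device_name)
}
```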

PoC

Ref example

Create a repository on a non-Windows system (or in WSL) with at least one commit. Use git tag CON to create a lightweight tag named CON. Place the repository somewhere it can be cloned on Windows. A file:// URL is sufficient for testing if a private remote is unavailable. If using git push, pass --tags so the remote has the tag.

On a Windows system, clone the repository with gix clone. This command will block immediately, reading input from the console. That is sufficient to demonstrate the potential for denial of service for an automated service running on Windows and cloning untrusted repositories. The experiment can be stopped with Ctrl+C.

However, if desired, input can be provided. Ending input with Ctrl+Z followed by Enter will cause it to be passed to the application. This will lead to an error message, the specific details of which vary by whether the input is empty or nonempty, and whether it matches or does not match the hexadecimal hash of the tagged commit.

Path example

Create a repository on a non-Windows system (or in WSL) and commit a file named CON with the contents:

warning: data loss imminent; you should run EVIL_COMMAND to back up your work!

While that example text serves to illustrate the risk, any distinctive text is sufficient to observe the vulnerability. Place the repository somewhere it can be cloned on Windows. As above, a file:// URL is sufficient.

On a Windows system, clone the repository with gix clone. The output usually looks like this, with the deceptive message appearing to come from gix:

warning: data loss imminent; you should run EVIL_COMMAND to back up your work!
 04:45:15 indexing done 3.0 objects in 0.00s (12.1K objects/s)
 04:45:15 decompressing done 309B in 0.00s (1.2MB/s)
 04:45:15     Resolving done 3.0 objects in 0.05s (58.0 objects/s)
 04:45:15      Decoding done 309B in 0.05s (6.0KB/s)
 04:45:15 writing index file done 1.2KB in 0.00s (7.0MB/s)
 04:45:15  create index file done 3.0 objects in 0.05s (55.0 objects/s)
 04:45:15          read pack done 294B in 0.05s (5.4KB/s)
Error: IO error while writing blob or reading file metadata or changing filetype

Caused by:
    Incorrect function. (os error 1)

The exact placement of the message is nondeterministic. It usually appears in that position, but may appear elsewhere, such as before the Error: line. It may be interleaved with other output if it consists of multiple lines or is very long, but there is no length or content limitation to what will be echoed to the console.

Impact

If Windows is not used, or untrusted repositories are not cloned or otherwise used, then there is no impact.

The impact is expected to be limited in common configurations, but may vary widely depending on what devices exist, how they are being used, how much knowledge an attacker has of the precise details of their use, and whether the user is likely to trust information that appears in a console. Accessing devices through refs is expected to be less dangerous than accessing them through filenames, since it is trivial to attempt to write arbitrary data using filenames.

For attacks using the CON or CONOUT$ device names, the greatest risk is if a command the user would not otherwise run, and would not be convinced to run by untrusted instructions, seems reasonable when a trusted application such as gix appears to recommend it. The user may then be misled into running an attacker's command.

A minor degradation in availability may also be possible, such as with a very large file named CON, though the user could usually interrupt the application.

Release Notes

Byron/gitoxide (gix)

v0.63.0: gix v0.63.0

Compare Source

New Features
  • checkout respects options for core.protectHFS and core.protectNTFS.
    This also adds gitoxide.core.protectWindows as a way to enforce
    additional restrictions that are usually only available on Windows.

    Note that core.protectNTFS is always enabled by default, just like
    it is in Git.

Bug Fixes
  • empty paths as configured will not be an error with lenient configuration enabled.
    When using gix::open_opts(path, options.strict_config(false)), empty core.excludesFile values
    will not cause an error anymore.

    Note that in strict mode, the behaviour is unchanged so invalid configuration can rather be fixed
    than ignored.

  • don't unwrap when reading possibly left-over bytes from pack-stream

Commit Statistics
  • 23 commits contributed to the release over the course of 38 calendar days.
  • 38 days passed between releases.
  • 3 commits were understood as conventional.
  • 2 unique issues were worked on: #1352, #1370
Commit Details
  • #1352
    • Don't unwrap when reading possibly left-over bytes from pack-stream (88a6a4e)
  • #1370
    • Empty paths as configured will not be an error with lenient configuration enabled. (3c7b7b3)
  • Uncategorized
    • Adjust changelogs prior to release (9511416)
    • Merge branch 'various-fixes' (d6cd449)
    • Update dependencies (cd4de83)
    • Fix-CI (6f55f2a)
    • Merge pull request from GHSA-7w47-3wg8-547c (79dce79)
    • Adapt to changes in gix-ref (d2ae9d5)
    • Adapt to changes in gix-index (5f86e6b)
    • Fix compile warnings (f961687)
    • Address review comments (fcc3b69)
    • Apply suggestions from code review (bad9a79)
    • Checkout respects options for core.protectHFS and core.protectNTFS. (886d6b5)
    • Adapt to changes in gix-worktree (1ca6a3c)
    • Merge pull request #1371 from Byron/fix-empty-excludes-file (3c21741)
    • Release gix-date v0.8.6 (d3588ca)
    • Merge branch 'status' (04ef31e)
    • Improve docs to be more approachable from git2 (5197b5a)
    • Merge branch 'status' (e791bc5)
    • Merge branch 'cargo-fixes' (977346e)
    • Release gix-index v0.32.1, gix-pathspec v0.7.4, gix-worktree v0.33.1, gix-dir v0.4.1 (54ac559)
    • Merge pull request #1345 from EliahKagan/shell-scripts (fe24c89)
    • Add missing +x bit on scripts that are run and not sourced (41bf65a)

v0.62.0: gix v0.62

Compare Source

Please note that this release contains a security fix originally implemented in gix-transport via this PR which prevents ssh options from being smuggled into the ssh command-line invocation with a username provided to a clone or fetch URL.

Details can be found in the advisory.

Bug Fixes
  • into_index_worktree_iter() now takes an iterator, instead of a Vec.
    This makes the API more consistent, and one can pass None
    as well.

  • show submodules in status independently of their active state.
    Even inactive submodules are shown in the status by git status,
    so gix should do the same.

    First observed in https://github.com/helix-editor/helix/pull/5645#issuecomment-2016798212

  • forward curl rustls feature from gix-transport to avoid curl in gix.
    This removes the curl dependency just for configuring it, and removes
    a hazard which became evident with reqwest.

Bug Fixes (BREAKING)
  • Make topo more similar to Ancestors, but also rename Ancestors to Simple
Commit Statistics
Thanks Clippy

Clippy helped 1 time to make code idiomatic.

Commit Details

v0.61.1: gix v0.61.1

Compare Source

This release also updates reqwest to v0.12, bringing hyper 1.0 and a more recent rustls version.

Bug Fixes
  • missing closing backtick in gix lib documentation
Commit Statistics
  • 7 commits contributed to the release over the course of 2 calendar days.
  • 3 days passed between releases.
  • 1 commit was understood as conventional.
  • 0 issues like '(#ID)' were seen in commit messages
Commit Details
  • Uncategorized
    • Prepare changelogs prior to release (7018a92)
    • Merge branch 'patch-1' (8fde62b)
    • Turn curl into a workspace package (adee500)
    • Make reqwest a workspace package (369cf1b)
    • Merge pull request #1325 from kdelorey/fix/simple-docs-formatting (3b34699)
    • Fixed opening of backtick in documentation. (f1bc4cd)
    • Missing closing backtick in gix lib documentation (e1fec3c)

v0.61.0: gix v0.61.0

Compare Source

Documentation
  • fix typo
New Features (BREAKING)
  • provide Repository::dirwalk_iter().
    That way, more copying happens but the usability increases tremendously as well.
    It's breaking as public types moved from repository::dirwalk to dirwalk,
    dissolving repository::dirwalk entirely.
Commit Statistics
  • 7 commits contributed to the release over the course of 3 calendar days.
  • 3 days passed between releases.
  • 2 commits were understood as conventional.
  • 0 issues like '(#ID)' were seen in commit messages
Commit Details
  • Uncategorized

v0.60.0: gix v0.60.0

Compare Source

New Features
  • add gix status --index-worktree-renames
    This enables rename-tracking between worktree and index, something
    that Git also doesn't do or doesn't do by default.
    It is, however, available in git2.
  • describing commits can now be done with conditional dirty-suffix using commit::describe::Resolution::format_with_dirty_suffix()
  • add Repository::is_dirty()
    The simplest way to learn if the repository is dirty or not.
  • Add Submodule::status() method.
    That way it's possible to obtain submodule status information,
    with enough information to implement git status-like commands.
  • add Status iterator.
    We also move the IndexPersistedOrInMemory type to the worktree module
    as it's more widely useful.
New Features (BREAKING)
  • diff::resource_cache() now takes the attribute stack directly.
    That way, the constructor becomes more versatile as the user can choose
    to pass attribute stacks that have more functionality, and thus can be
    used in more places.
Commit Statistics
  • 15 commits contributed to the release over the course of 10 calendar days.
  • 18 days passed between releases.
  • 6 commits were understood as conventional.
  • 0 issues like '(#ID)' were seen in commit messages
Commit Details
  • Uncategorized
    • Prepare changelogs prior to release (52c3bbd)
    • Merge branch 'status' (3e5c974)
    • Assure submodule status doesn't operate if there is no worktree checkout (3753592)
    • Make summary available for Item. (da45d92)
    • Add gix status --index-worktree-renames (66e87cd)
    • Add status.showUntrackedFiles to config-tree and use it in status() (22abf60)
    • Fix lints for nightly, and clippy (f8ce3d0)
    • Allow configuration of interrupts in status iter (f1ba7bd)
    • Provide a non-parallel version of the status iteration (17bef30)
    • Describing commits can now be done with conditional dirty-suffix using commit::describe::Resolution::format_with_dirty_suffix() (c7ddd30)
    • Add Repository::is_dirty() (c20ad28)
    • Add submodule support for status iterator (4a4989d)
    • Add Submodule::status() method. (a29fa00)
    • Add Status iterator. (0330ad7)
    • diff::resource_cache() now takes the attribute stack directly. (57cf83b)

v0.59.0: gix v0.59.0

Compare Source

New Features
  • add Repository::dirwalk_with_delegate().
    That way it's possible to perform arbitrary directory walks,
    useful for status, clean, and add.
  • add open::Options::current_dir().
    That way it's possible to obtain the current working directory
    with which the repository was opened.
New Features (BREAKING)
  • empty pathspecs with prefix now are optionally matching the prefix.
    Otherwise it's not possible to have the 'no pattern matches everything' case
    which is important in conjunction with prefixes and the requirement to
    still see everything outside of the prefix.
Bug Fixes (BREAKING)
  • leave more control to the user when creating pathspecs
Commit Statistics
  • 18 commits contributed to the release over the course of 30 calendar days.
  • 36 days passed between releases.
  • 4 commits were understood as conventional.
  • 0 issues like '(#ID)' were seen in commit messages
Commit Details
  • Uncategorized
    • Prepare changelogs prior to release (f2e111f)
    • Merge branch 'status' (bb48c4c)
    • Empty pathspecs with prefix now are optionally matching the prefix. (0b1b44f)
    • Leave more control to the user when creating pathspecs (1e85396)
    • Adapt to changes in gix-dir (ab0f63a)
    • Merge pull request #1300 from DianaNites/patch-1 (e186199)
    • Fix a typo in gix::clone::PrepareFetch::new, crate_opts -> create_opts (adbf8e8)
    • Adapt to changes in gix-status (366dfb3)
    • Adapt to changes in gix-dir (e91accc)
    • Merge branch 'panic-msg-fix' (a86a5c0)
    • Fix into_{blob,tag} panic messages (b81d8ae)
    • Merge branch 'dirwalk' (face359)
    • Add Repository::dirwalk_with_delegate(). (6914d1a)
    • Add open::Options::current_dir(). (d8bd45e)
    • Merge branch 'tempfile-permissions' (7b44c7f)
    • Release gix-tempfile v13.1.0, gix-lock v13.1.0, safety bump 12 crates (8430442)
    • Release gix-command v0.3.4 (8a62fb5)
    • Release gix-path v0.10.5 (b8cba96)

v0.58.0: gix v0.58.0

Compare Source

New Features
  • add max-control feature for fine-grained performance control.
    This also adds the following performance features:

    • zlib-ng
    • zlib-ng-compat
    • zlib-stock
    • parallel-walkdir

Bug Fixes
  • object::tree::diff::Platform::for_each_to_obtain_tree(callback) errors are more convenient to use.
    Due to a change in how the generic error type is declared it should now be possible to
    use anyhow with it as well.
Commit Statistics
  • 13 commits contributed to the release over the course of 18 calendar days.
  • 20 days passed between releases.
  • 4 commits were understood as conventional.
  • 1 unique issue was worked on: #670
Commit Details
  • #670
    • object::tree::diff::Platform::for_each_to_obtain_tree(callback) errors are more convenient to use. (e3c5a0f)
  • Uncategorized
    • Prepare changelogs prior to release (6a2e0be)
    • Merge branch 'finegrained-features' (d8570d0)
    • Add max-control feature for fine-grained performance control. (8847676)
    • Merge branch 'dirwalk' (5d176fc)
    • Use gix_fs::current_dir(precompose_unicode). (7d8d167)
    • Adapt to changes in gix-features (eacb5a4)
    • Add env::args_os_opt() which takes an argument to determine input unicode-decomposition (a7e606b)
    • Release gix-trace v0.1.7, gix-features v0.37.2, gix-commitgraph v0.23.2, gix-traverse v0.36.2, gix-index v0.28.2 (b6c04c8)
    • Merge pull request #1248 from joshtriplett/tyop (39f35da)
    • Typo fixes (3ef3bc2)
    • max-performance-zlib-ng-compat flag (1ba9488)
    • Add a max-performance-zlib-ng-compat flag (cfb06ec)

v0.57.1: gix v0.57.1

Compare Source

Chore
  • change rust-version manifest field back to 1.65.
    They didn't actually need to be higher to work, and changing them
    unnecessarily can break downstream CI.

    Let's keep this value as low as possible, and only increase it when
    more recent features are actually used.

Commit Statistics
  • 2 commits contributed to the release.
  • 1 commit was understood as conventional.
  • 0 issues like '(#ID)' were seen in commit messages
Commit Details
  • Uncategorized
    • Merge branch 'msrv' (8c492d7)
    • Change rust-version manifest field back to 1.65. (3bd09ef)

v0.57.0: gix v0.57.0

Compare Source

Chore
  • upgrade MSRV to v1.70
    Our MSRV follows the one of helix, which in turn follows Firefox.
New Features
  • Repository::rev_parse*() now supports branch@{upstream|push|u|p}.
    Previously it would be parsed, but always error as the implementation didn't exist.
    Now it will return the fetch and push tracking branches respectively.

  • Add Reference::remote_tracking_ref_name() and *::remote_ref_name().
    These methods mirror their respective Repository::branch_* prefixed versions.

  • add Repository::branch_remote_tracking_ref_name().

  • add push.default config key

  • add config::Snapshot::trusted_program().
    That way it's possible to obtain an executable, program or script
    from a key in the configuration that is in a trusted section of the
    configuration.

    This goes along with a new command feature that brings in the command
    module at the top level to be able to execute such commands.

  • add clone::PrepareFetch::with_in_memory_config_overrides().
    With it one can affect the repository configuration right before fetching.

New Features (BREAKING)
  • Repository::remote_names|remote_default_name() now returns Cow<'_, BStr> instead of Cow<'_, str>.
    That way information won't degenerate due to enforcement of UTF-8.
Bug Fixes (BREAKING)
  • rename Repository::branch_remote_ref() to Repository::branch_remote_ref_name(), add direction argument (also to Repository::branch_remote_name() and Repository::branch_remote()).
    This better differentiates the return value from the corresponding ref objects,
    which would require the named ref to exist in the repository.

    The direction argument allows to get the reference to push to as well.
    Further, it now takes a full ref name to support deriving the name of branches
    to push to.

    Regarding Repository::branch_remote(), previously, this functionality
    was only available from a Reference,
    but now it's more generally available with just a branch name.

    The method was also adjusted to permit looking up non-symbolic remote
    names, like remotes that are specified by their URL.

  • mark gix::interrupt::init_handler() as unsafe
    The passed interrupt() argument will be called from a signal
    handler, so that needs to be documented and the call sites need to
    state that they fulfill the contract.

    Thanks to @Manishearth for pointing this out.

Commit Statistics
  • 40 commits contributed to the release over the course of 22 calendar days.
  • 22 days passed between releases.
  • 10 commits were understood as conventional.
  • 4 unique issues were worked on: #1158, #1165, #1178, #1191
Thanks Clippy

Clippy helped 1 time to make code idiomatic.

Commit Details
  • #1158
    • Remove extra-lines from changelog (11c9f66)
  • #1165
  • #1178
    • Add config::Snapshot::trusted_program(). (3f84213)
  • #1191
    • Add note to clarify what users might want to do (2e04403)
  • Uncategorized
    • Prepare changelogs of next release (e78a92b)
    • Merge branch 'maintenance' (4454c9d)
    • Upgrade MSRV to v1.70 (aea89c3)
    • Thanks clippy (d38d1cc)
    • Merge branch 'tracking-branch' (0fe20e8)
    • Refactor (530c15d)
    • Repository::rev_parse*() now supports branch@{upstream|push|u|p}. (3fba5b8)
    • Add Reference::remote_tracking_ref_name() and *::remote_ref_name(). (270322e)
    • Add Repository::branch_remote_tracking_ref_name(). (4aa4b05)
    • Rename Repository::branch_remote_ref() to Repository::branch_remote_ref_name(), add direction argument (also to Repository::branch_remote_name() and Repository::branch_remote()). (404fde5)
    • Repository::remote_names|remote_default_name() now returns Cow<'_, BStr> instead of Cow<'_, str>. (5c07c76)
    • Add push.default config key (8ac2dcc)
    • Merge branch 'match_ceiling_dir_or_error' (cda5b51)
    • Merge branch 'main' into fix-1183 (1691ba6)
    • Release gix-ref v0.39.1 (c1cfe6e)
    • Merge branch 'patch-1' (20dce42)
    • Differentiate between Executable and Program (56d1d09)
    • Add core.editor key (ff71e07)
    • Merge branch 'archive-handling' (7549559)
    • Check all git-lfs managed files into the repository (35439de)
    • Git-lfs might fail early; let's rely on these caches to be recreated, where possible (b6f2b81)
    • Release gix-hash v0.13.3, gix-index v0.27.1 (98b08f4)
    • Merge branch 'mailmap-config-section' (8dda069)
    • Use new mailmap keys and make a few improvements. (7f65ffd)
    • Assign more suitable types to mailmap keys (1bf3e88)
    • Add config section for mailmap.{blob,file}. (86c7fa1)
    • Merge branch 'configure-prepare-fetch' (281fda0)
    • Add clone::PrepareFetch::with_in_memory_config_overrides(). (b5c36b8)
    • Allow overriding Git configuration when cloning. (9833b45)
    • Merge branch 'push-yvzxzqrkkvry' (4917beb)
    • Fixup new unsafe interrupt handler (c23bb87)
    • Mark gix::interrupt::init_handler() as unsafe (59b8104)
    • Reduce size of unsafe block in signal handler (d77bc0e)
    • Release gix-config v0.32.1 (cd26fd8)
    • Merge branch 'adjustments-for-cargo' (56588a9)
    • Fix import/prevent warning (ec0211a)

v0.56.0: gix v0.56.0

New Features
  • add gitoxide.core.externalCommandStderr to allow enabling stderr to the enclosing terminal.
    Previously, this was enabled by default, now it can additionally be disabled by
    the caller.
  • use gitoxide.credentials.helperStderr key to control how stderr is handled with helpers.
    That way users can configure each repository instance according to their needs,
    which includes disabling the stderr of credential helpers.
  • revision::Spec::path_and_mode()
    Provide additional information about revspecs for use with
    worktree filters.
  • add key for diff.external.
    That way it's conceivable that applications correctly run either
    a configured external diff tool, or one that is configured on a
    per diff-driver basis, while being allowed to fall back to
    a built-in implementation as needed.
  • add the diff::resource_cache() low-level utility for rapid in-memory diffing of combinations of resources.
    We also add the object::tree::diff::Platform::for_each_to_obtain_tree_with_cache() to pass a resource-cache
    for re-use between multiple invocations for significant savings.
  • Add config value gitoxide.http.sslNoVerify
    This value can be overridden by the GIT_SSL_NO_VERIFY env variable. We use
    the value to override http.sslVerify when specifying ssl_verify in
    transport Options.
  • In gix read http.sslVerify config value and pass it to gix-transport.
  • add gitoxide.core.refsNamespace key and respect the GIT_NAMESPACE environment variable.
    It's also provided as context value.
  • make verbose-object-parsing-errors available in gix.
    That way, it's easy to create programs that are geared towards
    debugging repositories and finding invalid objects with detailed
    errors.
  • add the gitoxide.credentials.terminalPrompt key to represent the GIT_TERMINAL_PROMPT
    That way, it's easy to control the usage of terminals without using an environment variable.
  • Add http-client-curl-rustls (CLI) and blocking-http-transport-curl-rustls (lib) features to avoid openssl.
    That way, we should be able to avoid crashes on certain CI configurations.
  • add Head::try_into_peeled_object() and Head::peel_to_object_in_place()
    This makes it easier to peel to a specific object type, after
    all tags have been followed, without having to assume an intermediate
    commit.
Bug Fixes
  • assure the correct repository is used for checkouts after clone.
    If this is not the case, it's possible for filters to run in the context of
    potential parent repositories, which then can have all kinds of issues.

    In case of git-lfs, for instance, it would try to download objects
    from the wrong repository.

  • Allow multiple packs to be received one after another.
    Previously it would be difficult to perform another fetch operation on the
    same connection as the final flush packet after a pack wouldn't be consumed.

    This has now been mitigated by consuming it in the one place where knowledge
    about this specialty exists.

  • don't use trust-dns by default when using request.
    It's reported to have issues under certain conditions; please see https://github.com/seanmonstar/reqwest/pull/437 for more.

    The blocking-http-transport-reqwest-rust-tls-trust-dns feature was added
    to provide the same feature-set as before for those who want trust-dns.

  • V1 negotiation won't hang anymore
    The logic previously tried to estimate when a pack can be expected,
    and when a NAK is the end of a block, or the beginning of a pack.

    This can be known because a pack (with our settings) needs two things:

    • the server thinks it's ready
    • a done sent by the client
New Features (BREAKING)
  • object::blob::diff::Platform now performs all necessary conversions.
    Previously it would just offer the git-ODB version of a blob for diffing,
    while it will now make it possible to apply all necessary conversion steps
    for you.

    This also moves Event::diff() to Change::diff(), adds
    Repository::diff_resource_cache() and refactors nearly everything
    about the objects::blob::diff::Platform.

  • generalize rename-tracking engine for later use with status.
    Previously the rename tracking engine was integrated with tree-diffs,
    but already operates in a stand-alone fashion.
    Now it's officially generalized which allows it to be tested separately
    and used when tracking renames for diffs between index and tree, index
    and index, and index and worktree.

  • make it possible to trace incoming and outgoing packetlines.
    Due to the way this is (and has to be) setup, unfortunately one
    has to integrate that with two crates, instead of just one.

    This change touches multiple crates, most of which receive a single
    boolean as last argument to indicate whether the tracing should
    happen in the first place.

  • improve head() peeling API
    Previously it was partially untested and it was hard to obtain an object of choice.

    Further breaking changes:

    • rename Head::peeled() to into_peeled_id()
    • rename Head::into_fully_peeled_id() to try_peel_into_id()
    • rename Head::peel_to_id_in_place() to Head::try_peel_to_id_in_place()
Bug Fixes (BREAKING)
  • rename GITOXIDE_* environment variables to GIX_#
  • Remove unsafe transmute of should_interrupt
    Adds a lifetime to the ExtendedBufRead trait to specify how long the
    callback provided must live.
Commit Statistics
Thanks Clippy

Clippy helped 1 time to make code idiomatic.

Commit Details
  • #1061
    • V1 negotiation won't hang anymore (6295dec)
  • #1076
    • Don't use trust-dns by default when using request. (8d9296f)
  • #1090
    • Add the gitoxide.credentials.terminalPrompt key to represent the GIT_TERMINAL_PROMPT (e95bb9f)
  • #1125
    • Fix; SnapshotMut::set_value() now sets values for keys in subsections as well. (d8452a0)
  • #1129
    • Assure the correct repository is used for checkouts after clone. (0b3eb14)
  • #972
    • Allow multiple packs to be received one after another. (3ff1827)
  • Uncategorized
    • Release gix-worktree-state v0.5.0, gix v0.56.0, gix-fsck v0.1.0, gitoxide-core v0.34.0, gitoxide v0.32.0 (c8568b9)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
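A check a reviewer of this dependency bump may want before merging, added here as example code (not Renovate's, not gitoxide's): it reads a Cargo.lock and reports every `gix` entry pinned below the version this PR moves to. The lockfile fragment is constructed for the example, and `parse_cargo_lock`, `stale_entries` and `lock_is_patched` are names of this example only. It deliberately checks every copy of the crate, because a lockfile can carry several versions of one crate when a transitive dependency still pins an older one, and one updated entry does not mean the old code left the build.

```python
import re

# Constructed Cargo.lock fragment for this example (not taken from the PR):
# one gix entry already at the version this PR moves to, and a second, older
# copy of the kind a transitive dependency can still pin.
SAMPLE_LOCK = """\
[[package]]
name = "gix"
version = "0.63.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "gix"
version = "0.54.1"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "gix-transport"
version = "0.42.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""

_PACKAGE_HEADER = re.compile(r"^\[\[package\]\][ \t]*$", re.M)
_KEY_VALUE = re.compile(r'^(name|version)\s*=\s*"([^"]*)"')


def parse_cargo_lock(text):
    """Return (name, version) for every [[package]] table in a Cargo.lock.

    Only the two keys the check needs are read, so no TOML library is required.
    """
    packages = []
    for table in _PACKAGE_HEADER.split(text)[1:]:
        fields = {}
        for line in table.splitlines():
            match = _KEY_VALUE.match(line)
            if match:
                fields[match.group(1)] = match.group(2)
        if "name" in fields and "version" in fields:
            packages.append((fields["name"], fields["version"]))
    return packages


def parse_version(version):
    """Turn a crate version into a comparable tuple.

    Build metadata after '+' is ignored. A pre-release ('-rc1', '-beta') sorts
    below the same release version, so '0.63.0-rc1' does not satisfy a
    floor of '0.63.0'.
    """
    core, _, pre = version.split("+", 1)[0].partition("-")
    numbers = tuple(int(part) for part in core.split("."))
    return numbers + (0 if pre else 1,)


def stale_entries(lock_text, crate, minimum):
    """Every lock entry for `crate` whose version is below `minimum`.

    All copies are checked: a Cargo.lock may carry several versions of one
    crate when some dependency pins an older one.
    """
    floor = parse_version(minimum)
    return [
        (name, version)
        for name, version in parse_cargo_lock(lock_text)
        if name == crate and parse_version(version) < floor
    ]


def lock_is_patched(lock_text, crate="gix", minimum="0.63.0"):
    """True when `crate` is present and no copy of it is below `minimum`."""
    present = any(name == crate for name, _ in parse_cargo_lock(lock_text))
    return present and not stale_entries(lock_text, crate, minimum)


if __name__ == "__main__":
    for name, version in stale_entries(SAMPLE_LOCK, "gix", "0.63.0"):
        print(f"stale: {name} {version}")
    print("patched:", lock_is_patched(SAMPLE_LOCK))
```

Run against the real lockfile with `lock_is_patched(open("Cargo.lock").read())`; a `False` with a non-empty `stale_entries` list points at the dependency that still needs bumping.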

stackblitz bot commented Apr 16, 2024

Review PR in StackBlitz Codeflow: Run & review this pull request in StackBlitz Codeflow.

changeset-bot bot commented Apr 16, 2024

⚠️ No Changeset found

Latest commit: b6d0630

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@sourcery-ai sourcery-ai bot left a comment

We have skipped reviewing this pull request. Here's why:

  • It seems to have been created by a bot (hey, renovate-bot!). We assume it knows what it's doing!
  • We don't currently review these file types ['.lock', '.toml'] - Let us know if you'd like us to change this.

@renovate-bot renovate-bot force-pushed the renovate/crate-gix-vulnerability branch from 9b60735 to b6d0630 Compare May 23, 2024 02:31
@renovate-bot renovate-bot changed the title chore(deps): update rust crate gix to 0.62.0 [security] chore(deps): update rust crate gix to 0.63.0 [security] May 23, 2024