
GHSA-cx7h-h87r-jpgr gix-attributes

Package

Manager: cargo
Name: gix-attributes
Vulnerable Version: >=0 <0.22.3

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: N/A (percentile: N/A)

Details

The kstring integration in gix-attributes is unsound

`gix-attributes` (in [`state::ValueRef`](https://github.com/Byron/gitoxide/blob/gix-attributes-v0.22.2/gix-attributes/src/state.rs#L19-L27)) unsafely creates a `&str` from a `&[u8]` containing non-UTF-8 data, with the justification that so long as nothing reads the `&str` and relies on it being UTF-8, there is no UB:

```rust
// SAFETY: our API makes accessing that value as `str` impossible, so illformed UTF8 is never exposed as such.
```

The problem is that the non-UTF-8 `str` **is** exposed to outside code: first to the `kstring` crate itself, which requires UTF-8 in its documentation and may have UB as a consequence, but also to `serde`, where it propagates to e.g. `serde_json`, `serde_yaml`, etc., and the same problems occur there. This is not sound, and it could cause further UB down the line in any of the places that can view the `&str`.
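As an added illustration (not code from gitoxide, kstring or serde), the following Rust shows the defensive pattern the advisory implies: keep the attribute value as raw bytes and hand out a `&str` only after `std::str::from_utf8` validation, with an explicit lossy conversion for callers such as a serializer that genuinely need a string. The names `AttrValue` and `serialize_value` and the sample byte sequence are hypothetical and constructed for this example.

```rust
// Added example, not part of gix-attributes. The unsound pattern the advisory
// describes is `unsafe { std::str::from_utf8_unchecked(bytes) }` on bytes that
// were never validated; once such a `&str` reaches kstring or serde, those
// crates are entitled to assume valid UTF-8 and may exhibit UB. The type below
// never constructs a `&str` without validation.
use std::borrow::Cow;
use std::str::Utf8Error;

/// Hypothetical attribute value holding the raw bytes read from a
/// .gitattributes line. Bytes are the source of truth; no encoding is assumed.
#[derive(Debug, Clone, PartialEq)]
pub struct AttrValue<'a> {
    bytes: &'a [u8],
}

impl<'a> AttrValue<'a> {
    pub fn new(bytes: &'a [u8]) -> Self {
        Self { bytes }
    }

    /// Raw bytes are always available without any UTF-8 assumption.
    pub fn as_bytes(&self) -> &'a [u8] {
        self.bytes
    }

    /// A `&str` is produced only after validation; invalid input is an error,
    /// never a `&str` that silently violates the type's invariant.
    pub fn as_str(&self) -> Result<&'a str, Utf8Error> {
        std::str::from_utf8(self.bytes)
    }

    /// For callers that must have a string (display, serializers), replace
    /// invalid sequences with U+FFFD instead of exposing ill-formed data.
    pub fn to_string_lossy(&self) -> Cow<'a, str> {
        String::from_utf8_lossy(self.bytes)
    }
}

/// Serialize the value as a JSON string, refusing ill-formed input rather
/// than passing an unvalidated `&str` down to a serializer.
pub fn serialize_value(v: &AttrValue<'_>) -> Result<String, Utf8Error> {
    let s = v.as_str()?;
    // Minimal JSON string escaping, enough for the demonstration.
    let mut out = String::with_capacity(s.len() + 2);
    out.push('"');
    for c in s.chars() {
        match c {
            '"' => out.push_str("\\\""),
            '\\' => out.push_str("\\\\"),
            '\n' => out.push_str("\\n"),
            c if (c as u32) < 0x20 => out.push_str(&format!("\\u{:04x}", c as u32)),
            c => out.push(c),
        }
    }
    out.push('"');
    Ok(out)
}

fn main() {
    let good = AttrValue::new(b"lfs");
    // Constructed sample: "lf" + an invalid byte 0xff + "s".
    let bad = AttrValue::new(&[0x6c, 0x66, 0xff, 0x73]);
    println!("{:?}", serialize_value(&good));
    println!("{:?}", serialize_value(&bad));
    println!("{}", bad.to_string_lossy());
}
```

The design point is that the validation happens at the boundary where a `&str` is created, so every downstream consumer (kstring, serde, serde_json) receives a `&str` whose invariant actually holds; a caller that wants to tolerate bad bytes opts into the lossy path explicitly instead of inheriting an unsound `&str`.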

Metadata

Created: 2024-07-25T16:38:42Z
Modified: 2025-01-21T18:18:40Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/07/GHSA-cx7h-h87r-jpgr/GHSA-cx7h-h87r-jpgr.json
CWE IDs: ["CWE-172"]
Alternative ID: N/A
Finding: F113
Auto approve: 1