chore(deps): update rust crate gix to 0.71.0 [security] #15391

Merged
merged 3 commits into from
Apr 12, 2025

renovate[bot]
Contributor

@renovate renovate bot commented Apr 4, 2025

This PR contains the following updates:

Package | Type | Update | Change
gix | workspace.dependencies | minor | 0.70.0 -> 0.71.0

GitHub Vulnerability Alerts

CVE-2025-31130

Summary

gitoxide uses SHA-1 hash implementations without any collision detection, leaving it vulnerable to hash collision attacks.

Details

gitoxide uses the sha1_smol or sha1 crate, both of which implement standard SHA-1 without any mitigations for collision attacks. This means that two distinct Git objects with colliding SHA-1 hashes would break the Git object model and integrity checks when used with gitoxide.

The SHA-1 function is considered cryptographically insecure. However, in the wake of the SHAttered attacks, this issue was mitigated in Git 2.13.0 in 2017 by using the sha1collisiondetection algorithm by default and producing an error when known SHA-1 collisions are detected. Git is in the process of migrating to using SHA-256 for object hashes, but this has not been rolled out widely yet and gitoxide does not support SHA-256 object hashes.

PoC

The following program demonstrates the problem, using the two SHAttered PDFs:

use sha1_checked::{CollisionResult, Digest};

fn sha1_oid_of_file(filename: &str) -> gix::ObjectId {
    let mut hasher = gix::features::hash::hasher(gix::hash::Kind::Sha1);
    hasher.update(&std::fs::read(filename).unwrap());
    gix::ObjectId::Sha1(hasher.digest())
}

fn sha1dc_oid_of_file(filename: &str) -> Result<gix::ObjectId, String> {
    // Matches Git’s behaviour.
    let mut hasher = sha1_checked::Builder::default().safe_hash(false).build();
    hasher.update(&std::fs::read(filename).unwrap());
    match hasher.try_finalize() {
        CollisionResult::Ok(digest) => Ok(gix::ObjectId::Sha1(digest.into())),
        CollisionResult::Mitigated(_) => unreachable!(),
        CollisionResult::Collision(digest) => Err(format!(
            "Collision attack: {}",
            gix::ObjectId::Sha1(digest.into()).to_hex()
        )),
    }
}

fn main() {
    dbg!(sha1_oid_of_file("shattered-1.pdf"));
    dbg!(sha1_oid_of_file("shattered-2.pdf"));
    dbg!(sha1dc_oid_of_file("shattered-1.pdf"));
    dbg!(sha1dc_oid_of_file("shattered-2.pdf"));
}

The output is as follows:

[src/main.rs:24:5] sha1_oid_of_file("shattered-1.pdf") = Sha1(38762cf7f55934b34d179ae6a4c80cadccbb7f0a)
[src/main.rs:25:5] sha1_oid_of_file("shattered-2.pdf") = Sha1(38762cf7f55934b34d179ae6a4c80cadccbb7f0a)
[src/main.rs:26:5] sha1dc_oid_of_file("shattered-1.pdf") = Err(
    "Collision attack: 38762cf7f55934b34d179ae6a4c80cadccbb7f0a",
)
[src/main.rs:27:5] sha1dc_oid_of_file("shattered-2.pdf") = Err(
    "Collision attack: 38762cf7f55934b34d179ae6a4c80cadccbb7f0a",
)

The latter behaviour matches Git.

Since the SHAttered PDFs are not in a valid format for Git objects, a direct proof‐of‐concept using higher‐level APIs cannot be immediately demonstrated without significant computational resources.

Impact

An attacker with the ability to mount a collision attack on SHA-1 like the SHAttered or SHA-1 is a Shambles attacks could create two distinct Git objects with the same hash. This is becoming increasingly affordable for well‐resourced attackers, with the Shambles researchers in 2020 estimating $45k for a chosen‐prefix collision or $11k for a classical collision, and projecting less than $10k for a chosen‐prefix collision by 2025. The result could be used to disguise malicious repository contents, or potentially exploit assumptions in the logic of programs using gitoxide to cause further vulnerabilities.

This vulnerability affects any user of gitoxide, including gix-* library crates, that reads or writes Git objects.


Release Notes

GitoxideLabs/gitoxide (gix)

v0.71.0: gix v0.71.0

Compare Source

Changed
  • read config losslessly even without debug_assertions
    This should hopefully not be a breaking change, as the same code
    could produce the same behaviour if compiled with different flags,
    and the semantic meaning of the resulting configuration should be
    the same. But Hyrum’s law is always lurking…
Documentation
  • specify ThreadSafeRepository is not Send/Sync without "parallel"
New Features
  • add Repository::checkout_options().
    It's a low-level set of options to drive (quite unsafe) checkouts.
    They are unsafe as they may be configured to overwrite, and are in no
    way similar to git checkout.
  • add Repository::head_tree_id_or_empty() for convenience.
  • add Repository::workdir_path() to easily obtain a Path for worktree items.
  • add Repository::workdir() as replacement for Repository::work_dir().
    Keep the latter as deprecated though.
  • filter::Pipeline::worktree_file_to_object() now can add Commit type objects.
  • add filter::Pipeline::worktree_file_to_object().
    That way it's easier to correctly add whole files into the object
    database.
  • make internal repo fields public for ease of use.
    That way, functions or methods taking such a type as argument
    have access to the underlying repository so it doesn't need
    to be passed as separate argument.
  • add blob::platform::Resource::intern_source_strip_newline_separators()
    That way it will be easier to have typical Git-style patches diffs around
    files that don't end with a newline.
  • add Repository::big_file_threshold() to easily learn what Git considers a big file.
Bug Fixes
  • Don't panic when rev-parsing ^^^ and similar

  • filter::Pipeline::convert_to_git() now also works on Windows under all circumstances.

  • assure Repository::commit_as() also uses the committer for reflogs
    Previously it would retrieve the configured committer, or trigger an error
    if there was none despite the committer being provided to commit_as().

    This also adds Repository::edit_references_as(committer) to allow passing
    a given committer.

Other
  • Repository::commit() now explains how to create a commit without ref updates.
Changed (BREAKING)
  • drop obsolete SHA‐1 features
    The hashing API has moved to gix_hash::hasher, and we now use
    sha1-checked unconditionally.
Bug Fixes (BREAKING)
  • make clear what with_pruned() is doing by renaming it to with_boundary().
    This is how it acts, and it's not at all the same as hide() in git2.
Commit Statistics
Thanks Clippy

Clippy helped 1 time to make code idiomatic.

Commit Details
  • #​1829
    • Assure Repository::commit_as() also uses the committer for reflogs (9bec947)
  • #​1914
    • Don't panic when rev-parsing ^^^ and similar (aa8daf8)
  • Uncategorized
    • Release gix-sec v0.10.12, gix-config v0.44.0, gix-prompt v0.10.0, gix-url v0.30.0, gix-credentials v0.28.0, gix-discover v0.39.0, gix-dir v0.13.0, gix-mailmap v0.26.0, gix-revision v0.33.0, gix-merge v0.4.0, gix-negotiate v0.19.0, gix-pack v0.58.0, gix-odb v0.68.0, gix-refspec v0.29.0, gix-shallow v0.3.0, gix-packetline v0.18.4, gix-transport v0.46.0, gix-protocol v0.49.0, gix-status v0.18.0, gix-submodule v0.18.0, gix-worktree-state v0.18.0, gix v0.71.0, gix-fsck v0.10.0, gitoxide-core v0.46.0, gitoxide v0.42.0 (ada5a94)
    • Release gix-date v0.9.4, gix-utils v0.2.0, gix-actor v0.34.0, gix-features v0.41.0, gix-hash v0.17.0, gix-hashtable v0.8.0, gix-path v0.10.15, gix-validate v0.9.4, gix-object v0.48.0, gix-glob v0.19.0, gix-quote v0.5.0, gix-attributes v0.25.0, gix-command v0.5.0, gix-packetline-blocking v0.18.3, gix-filter v0.18.0, gix-fs v0.14.0, gix-commitgraph v0.27.0, gix-revwalk v0.19.0, gix-traverse v0.45.0, gix-worktree-stream v0.20.0, gix-archive v0.20.0, gix-tempfile v17.0.0, gix-lock v17.0.0, gix-index v0.39.0, gix-config-value v0.14.12, gix-pathspec v0.10.0, gix-ignore v0.14.0, gix-worktree v0.40.0, gix-diff v0.51.0, gix-blame v0.1.0, gix-ref v0.51.0, gix-config v0.44.0, gix-prompt v0.10.0, gix-url v0.30.0, gix-credentials v0.28.0, gix-discover v0.39.0, gix-dir v0.13.0, gix-mailmap v0.26.0, gix-revision v0.33.0, gix-merge v0.4.0, gix-negotiate v0.19.0, gix-pack v0.58.0, gix-odb v0.68.0, gix-refspec v0.29.0, gix-shallow v0.3.0, gix-packetline v0.18.4, gix-transport v0.46.0, gix-protocol v0.49.0, gix-status v0.18.0, gix-submodule v0.18.0, gix-worktree-state v0.18.0, gix v0.71.0, gix-fsck v0.10.0, gitoxide-core v0.46.0, gitoxide v0.42.0, safety bump 48 crates (b41312b)
    • Update changelogs prior to release (38dff41)
    • Merge pull request #​1915 from emilazy/push-qvyqmopsoltr (4660f7a)
    • Migrate gix_object::{try_ =>}compute_hash users (3d7e379)
    • Migrate hashing API users to fallible versions (fbf6cc8)
    • Drop obsolete SHA‐1 features (fd12ef8)
    • Merge pull request #​1851 from GitoxideLabs/fix-1850 (cd96b64)
    • Adapt to changes in gix-features (5f8bff8)
    • Merge pull request #​1916 from GitoxideLabs/fix-1914 (32b54b3)
    • Merge pull request #​1909 from cruessler/take-to-components-in-fs-stack (5cb5337)
    • Use gix_fs::stack::ToNormalPathComponents everywhere. (1f98edb)
    • Update MSRV to 1.75 for access to impl returns in traits. (569c186)
    • Merge pull request #​1911 from GitoxideLabs/improvements (bfa3253)
    • filter::Pipeline::convert_to_git() now also works on Windows under all circumstances. (dcdb8ea)
    • Merge pull request #​1907 from EliahKagan/run-ci/raw (7b17da6)
    • Drop trailing , just before ) on same line in function calls (66a5ae1)
    • Use raw literals for more strings with backslashes (01bd76d)
    • Merge pull request #​1898 from GitoxideLabs/improvements (7255a5f)
    • Improve documentation of a field that one can easily get wrong otherwise. (5a1b3d6)
    • Merge pull request #​1873 from NobodyXu/zlib-rs (316f113)
    • Review adjustments for zlib-rs support. (5e618b6)
    • Add new feature zlib-rs (8b1b55c)
    • Revert "Instrument make_remote_repos.sh to view config corruption" (9061fc4)
    • Instrument make_remote_repos.sh to view config corruption (d290ad9)
    • Merge pull request #​1884 from GitoxideLabs/improvements (0bf1d5b)
    • Merge pull request #​1876 from joshtriplett/fix-tests-in-environments-with-env-variables-set (dc8bd63)
    • Fix tests when GIT_AUTHOR_NAME or GIT_COMMITTER_NAME are set (94dda22)
    • Add Repository::checkout_options(). (5054780)
    • Add Repository::head_tree_id_or_empty() for convenience. (02878c9)
    • Add Repository::workdir_path() to easily obtain a Path for worktree items. (776f9be)
    • Add Repository::workdir() as replacement for Repository::work_dir(). (518fbbc)
    • Merge pull request #​1882 from emilazy/push-ylwwuwymlmwt (10e41ee)
    • Fix cargo-deny using a prodash-update and ignore directive (cf7f34d)
    • Read config losslessly even without debug_assertions (9800e9c)
    • Merge pull request #​1854 from GitoxideLabs/montly-report (16a248b)
    • Thanks clippy (8e96ed3)
    • Merge pull request #​1837 from GitoxideLabs/improvements (b4fe425)
    • Repository::commit() now explains how to create a commit without ref updates. (866affd)
    • Merge pull request #​1835 from GitoxideLabs/fixes (503098d)
    • Merge pull request #​1834 from GitoxideLabs/improvements (5c327bb)
    • filter::Pipeline::worktree_file_to_object() now can add Commit type objects. (27e62d7)
    • Merge pull request #​1833 from GitoxideLabs/improvements (c042813)
    • Add filter::Pipeline::worktree_file_to_object(). (70ebd5f)
    • Make internal repo fields public for ease of use. (23d2bed)
    • Merge pull request #​1821 from GitoxideLabs/improvements (914bf28)
    • Add blob::platform::Resource::intern_source_strip_newline_separators() (37582b0)
    • Merge pull request #​1820 from GitoxideLabs/improvements (daa6d4a)
    • Make clear what with_pruned() is doing by renaming it to with_boundary(). (b78e7dd)
    • Merge pull request #​1807 from bryceberger/bryce/push-xqrmpyoxlosq (79cb655)
    • Refactor (d7ddbb7)
    • Specify ThreadSafeRepository is not Send/Sync without "parallel" (687322b)
    • Merge pull request #​1785 from GitoxideLabs/improvements (1a69c40)
    • Add Repository::big_file_threshold() to easily learn what Git considers a big file. (f3257f3)
    • Merge pull request #​1778 from GitoxideLabs/new-release (8df0db2)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@rustbot
Collaborator

rustbot commented Apr 4, 2025

r? @epage

rustbot has assigned @epage.
They will have a look at your PR within the next two weeks and either review your PR or reassign to another reviewer.

Use r? to explicitly pick a reviewer

@rustbot rustbot added the S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. label Apr 4, 2025
@ehuss
Contributor

ehuss commented Apr 4, 2025

@Byron It looks like the new version of gitoxide is having trouble passing some tests. In particular, it seems to refuse to send credentials over http. Do you think you can take a look?

Contributor Author

renovate bot commented Apr 4, 2025

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@Byron
Member

Byron commented Apr 5, 2025

I see, sorry for the hassle. I will take a look and post the fix here (if applicable) so one of you can push it to the branch. Alternatively, I can open another PR, but let's hope I get an idea of what's going on here first and swiftly.

@Byron
Member

Byron commented Apr 5, 2025

And here is the patch for 'git apply 0001-Configure-gix-transport-to-allow-sending-test-creden.patch' and in plain text:

From 4e97bcc2bd61a92684bb411a2d501a8cdb5469a1 Mon Sep 17 00:00:00 2001
From: Sebastian Thiel <[email protected]>
Date: Sat, 5 Apr 2025 14:19:47 +0800
Subject: [PATCH] Configure `gix-transport` to allow sending test-credentials
 over HTTP

Note that this also means there now are two gix-related dependencies to maintain.
One day `gix` might forward the respective feature in `gix-transport`, or maybe
Cargo will support configuring flags in the tree more easily.
---
 Cargo.lock | 1 +
 Cargo.toml | 6 ++++++
 2 files changed, 7 insertions(+)

diff --git a/Cargo.lock b/Cargo.lock
index fb1a768b8..46e92153d 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -327,6 +327,7 @@ dependencies = [
  "git2",
  "git2-curl",
  "gix",
+ "gix-transport",
  "glob",
  "hex",
  "hmac",
diff --git a/Cargo.toml b/Cargo.toml
index fd09de528..61d3aca02 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -48,6 +48,7 @@ filetime = "0.2.25"
 flate2 = { version = "1.0.35", default-features = false, features = ["zlib"] }
 git2 = "0.20.0"
 git2-curl = "0.21.0"
+# When updating this, also see if `gix-transport` further down needs updating or some auth-related tests will fail.
 gix = { version = "0.71.0", default-features = false, features = ["blocking-http-transport-curl", "progress-tree", "parallel", "dirwalk"] }
 glob = "0.3.2"
 handlebars = { version = "6.3.1", features = ["dir_source"] }
@@ -218,6 +219,11 @@ unicode-width.workspace = true
 url.workspace = true
 walkdir.workspace = true
 
+# When building Cargo for tests, a safety-measure in `gix` needs to be disabled
+# to allow sending credentials over HTTP connections.
+[target.'cfg(debug_assertions)'.dependencies]
+gix-transport = { version = "0.46.0", features = ["http-client-insecure-credentials"] }
+
 [target.'cfg(target_has_atomic = "64")'.dependencies]
 tracing-chrome.workspace = true
 
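Review bot: `[target.'cfg(debug_assertions)'.dependencies]` does not limit `http-client-insecure-credentials` to test builds. Cargo does not evaluate `debug_assertions` per profile when it selects target-specific dependencies, so this table applies to release builds as well and the feature ends up in the shipped binary, contrary to the "When building Cargo for tests" comment above it. If the feature is meant for the test suite only, declare `gix-transport` under `[dev-dependencies]`; if it is meant to be always on, drop the `cfg` table and say so in the comment.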
-- 
2.39.5 (Apple Git-154)

@ehuss
Contributor

ehuss commented Apr 5, 2025

Hm, I don't think that's going to work as expected. cfg(debug_assertions) is essentially always true.

I suppose we could just always enable that feature, and it wouldn't be any less secure than it was in 0.70 (or compared to libgit2), though I'm not sure if that is what we want to do. We could try to change the test server to use SSL via openssl, though that would require writing a little extra code to generate the certificates. WDYT?

EDIT: Or perhaps we can just move that to a dev-dependency?

@Byron
Member

Byron commented Apr 6, 2025

> I suppose we could just always enable that feature, and it wouldn't be any less secure than it was in 0.70 (or compared to libgit2), though I'm not sure if that is what we want to do.

In gitoxide, this code was present for two years already, but it wasn't enabled in debug mode. This naturally makes it work in testing. Three weeks ago this was changed as a general sweep to not make code appear or disappear based on debug assertions being enabled as it's surprising.

This leaves us in a place where we'd have to set a feature toggle based on some knowledge of what we are building. Maybe cargo is built for testing with special flags that could be hijacked to know that we want to set a feature in gix-transport?

> We could try to change the test server to use SSL via openssl, though that would require writing a little extra code to generate the certificates. WDYT?

Somehow I feel that testing should be supported so one doesn't have to go through the trouble locally.

> EDIT: Or perhaps we can just move that to a dev-dependency?

That would be great, but I thought these aren't effective in the cargo binary that is built for testing?

@ehuss
Copy link
Contributor

ehuss commented Apr 8, 2025

> Maybe cargo is built for testing with special flags that could be hijacked to know that we want to set a feature in gix-transport?

I don't think there is a way to really do that without manually setting the feature.

How about we just disable these tests for gitoxide for now, and we open an issue to figure out how to resolve it later?

I personally would prefer to figure out some way to go ahead and support ssl in tests. It's not hard to do with openssl, but unfortunately we don't have openssl on windows, which makes it a lot harder.

@Byron
Member

Byron commented Apr 11, 2025

Apologies for the late response!

I am quite afraid of disabling tests as it's the first step towards regression. The few bits of gitoxide that are in cargo right now have to stay strong and trustworthy to remain the basis for future improvements, something I definitely want to do.

Thus, my preferred solution here is to disable the feature in production as well, and to create an issue to maybe make this work.
This should work as it's not a regression compared to git2.

From 81970d03b3b2dd966e353e0e284949f0e42ac46b Mon Sep 17 00:00:00 2001
From: Sebastian Thiel <[email protected]>
Date: Fri, 11 Apr 2025 07:49:24 +0200
Subject: [PATCH] Configure `gix-transport` to allow sending test-credentials
 over HTTP

Note that this also means there now are two gix-related dependencies to maintain.
One day `gix` might forward the respective feature in `gix-transport`, or maybe
Cargo will support configuring flags in the tree more easily.

Even though that's a regression compared to the previous builds, it's not a regression
compared to `git2` which also allows to send credentials over HTTP.
One may also argue that `gitoxide` goes too far, trying to fix potential issues
with the protocol itself.
---
 Cargo.lock | 1 +
 Cargo.toml | 5 +++++
 2 files changed, 6 insertions(+)

diff --git a/Cargo.lock b/Cargo.lock
index fb1a768b8..46e92153d 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -327,6 +327,7 @@ dependencies = [
  "git2",
  "git2-curl",
  "gix",
+ "gix-transport",
  "glob",
  "hex",
  "hmac",
diff --git a/Cargo.toml b/Cargo.toml
index fd09de528..f0c170729 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -48,6 +48,7 @@ filetime = "0.2.25"
 flate2 = { version = "1.0.35", default-features = false, features = ["zlib"] }
 git2 = "0.20.0"
 git2-curl = "0.21.0"
+# When updating this, also see if `gix-transport` further down needs updating or some auth-related tests will fail.
 gix = { version = "0.71.0", default-features = false, features = ["blocking-http-transport-curl", "progress-tree", "parallel", "dirwalk"] }
 glob = "0.3.2"
 handlebars = { version = "6.3.1", features = ["dir_source"] }
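Review bot: the new comment above `gix` says `gix-transport` is "further down" but not where, nor which version goes with which, so the next `gix` bump depends on someone finding the second entry by search. Name the section that holds it and the pairing this patch uses (`gix` 0.71.0 with `gix-transport` 0.46.0), so a mismatch that would leave two `gix-transport` versions in the graph, with the feature set on the unused one, is easy to spot.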
@@ -252,6 +253,10 @@ features = [
 annotate-snippets = { workspace = true, features = ["testing-colors"] }
 cargo-test-support.workspace = true
 gix = { workspace = true, features = ["revision"] }
+# When building Cargo for tests, a safety-measure in `gix` needs to be disabled
+# to allow sending credentials over HTTP connections.
+# As we can't set this only for tests, for now it's disabled in production as well.
+gix-transport = { version = "0.46.0", features = ["http-client-insecure-credentials"] }
 same-file.workspace = true
 snapbox.workspace = true
 
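Review bot: the third added comment line, "for now it's disabled in production as well", does not match where the entry is placed: it sits between `cargo-test-support` and `snapbox`, in the list of test-support dependencies. If this list is `[dev-dependencies]`, the feature is only unified into builds of tests and that sentence should be removed, otherwise readers will assume release binaries send credentials over plain HTTP. Separately, the neighbouring entries use `workspace = true` while this one pins `version = "0.46.0"` inline; declaring it in the workspace dependency table next to `gix` would keep the two versions side by side.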
-- 
2.39.5 (Apple Git-154)

I'd love if this also works for you, but if not we can of course just disable the affected tests.

This is needed because some tests send HTTP auth headers, and by default
gix will refuse to do that over an insecure channel.
@ehuss
Copy link
Contributor

ehuss commented Apr 11, 2025

Just to be clear, putting it in dev-dependencies means it is only disabled during testing. This doesn't affect production. You can read more about this here. Essentially when it is building tests, it will unify, but if not it won't.

Does that make sense?

I think that seems good to me.
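
One way to check the unification behaviour described in the comment above is to compare the features `cargo tree` reports with and without dev-dependency edges. This is an added example, not part of the PR or of Cargo's own tooling; the function names and the sample output are constructed for illustration, and `--live` assumes the script is run from the crate root with `cargo` on PATH.

```shell
#!/bin/sh
# Added example (not from the PR): report whether a Cargo feature of a crate is
# enabled in the production dependency graph or only once dev-dependencies are
# included. Crate and feature names are the ones discussed in this thread.

CRATE=gix-transport
FEATURE=http-client-insecure-credentials

# Constructed sample of `cargo tree` output in the '{p}|{f}' format used below.
# These lines are illustrative, not captured from a real build of Cargo.
SAMPLE_NO_DEV='cargo v0.0.0 (/src/cargo)|
gix v0.71.0|blocking-http-transport-curl,dirwalk,parallel,progress-tree
gix-transport v0.46.0|default'
SAMPLE_WITH_DEV='cargo v0.0.0 (/src/cargo)|
gix v0.71.0|blocking-http-transport-curl,dirwalk,parallel,progress-tree,revision
gix-transport v0.46.0|default,http-client-insecure-credentials'

# list_features EDGES: one "name version|feat1,feat2" line per package for the
# chosen dependency edge kinds.
list_features() {
    cargo tree --edges "$1" --prefix none --no-dedupe --format '{p}|{f}'
}

# has_feature CRATE FEATURE: reads list_features output on stdin and succeeds
# only if a line for CRATE lists FEATURE as an exact, comma-separated entry.
has_feature() {
    awk -F'|' -v crate="$1" -v feat="$2" '
        {
            split($1, pkg, " ")            # pkg[1] is the crate name
            if (pkg[1] != crate) next
            n = split($2, feats, ",")
            for (i = 1; i <= n; i++)
                if (feats[i] == feat) found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# classify CRATE FEATURE PROD_TREE TEST_TREE: prints "production" if the
# feature is on without dev edges, "test-only" if it appears only once dev
# edges are included, and "absent" otherwise.
classify() {
    if printf '%s\n' "$3" | has_feature "$1" "$2"; then
        echo production
    elif printf '%s\n' "$4" | has_feature "$1" "$2"; then
        echo test-only
    else
        echo absent
    fi
}

# With --live, query the real graph; otherwise use the constructed samples.
if [ "${1:-}" = "--live" ]; then
    prod=$(list_features no-dev)
    with_dev=$(list_features normal,build,dev)
else
    prod=$SAMPLE_NO_DEV
    with_dev=$SAMPLE_WITH_DEV
fi
echo "$FEATURE on $CRATE: $(classify "$CRATE" "$FEATURE" "$prod" "$with_dev")"
```

A result of `production` in a CI job is the signal that the safety check has been switched off in shipped binaries, not only in the test suite.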

@Byron
Member

Byron commented Apr 12, 2025

Actually, I put it into dev-dependencies by accident and think that this would not work as building the cargo binary for tests probably doesn't come into effect.
But… it actually works, the tests pass locally.

This means the most recently provided patch should be good and is good for you, right?
Good to go, and sorry for the hassle, I have been a bit fuzzy lately.

@ehuss ehuss added this pull request to the merge queue Apr 12, 2025
Merged via the queue into master with commit c6b777d Apr 12, 2025
25 checks passed
@ehuss ehuss deleted the renovate/crate-gix-vulnerability branch April 12, 2025 16:20
bors added a commit to rust-lang-ci/rust that referenced this pull request Apr 17, 2025
Update cargo

4 commits in 864f74d4eadcaea3eeda37a2e7f4d34de233d51e..d811228b14ae2707323f37346aee3f4147e247e6
2025-04-11 20:37:27 +0000 to 2025-04-15 15:18:42 +0000
- use `zlib-rs` for gzip compression in rust code (rust-lang/cargo#15417)
- test(rustfix): Use `snapbox` for snapshot testing (rust-lang/cargo#15429)
- chore(deps): update rust crate gix to 0.71.0 [security] (rust-lang/cargo#15391)
- Make sure search paths inside OUT_DIR precede external paths (rust-lang/cargo#15221)

Also,

* The license exception of sha1_smol with BSD-3-Clause is no longer needed, as `gix-*` doesn't depend on it.
* Cargo depends on zlib-rs, which is distributed under Zlib license

r? ghost
@rustbot rustbot added this to the 1.88.0 milestone Apr 17, 2025
github-actions bot pushed a commit to rust-lang/rustc-dev-guide that referenced this pull request Apr 19, 2025