fix!: Limit Commit and Tag parsing to a given gix_hash::Kind

Doing so adds conformity with Git, but also simplifies the parser
which now only parse hex-hashes of a single valid length.

Co-authored-by: Sebastian Thiel <sebastian.thiel@icloud.com>

Author: codex

Cargo.lock

@@ -45,7 +45,6 @@ gix-hashtable = { version = "^0.14.0", path = "../gix-hashtable" }
 gix-validate = { version = "^0.11.1", path = "../gix-validate" }
 gix-actor = { version = "^0.40.1", path = "../gix-actor" }
 gix-date = { version = "^0.15.2", path = "../gix-date" }
-gix-error = { version = "^0.2.2", path = "../gix-error" }
 gix-utils = { version = "^0.3.2", path = "../gix-utils" }
 
 itoa = "1.0.17"

gix-object/Cargo.toml

@@ -3,19 +3,29 @@ use std::hint::black_box;
 
 fn parse_commit(c: &mut Criterion) {
     c.bench_function("CommitRef(sig)", |b| {
-        b.iter(|| black_box(gix_object::CommitRef::from_bytes(COMMIT_WITH_MULTI_LINE_HEADERS)).unwrap());
+        b.iter(|| {
+            black_box(gix_object::CommitRef::from_bytes(
+                COMMIT_WITH_MULTI_LINE_HEADERS,
+                gix_hash::Kind::Sha1,
+            ))
+            .unwrap()
+        });
     });
     c.bench_function("CommitRefIter(sig)", |b| {
-        b.iter(|| black_box(gix_object::CommitRefIter::from_bytes(COMMIT_WITH_MULTI_LINE_HEADERS).count()));
+        b.iter(|| {
+            black_box(
+                gix_object::CommitRefIter::from_bytes(COMMIT_WITH_MULTI_LINE_HEADERS, gix_hash::Kind::Sha1).count(),
+            )
+        });
     });
 }
 
 fn parse_tag(c: &mut Criterion) {
     c.bench_function("TagRef(sig)", |b| {
-        b.iter(|| black_box(gix_object::TagRef::from_bytes(TAG_WITH_SIGNATURE)).unwrap());
+        b.iter(|| black_box(gix_object::TagRef::from_bytes(TAG_WITH_SIGNATURE, gix_hash::Kind::Sha1)).unwrap());
     });
     c.bench_function("TagRefIter(sig)", |b| {
-        b.iter(|| black_box(gix_object::TagRefIter::from_bytes(TAG_WITH_SIGNATURE).count()));
+        b.iter(|| black_box(gix_object::TagRefIter::from_bytes(TAG_WITH_SIGNATURE, gix_hash::Kind::Sha1).count()));
     });
 }
 

gix-object/benches/decode_objects.rs

@@ -3,6 +3,8 @@ use libfuzzer_sys::fuzz_target;
 use std::hint::black_box;
 
 fuzz_target!(|commit: &[u8]| {
-    _ = black_box(gix_object::CommitRef::from_bytes(commit));
-    _ = black_box(gix_object::CommitRefIter::from_bytes(commit)).count();
+    _ = black_box(gix_object::CommitRef::from_bytes(commit, gix_hash::Kind::Sha1));
+    _ = black_box(gix_object::CommitRefIter::from_bytes(commit, gix_hash::Kind::Sha1)).count();
+    _ = black_box(gix_object::CommitRef::from_bytes(commit, gix_hash::Kind::Sha256));
+    _ = black_box(gix_object::CommitRefIter::from_bytes(commit, gix_hash::Kind::Sha256)).count();
 });

gix-object/fuzz/fuzz_targets/fuzz_commit.rs

@@ -4,6 +4,8 @@ use libfuzzer_sys::fuzz_target;
 use std::hint::black_box;
 
 fuzz_target!(|tag: &[u8]| {
-    _ = black_box(gix_object::TagRef::from_bytes(tag));
-    _ = black_box(gix_object::TagRefIter::from_bytes(tag).count());
+    _ = black_box(gix_object::TagRef::from_bytes(tag, gix_hash::Kind::Sha1));
+    _ = black_box(gix_object::TagRefIter::from_bytes(tag, gix_hash::Kind::Sha1).count());
+    _ = black_box(gix_object::TagRef::from_bytes(tag, gix_hash::Kind::Sha256));
+    _ = black_box(gix_object::TagRefIter::from_bytes(tag, gix_hash::Kind::Sha256).count());
 });

gix-object/fuzz/fuzz_targets/fuzz_tag.rs

@@ -37,13 +37,13 @@ pub fn message<'a>(i: &mut &'a [u8]) -> ParseResult<&'a BStr> {
 /// This parser is not transactional as a whole: if a later required field or
 /// the final message parse fails, `i` may already have been advanced past
 /// earlier successfully parsed fields.
-pub fn commit<'a>(i: &mut &'a [u8]) -> ParseResult<CommitRef<'a>> {
-    let tree = parse::header_field(i, b"tree", parse::hex_hash)?;
+pub fn commit<'a>(i: &mut &'a [u8], hash_kind: gix_hash::Kind) -> ParseResult<CommitRef<'a>> {
+    let tree = parse::header_field(i, b"tree", |value| parse::hex_hash(value, hash_kind))?;
 
     let mut parents = SmallVec::new();
     loop {
         let before = *i;
-        match parse::header_field(i, b"parent", parse::hex_hash) {
+        match parse::header_field(i, b"parent", |value| parse::hex_hash(value, hash_kind)) {
             Ok(parent) => parents.push(parent),
             Err(_) => {
                 *i = before;

gix-object/src/commit/decode.rs

@@ -62,10 +62,11 @@ mod write;
 
 /// Lifecycle
 impl<'a> CommitRef<'a> {
-    /// Deserialize a commit from the given `data` bytes while avoiding most allocations.
-    pub fn from_bytes(mut data: &'a [u8]) -> Result<CommitRef<'a>, crate::decode::Error> {
+    /// Deserialize a commit from the given `data` bytes while avoiding most allocations, using `hash_kind` to know
+    /// what kind of hash to expect for validation.
+    pub fn from_bytes(mut data: &'a [u8], hash_kind: gix_hash::Kind) -> Result<CommitRef<'a>, crate::decode::Error> {
         let input = &mut data;
-        match decode::commit(input) {
+        match decode::commit(input, hash_kind) {
             Ok(tag) => Ok(tag),
             Err(err) => Err(err),
         }
@@ -88,7 +89,10 @@ impl<'a> CommitRef<'a> {
 
     /// Returns a convenient iterator over all extra headers.
     pub fn extra_headers(&self) -> ExtraHeaders<impl Iterator<Item = (&BStr, &BStr)>> {
-        ExtraHeaders::new(self.extra_headers.iter().map(|(k, v)| (*k, v.as_ref())))
+        ExtraHeaders::new(
+            self.extra_headers.iter().map(|(k, v)| (*k, v.as_ref())),
+            self.tree().kind(),
+        )
     }
 
     /// Return the author, with whitespace trimmed.
@@ -132,13 +136,17 @@ impl CommitRef<'_> {
 impl Commit {
     /// Returns a convenient iterator over all extra headers.
     pub fn extra_headers(&self) -> ExtraHeaders<impl Iterator<Item = (&BStr, &BStr)>> {
-        ExtraHeaders::new(self.extra_headers.iter().map(|(k, v)| (k.as_bstr(), v.as_bstr())))
+        ExtraHeaders::new(
+            self.extra_headers.iter().map(|(k, v)| (k.as_bstr(), v.as_bstr())),
+            self.tree.kind(),
+        )
     }
 }
 
 /// An iterator over extra headers in [owned][crate::Commit] and [borrowed][crate::CommitRef] commits.
 pub struct ExtraHeaders<I> {
     inner: I,
+    hash_kind: gix_hash::Kind,
 }
 
 /// Instantiation and convenience.
@@ -147,8 +155,8 @@ where
     I: Iterator<Item = (&'a BStr, &'a BStr)>,
 {
     /// Create a new instance from an iterator over tuples of (name, value) pairs.
-    pub fn new(iter: I) -> Self {
-        ExtraHeaders { inner: iter }
+    pub fn new(iter: I, hash_kind: gix_hash::Kind) -> Self {
+        ExtraHeaders { inner: iter, hash_kind }
     }
 
     /// Find the _value_ of the _first_ header with the given `name`.
@@ -175,7 +183,8 @@ where
     /// A merge tag is a tag object embedded within the respective header field of a commit, making
     /// it a child object of sorts.
     pub fn mergetags(self) -> impl Iterator<Item = Result<TagRef<'a>, crate::decode::Error>> {
-        self.find_all("mergetag").map(|b| TagRef::from_bytes(b))
+        let hash_kind = self.hash_kind;
+        self.find_all("mergetag").map(move |b| TagRef::from_bytes(b, hash_kind))
     }
 
     /// Return the cryptographic signature provided by gpg/pgp verbatim.

gix-object/src/commit/mod.rs

@@ -30,29 +30,35 @@ pub(crate) enum State {
 
 /// Lifecycle
 impl<'a> CommitRefIter<'a> {
-    /// Create a commit iterator from data.
-    pub fn from_bytes(data: &'a [u8]) -> CommitRefIter<'a> {
+    /// Create a commit iterator from the given `data`, using `hash_kind` to know
+    /// what kind of hash to expect for validation.
+    pub fn from_bytes(data: &'a [u8], hash_kind: gix_hash::Kind) -> CommitRefIter<'a> {
         CommitRefIter {
             data,
             state: State::default(),
+            hash_kind,
         }
     }
 }
 
 /// Access
 impl<'a> CommitRefIter<'a> {
     /// Parse `data` as commit and return its PGP signature, along with *all non-signature* data as [`SignedData`], or `None`
-    /// if the commit isn't signed.
+    /// if the commit isn't signed. All hashes in `data` are parsed as `hash_kind`.
     ///
     /// This allows the caller to validate the signature by passing the signed data along with the signature back to the program
     /// that created it.
-    pub fn signature(data: &'a [u8]) -> Result<Option<(Cow<'a, BStr>, SignedData<'a>)>, crate::decode::Error> {
+    pub fn signature(
+        data: &'a [u8],
+        hash_kind: gix_hash::Kind,
+    ) -> Result<Option<(Cow<'a, BStr>, SignedData<'a>)>, crate::decode::Error> {
         let mut signature_and_range = None;
 
         let raw_tokens = CommitRefIterRaw {
             data,
             state: State::default(),
             offset: 0,
+            hash_kind,
         };
         for token in raw_tokens {
             let token = token?;
@@ -146,35 +152,43 @@ fn missing_field() -> crate::decode::Error {
 
 impl<'a> CommitRefIter<'a> {
     #[inline]
-    fn next_inner(mut i: &'a [u8], state: &mut State) -> Result<(&'a [u8], Token<'a>), crate::decode::Error> {
+    fn next_inner(
+        mut i: &'a [u8],
+        state: &mut State,
+        hash_kind: gix_hash::Kind,
+    ) -> Result<(&'a [u8], Token<'a>), crate::decode::Error> {
         let input = &mut i;
-        match Self::next_inner_(input, state) {
+        match Self::next_inner_(input, state, hash_kind) {
             Ok(token) => Ok((*input, token)),
             Err(err) => Err(err),
         }
     }
 
-    fn next_inner_(input: &mut &'a [u8], state: &mut State) -> Result<Token<'a>, crate::decode::Error> {
+    fn next_inner_(
+        input: &mut &'a [u8],
+        state: &mut State,
+        hash_kind: gix_hash::Kind,
+    ) -> Result<Token<'a>, crate::decode::Error> {
         use State::*;
         Ok(match state {
             Tree => {
-                let tree = parse::header_field(input, b"tree", parse::hex_hash)?;
+                let tree = parse::header_field(input, b"tree", |value| parse::hex_hash(value, hash_kind))?;
                 *state = State::Parents;
                 Token::Tree {
                     id: ObjectId::from_hex(tree).expect("parsing validation"),
                 }
             }
             Parents => {
                 if input.starts_with(b"parent ") {
-                    let parent = parse::header_field(input, b"parent", parse::hex_hash)?;
+                    let parent = parse::header_field(input, b"parent", |value| parse::hex_hash(value, hash_kind))?;
                     Token::Parent {
                         id: ObjectId::from_hex(parent).expect("parsing validation"),
                     }
                 } else {
                     *state = State::Signature {
                         of: SignatureKind::Author,
                     };
-                    Self::next_inner_(input, state)?
+                    Self::next_inner_(input, state, hash_kind)?
                 }
             }
             Signature { ref mut of } => {
@@ -201,13 +215,13 @@ impl<'a> CommitRefIter<'a> {
                     let encoding = parse::header_field(input, b"encoding", Ok)?;
                     Token::Encoding(encoding.as_bstr())
                 } else {
-                    Self::next_inner_(input, state)?
+                    Self::next_inner_(input, state, hash_kind)?
                 }
             }
             ExtraHeaders => {
                 if input.starts_with(b"\n") {
                     *state = State::Message;
-                    Self::next_inner_(input, state)?
+                    Self::next_inner_(input, state, hash_kind)?
                 } else {
                     let before = *input;
                     match parse::any_header_field_multi_line(input)
@@ -240,7 +254,7 @@ impl<'a> Iterator for CommitRefIter<'a> {
         if self.data.is_empty() {
             return None;
         }
-        match Self::next_inner(self.data, &mut self.state) {
+        match Self::next_inner(self.data, &mut self.state, self.hash_kind) {
             Ok((data, token)) => {
                 self.data = data;
                 Some(Ok(token))
@@ -258,6 +272,7 @@ struct CommitRefIterRaw<'a> {
     data: &'a [u8],
     state: State,
     offset: usize,
+    hash_kind: gix_hash::Kind,
 }
 
 impl<'a> Iterator for CommitRefIterRaw<'a> {
@@ -267,7 +282,7 @@ impl<'a> Iterator for CommitRefIterRaw<'a> {
         if self.data.is_empty() {
             return None;
         }
-        match CommitRefIter::next_inner(self.data, &mut self.state) {
+        match CommitRefIter::next_inner(self.data, &mut self.state, self.hash_kind) {
             Ok((remaining, token)) => {
                 let consumed = self.data.len() - remaining.len();
                 let start = self.offset;

gix-object/src/commit/ref_iter.rs

@@ -16,8 +16,8 @@ impl<'a> Data<'a> {
         Ok(match self.kind {
             Kind::Tree => ObjectRef::Tree(TreeRef::from_bytes(self.data, self.hash_kind)?),
             Kind::Blob => ObjectRef::Blob(BlobRef { data: self.data }),
-            Kind::Commit => ObjectRef::Commit(CommitRef::from_bytes(self.data)?),
-            Kind::Tag => ObjectRef::Tag(TagRef::from_bytes(self.data)?),
+            Kind::Commit => ObjectRef::Commit(CommitRef::from_bytes(self.data, self.hash_kind)?),
+            Kind::Tag => ObjectRef::Tag(TagRef::from_bytes(self.data, self.hash_kind)?),
         })
     }
 
@@ -34,7 +34,7 @@ impl<'a> Data<'a> {
     /// `None` if this is not a commit object.
     pub fn try_into_commit_iter(self) -> Option<CommitRefIter<'a>> {
         match self.kind {
-            Kind::Commit => Some(CommitRefIter::from_bytes(self.data)),
+            Kind::Commit => Some(CommitRefIter::from_bytes(self.data, self.hash_kind)),
             _ => None,
         }
     }
@@ -43,7 +43,7 @@ impl<'a> Data<'a> {
     /// `None` if this is not a tag object.
     pub fn try_into_tag_iter(self) -> Option<TagRefIter<'a>> {
         match self.kind {
-            Kind::Tag => Some(TagRefIter::from_bytes(self.data)),
+            Kind::Tag => Some(TagRefIter::from_bytes(self.data, self.hash_kind)),
             _ => None,
         }
     }

gix-object/src/data.rs

@@ -109,7 +109,7 @@ pub struct Blob {
 #[derive(PartialEq, Eq, Debug, Hash, Ord, PartialOrd, Clone)]
 #[cfg_attr(feature = "serde", derive(serde::Serialize, serde::Deserialize))]
 pub struct CommitRef<'a> {
-    /// HEX hash of tree object we point to. Usually 40 bytes long.
+    /// HEX hash of tree object we point to.
     ///
     /// Use [`tree()`](CommitRef::tree()) to obtain a decoded version of it.
     #[cfg_attr(feature = "serde", serde(borrow))]
@@ -140,6 +140,7 @@ pub struct CommitRef<'a> {
 pub struct CommitRefIter<'a> {
     data: &'a [u8],
     state: commit::ref_iter::State,
+    hash_kind: gix_hash::Kind,
 }
 
 /// A mutable git commit, representing an annotated state of a working tree along with a reference to its historical commits.
@@ -194,6 +195,7 @@ pub struct TagRef<'a> {
 pub struct TagRefIter<'a> {
     data: &'a [u8],
     state: tag::ref_iter::State,
+    hash_kind: gix_hash::Kind,
 }
 
 /// A mutable git tag.