git-core 0.1.0

Git object-store reader: loose + packfile (v2, OFS/REF delta) objects, refs, commits, trees over a content-addressed Merkle DAG
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370

//! Packfile reading (pack v2 + index v2), the normal post-`gc`/clone storage.
//!
//! A `.idx` (version 2) maps object hashes to byte offsets in the sibling
//! `.pack`; each pack object is a varint-headed, zlib-compressed blob that may be
//! whole (commit/tree/blob/tag) or a delta (`OFS_DELTA`/`REF_DELTA`) against
//! another object. This module resolves deltas recursively and verifies the
//! SHA-1 of every reconstructed object.
//!
//! Reference: git `Documentation/gitformat-pack.txt` (pack + index v2 layouts,
//! delta instruction encoding).

use std::fs;
use std::io::Read;
use std::path::Path;

use flate2::read::ZlibDecoder;
use sha1::{Digest, Sha1};

use crate::error::{GitError, Result};
use crate::hash::GitHash;
use crate::object::{ObjectKind, RawObject};

/// `.idx` version-2 magic: `\377tOc`.
const IDX_V2_MAGIC: [u8; 4] = [0xff, 0x74, 0x4f, 0x63];
/// Deflate-bomb guard: reject any object decompressing past 512 MiB.
const MAX_OBJECT_SIZE: u64 = 512 * 1024 * 1024;
/// Guard against a pathological delta-base chain (cycles / fuzzed packs).
const MAX_DELTA_DEPTH: u32 = 64;

/// Read `hash` from any packfile under `objects_dir`. Returns `Ok(None)` when no
/// pack contains it (so the caller can report a genuine not-found).
pub fn read_packed(objects_dir: &Path, hash: &GitHash) -> Result<Option<RawObject>> {
    let pack_dir = objects_dir.join("pack");
    let Ok(entries) = fs::read_dir(&pack_dir) else {
        return Ok(None);
    };
    let mut idx_paths: Vec<_> = entries
        .flatten()
        .map(|e| e.path())
        .filter(|p| p.extension().is_some_and(|x| x == "idx"))
        .collect();
    idx_paths.sort(); // deterministic order across packs
    for idx_path in idx_paths {
        let idx = fs::read(&idx_path)?;
        if let Some(offset) = idx_lookup(&idx, hash)? {
            let pack = fs::read(idx_path.with_extension("pack"))?;
            let (kind, data) = read_object_at(&pack, offset, objects_dir, 0)?;
            let verified = verify(hash, kind, &data);
            return Ok(Some(RawObject {
                kind,
                data,
                verified,
            }));
        }
    }
    Ok(None)
}

/// Enumerate every object SHA across all packfiles under `objects_dir`.
///
/// Walks the sorted name table of each `.idx` (version 2). A missing pack
/// directory yields an empty list; an unsupported (non-v2) index fails loud.
///
/// # Errors
/// Returns [`GitError`] on an I/O failure or a malformed/unsupported index.
pub fn list_packed(objects_dir: &Path) -> Result<Vec<GitHash>> {
    let pack_dir = objects_dir.join("pack");
    let Ok(entries) = fs::read_dir(&pack_dir) else {
        return Ok(Vec::new());
    };
    let mut idx_paths: Vec<_> = entries
        .flatten()
        .map(|e| e.path())
        .filter(|p| p.extension().is_some_and(|x| x == "idx"))
        .collect();
    idx_paths.sort();

    let mut out = Vec::new();
    for idx_path in idx_paths {
        let idx = fs::read(&idx_path)?;
        idx_names(&idx, &mut out)?;
    }
    Ok(out)
}

/// Append every SHA in an index-v2 name table to `out`.
fn idx_names(idx: &[u8], out: &mut Vec<GitHash>) -> Result<()> {
    if idx.len() < 8 || idx[0..4] != IDX_V2_MAGIC || be_u32(idx, 4)? != 2 {
        // Mirror `idx_lookup`: a v1 index or anything else is not supported.
        // The hash is unknown here, so report bounds rather than guess one.
        return Err(GitError::OutOfBounds);
    }
    const FANOUT: usize = 8;
    let count = be_u32(idx, FANOUT + 255 * 4)? as usize;
    let names = FANOUT + 256 * 4;
    for i in 0..count {
        let name = idx
            .get(names + i * 20..names + i * 20 + 20)
            .ok_or(GitError::OutOfBounds)?;
        out.push(GitHash::from_bytes(name)?);
    }
    Ok(())
}

/// Binary-search an index-v2 fanout/name table for `hash`, returning its pack
/// byte offset. Non-v2 indexes fail loud rather than silently miss.
fn idx_lookup(idx: &[u8], hash: &GitHash) -> Result<Option<u64>> {
    if idx.len() < 8 || idx[0..4] != IDX_V2_MAGIC {
        // A v1 index (no magic) or anything else: don't guess.
        return Err(GitError::PackfileUnsupported(*hash));
    }
    if be_u32(idx, 4)? != 2 {
        return Err(GitError::PackfileUnsupported(*hash));
    }
    const FANOUT: usize = 8;
    let want = hash.as_bytes();
    let first = want[0] as usize;
    let mut lo = if first == 0 {
        0
    } else {
        be_u32(idx, FANOUT + (first - 1) * 4)?
    } as usize;
    let mut hi = be_u32(idx, FANOUT + first * 4)? as usize;
    let count = be_u32(idx, FANOUT + 255 * 4)? as usize;
    let names = FANOUT + 256 * 4;
    while lo < hi {
        let mid = lo + (hi - lo) / 2;
        let name = idx
            .get(names + mid * 20..names + mid * 20 + 20)
            .ok_or(GitError::OutOfBounds)?;
        match name.cmp(want.as_slice()) {
            std::cmp::Ordering::Less => lo = mid + 1,
            std::cmp::Ordering::Greater => hi = mid,
            std::cmp::Ordering::Equal => {
                // names(count*20) then CRCs(count*4) then small offsets(count*4).
                let offsets = names + count * 20 + count * 4;
                let raw = be_u32(idx, offsets + mid * 4)?;
                if raw & 0x8000_0000 == 0 {
                    return Ok(Some(u64::from(raw)));
                }
                // MSB set: index into the 8-byte large-offset table.
                let large = offsets + count * 4;
                let slot = (raw & 0x7fff_ffff) as usize;
                return Ok(Some(be_u64(idx, large + slot * 8)?));
            }
        }
    }
    Ok(None)
}

/// Read and fully resolve the object at `offset` in `pack`.
fn read_object_at(
    pack: &[u8],
    offset: u64,
    objects_dir: &Path,
    depth: u32,
) -> Result<(ObjectKind, Vec<u8>)> {
    if depth > MAX_DELTA_DEPTH {
        return Err(GitError::InvalidObject("delta chain too deep".into()));
    }
    let off = usize::try_from(offset).map_err(|_| GitError::OutOfBounds)?;
    let (type_id, _size, body) = parse_object_header(pack, off)?;
    match type_id {
        1..=4 => Ok((kind_from_type(type_id)?, inflate(pack, body)?)),
        6 => {
            // OFS_DELTA: a negative offset (varint) to the base, then the delta.
            let (back, delta_start) = parse_ofs_delta(pack, body)?;
            let base_off = off.checked_sub(back).ok_or(GitError::OutOfBounds)?;
            let (kind, base) = read_object_at(pack, base_off as u64, objects_dir, depth + 1)?;
            Ok((kind, apply_delta(&base, &inflate(pack, delta_start)?)?))
        }
        7 => {
            // REF_DELTA: a 20-byte base hash, then the delta.
            let base_hash =
                GitHash::from_bytes(pack.get(body..body + 20).ok_or(GitError::OutOfBounds)?)?;
            let delta = inflate(pack, body + 20)?;
            let (kind, base) = resolve_base(objects_dir, &base_hash, depth + 1)?;
            Ok((kind, apply_delta(&base, &delta)?))
        }
        other => Err(GitError::InvalidObject(format!(
            "unknown pack object type {other}"
        ))),
    }
}

/// Resolve a `REF_DELTA` base by hash — it may live in a pack or as a loose object.
fn resolve_base(objects_dir: &Path, hash: &GitHash, depth: u32) -> Result<(ObjectKind, Vec<u8>)> {
    if depth > MAX_DELTA_DEPTH {
        return Err(GitError::InvalidObject("delta chain too deep".into()));
    }
    if let Some(obj) = read_packed(objects_dir, hash)? {
        return Ok((obj.kind, obj.data));
    }
    let obj = crate::loose::read_loose(objects_dir, hash)?;
    Ok((obj.kind, obj.data))
}

/// Parse a pack object header: 3-bit type + variable-length size. Returns
/// `(type_id, size, body_offset)`.
fn parse_object_header(pack: &[u8], off: usize) -> Result<(u8, usize, usize)> {
    let mut pos = off;
    let b = *pack.get(pos).ok_or(GitError::OutOfBounds)?;
    pos += 1;
    let type_id = (b >> 4) & 0x7;
    let mut size = (b & 0x0f) as usize;
    let mut shift = 4;
    let mut more = b & 0x80 != 0;
    while more {
        let b = *pack.get(pos).ok_or(GitError::OutOfBounds)?;
        pos += 1;
        size |= ((b & 0x7f) as usize)
            .checked_shl(shift)
            .ok_or(GitError::OutOfBounds)?;
        shift += 7;
        more = b & 0x80 != 0;
    }
    Ok((type_id, size, pos))
}

/// Parse the `OFS_DELTA` negative base offset. Returns `(distance, body_offset)`.
fn parse_ofs_delta(pack: &[u8], off: usize) -> Result<(usize, usize)> {
    let mut pos = off;
    let mut b = *pack.get(pos).ok_or(GitError::OutOfBounds)?;
    pos += 1;
    let mut value = (b & 0x7f) as usize;
    while b & 0x80 != 0 {
        b = *pack.get(pos).ok_or(GitError::OutOfBounds)?;
        pos += 1;
        value = value
            .checked_add(1)
            .and_then(|v| v.checked_shl(7))
            .map(|v| v | (b & 0x7f) as usize)
            .ok_or(GitError::OutOfBounds)?;
    }
    Ok((value, pos))
}

/// Apply a git delta (`base` + delta instructions → reconstructed object).
///
/// Exposed for fuzzing: `delta` is fully attacker-controlled, so this must never
/// panic or read out of bounds regardless of input.
///
/// # Errors
/// Returns [`GitError`] on a malformed delta (bad opcode, out-of-range copy, or
/// a size disagreeing with the delta header).
pub fn apply_delta(base: &[u8], delta: &[u8]) -> Result<Vec<u8>> {
    let (_src, mut p) = read_delta_size(delta, 0)?;
    let (target_size, q) = read_delta_size(delta, p)?;
    p = q;
    let mut out = Vec::with_capacity(target_size.min(MAX_OBJECT_SIZE as usize));
    while p < delta.len() {
        let cmd = delta[p];
        p += 1;
        if cmd & 0x80 != 0 {
            // COPY <offset,size> from base; bytes present per the cmd bitmask.
            let mut copy_off = 0usize;
            for i in 0..4 {
                if cmd & (1 << i) != 0 {
                    copy_off |= (*delta.get(p).ok_or(GitError::OutOfBounds)? as usize) << (8 * i);
                    p += 1;
                }
            }
            let mut copy_size = 0usize;
            for i in 0..3 {
                if cmd & (1 << (4 + i)) != 0 {
                    copy_size |= (*delta.get(p).ok_or(GitError::OutOfBounds)? as usize) << (8 * i);
                    p += 1;
                }
            }
            if copy_size == 0 {
                copy_size = 0x1_0000;
            }
            let end = copy_off
                .checked_add(copy_size)
                .ok_or(GitError::OutOfBounds)?;
            out.extend_from_slice(base.get(copy_off..end).ok_or(GitError::OutOfBounds)?);
        } else if cmd != 0 {
            // INSERT: `cmd` literal bytes follow in the delta stream.
            let n = cmd as usize;
            out.extend_from_slice(delta.get(p..p + n).ok_or(GitError::OutOfBounds)?);
            p += n;
        } else {
            return Err(GitError::InvalidObject("delta opcode 0 is reserved".into()));
        }
    }
    if out.len() != target_size {
        return Err(GitError::InvalidObject(format!(
            "delta produced {} bytes, header said {target_size}",
            out.len()
        )));
    }
    Ok(out)
}

/// Read a little-endian 7-bit varint (delta source/target sizes).
fn read_delta_size(delta: &[u8], mut p: usize) -> Result<(usize, usize)> {
    let mut value = 0usize;
    let mut shift = 0u32;
    loop {
        let b = *delta.get(p).ok_or(GitError::OutOfBounds)?;
        p += 1;
        value |= ((b & 0x7f) as usize)
            .checked_shl(shift)
            .ok_or(GitError::OutOfBounds)?;
        shift += 7;
        if b & 0x80 == 0 {
            break;
        }
    }
    Ok((value, p))
}

/// Inflate the zlib stream beginning at `start`, with a bomb guard.
fn inflate(pack: &[u8], start: usize) -> Result<Vec<u8>> {
    let compressed = pack.get(start..).ok_or(GitError::OutOfBounds)?;
    let mut out = Vec::new();
    ZlibDecoder::new(compressed)
        .take(MAX_OBJECT_SIZE + 1)
        .read_to_end(&mut out)
        .map_err(|e| GitError::InvalidObject(format!("pack zlib failed: {e}")))?;
    if out.len() as u64 > MAX_OBJECT_SIZE {
        return Err(GitError::DeflateBomb);
    }
    Ok(out)
}

fn kind_from_type(type_id: u8) -> Result<ObjectKind> {
    match type_id {
        1 => Ok(ObjectKind::Commit),
        2 => Ok(ObjectKind::Tree),
        3 => Ok(ObjectKind::Blob),
        4 => Ok(ObjectKind::Tag),
        other => Err(GitError::InvalidObject(format!(
            "pack object type {other} is not a base type"
        ))),
    }
}

fn kind_str(kind: ObjectKind) -> &'static [u8] {
    match kind {
        ObjectKind::Commit => b"commit",
        ObjectKind::Tree => b"tree",
        ObjectKind::Blob => b"blob",
        ObjectKind::Tag => b"tag",
    }
}

/// SHA-1 over `"<kind> <len>\0<data>"` must equal the object's name.
fn verify(hash: &GitHash, kind: ObjectKind, data: &[u8]) -> bool {
    let mut h = Sha1::new();
    h.update(kind_str(kind));
    h.update(b" ");
    h.update(data.len().to_string().as_bytes());
    h.update(b"\0");
    h.update(data);
    let digest: [u8; 20] = h.finalize().into();
    &digest == hash.as_bytes()
}

fn be_u32(b: &[u8], off: usize) -> Result<u32> {
    let s = b.get(off..off + 4).ok_or(GitError::OutOfBounds)?;
    Ok(u32::from_be_bytes([s[0], s[1], s[2], s[3]]))
}

fn be_u64(b: &[u8], off: usize) -> Result<u64> {
    let s = b.get(off..off + 8).ok_or(GitError::OutOfBounds)?;
    let mut a = [0u8; 8];
    a.copy_from_slice(s);
    Ok(u64::from_be_bytes(a))
}