git-forensic is designed to parse untrusted Git object stores — including .git directories acquired from compromised or actively hostile systems. Hostile input is the expected case, not an edge case. Robustness against crafted objects, packfiles, and delta chains is a core design goal, and we take reports of crashes, hangs, or memory-safety issues seriously.

Security fixes are released against the latest published 0.1.x line.

Do not open a public GitHub issue for a security vulnerability.

Report privately, by either:

• GitHub Security Advisories — open a private advisory on the git-forensic repository, or
• Email — albert@securityronin.com.

Please include:

• the affected version and target triple,
• a minimal reproducing object, packfile, or byte buffer (a fuzz corpus entry is ideal),
• the observed behaviour (panic, hang, excessive allocation, mis-parse) and the expected behaviour.

We aim to acknowledge a report within a few business days and to coordinate disclosure once a fix is available.

git-forensic is hardened against adversarial input by construction:

• #![forbid(unsafe_code)] across both crates — no unsafe, no libgit2, no C bindings, anywhere.
• No panics on malicious input — every length, offset, and delta instruction is validated against both the structure's declared size and the actual buffer; arithmetic is checked or saturating.
• Bounded reads — object and delta-target sizes are capped, refusing allocation bombs (e.g. a crafted delta that claims an enormous result).
• Loop caps — delta chains and object walks are bounded against non-terminating traversals.
• Fail loud — malformed input surfaces as a typed GitError rather than a silent default or a silently-wrong parse.

Continuous fuzzing with cargo-fuzz backs the hardening above. Four targets cover the parsers that consume attacker-controlled bytes:

Panics found by fuzzing are fixed and pinned as regression tests.

For how to run the targets yourself, see CONTRIBUTING.md.