Summary
ExpandGit is a widely deployed distributed version control system that serves as foundational infrastructure for software development workflows worldwide. The codebase is primarily written in C with extensive shell scripting for its test harness and ancillary tooling. The audited scope spans ten sections encompassing core builtin commands, the credential storage subsystem, contributor-maintained extensions, fuzz testing infrastructure, and a comprehensive test suite including unit tests, performance benchmarks, and integration helpers. The architecture reflects decades of incremental development with a modular command structure, where each builtin operation is implemented as a discrete compilation unit linked against shared library routines for object manipulation, network transport, and platform abstraction.
The codebase demonstrates a mature security posture informed by its position as critical infrastructure. Git employs cryptographic object verification via SHA-1 and SHA-256 hash algorithms, implements careful input validation at protocol boundaries, and maintains a defense-in-depth approach to handling untrusted repository data. The credential helper subsystem implements platform-specific secure storage integration through the Windows Credential Manager API, using wide-character string conversions and Windows security APIs. The fuzz testing infrastructure under oss-fuzz reflects a proactive approach to discovering memory safety issues, and the extensive test suite—spanning thousands of test cases across multiple frameworks—provides meaningful regression coverage against security-relevant behavioral changes.
The overall security posture of the Git codebase is strong, consistent with its maturity and the scrutiny it receives as critical open-source infrastructure. One low-severity finding was identified, localized to the Windows credential helper (`contrib/credential/wincred`), a platform-specific component that handles sensitive authentication material. The heap buffer overflow arises from a subtle size calculation error when converting between multibyte and wide-character string representations—a well-known class of vulnerability in Windows C code that interacts with `wchar_t` APIs. While the affected code path requires local credential storage operations to trigger, the fact that it processes authentication credentials elevates the risk profile beyond a typical buffer overflow, as exploitation could potentially lead to credential disclosure or corruption. No findings were identified, and the core Git object model, transport protocols, and command implementations exhibited no vulnerabilities at the medium threshold or above.
Findings
1 issue identified
Heap buffer overflow in store_credential due to missing null terminator allocation and incorrect _snwprintf_s size parameter
contrib/credential/wincred/git-credential-wincred.c:171
View Details
Description
In store_credential(), when oauth_refresh_token is present, _scwprintf returns the character count excluding the null terminator. The buffer is allocated as sizeof(WCHAR) * wlen with no space for the null terminator. Additionally, _snwprintf_s receives sizeof(WCHAR) * wlen (bytes) as sizeOfBuffer when it expects wide-character count. This causes a 2-byte heap buffer overflow when the null terminator is written past the allocation.
Impact
A 2-byte heap buffer overflow occurs when storing credentials with an OAuth refresh token. Heap metadata corruption could lead to crashes or potentially exploitable conditions. A malicious OAuth server could trigger this during credential storage.
Recommendation
Allocate sizeof(WCHAR) * (wlen + 1) to include space for the null terminator, and pass wlen + 1 as the sizeOfBuffer parameter in character units.
Fix
The fix adds 1 to the allocation to account for the null terminator and passes the correct character count (wlen + 1) as sizeOfBuffer instead of a byte count.
contrib/credential/wincred/git-credential-wincred.c
Conclusion
ExpandThe Git codebase reflects exceptional software engineering maturity, with clear separation of concerns between its core object store, command dispatch layer, and platform-specific subsystems. The C code in the core paths demonstrates disciplined memory management practices, careful bounds checking on user-supplied input, and consistent use of safe string handling functions. The presence of a dedicated fuzz testing corpus and a test suite that exercises both unit-level and integration-level behaviors indicates an active commitment to defect prevention. The single identified vulnerability, while meaningful, is confined to a contributor-maintained credential helper and does not reflect systemic weaknesses in the project’s security engineering practices.
The low-severity finding [M-1] targets the wincred credential helper’s handling of wide-character string buffers in the store_credential function. The allocation size for the credential target string fails to account for the null terminator, and the subsequent _snwprintf_s call receives an incorrect buffer size parameter, creating a one-or-more-wide-character heap overflow. In a real-world attack scenario, a malicious credential response from a compromised remote or a crafted Git configuration could trigger this overflow during credential storage operations, potentially enabling code execution in the context of the user’s session where authentication tokens are in memory.
The Git core is deployment-ready with high confidence at the low-severity threshold. The identified heap buffer overflow in the Windows credential helper should be remediated before any Windows distribution that includes git-credential-wincred, as the component directly handles authentication secrets and operates without additional sandboxing. The recommended fix is surgical: adjusting the allocation in store_credential to include space for the null terminator and correcting the size parameter passed to _snwprintf_s from bytes to the correct wide-character count. This correction is a minimal, low-risk change that does not alter control flow or require architectural modification. Following remediation, a targeted fuzz campaign against the credential helper’s string conversion paths would provide additional assurance against similar size-confusion defects.
On-Chain Verification
Compare these values with the on-chain attestation
Verify: download the markdown and compare the hash
sha256sum git.md
Legal Disclaimer: This report covers the code submitted for analysis. It does not account for infrastructure, deployment configuration, third-party dependencies, or changes made after the audit date. Automated analysis may produce false positives or miss context-dependent vulnerabilities. audited.xyz provides this report “as is” without warranty of any kind.