Cargo does not treat globs under negation(!) correctly when parsing known_hosts #16595

@TanmayArya-1p

Description

Problem

Say we had a hostname as follows in the known_hosts file: `*github.com,!*h.github.com ecdsa-sha2-nistp256 AAAAC3NzaC1lZDI...`
The expected behaviour as per the sshd manual is to not recognise ssh.github.com.
Using git or ssh in the above case will prompt you to add the fingerprint to known_hosts.

However, when cargo update is run with a dependency: ripgrep = { git = "ssh://git@ssh.github.com/BurntSushi/ripgrep.git" }, Cargo fetches the dependencies without throwing an error (which should be expected when a host is not recognised).

Upon some investigation, the issue comes from this block of code here:

```rust
for pattern in self.patterns.split(',') {
    let pattern = pattern.to_lowercase();
    let is_glob = is_glob_pattern(&pattern);
    if is_glob {
        match glob::Pattern::new(&pattern) {
            Ok(glob) => match_found |= glob.matches(&host),
            Err(e) => {
                tracing::warn!(
                    "failed to interpret hostname `{pattern}` as glob pattern: {e}"
                )
            }
        }
    }
    if let Some(pattern) = pattern.strip_prefix('!') {
        if pattern == host {
            return false;
        }
    } else {
        match_found |= pattern == host;
    }
}
```

The first pattern (`*github.com`) matches and sets `match_found = true`. For the second pattern (`!*h.github.com`), it validates the host against the glob (which should return false, but `match_found` is already true) and it gets through the negation check.

Steps

  1. Remove the existing github.com entries from known_hosts and add this fingerprint:

     `*github.com,!*h.github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=`

  2. Add a dependency to your manifest that uses ssh.github.com:

     ```toml
     [dependencies]
     ripgrep = { git = "ssh://git@ssh.github.com/BurntSushi/ripgrep.git" }
     ```

  3. To not use the git CLI, add this to your config.toml:

     ```toml
     [net]
     git-fetch-with-cli = false
     ```

  4. Run `cargo update` and you should not see any error (but Cargo should throw an error here).

  5. Try the same with `git-fetch-with-cli = true` and you should see git asking to add a fingerprint to known_hosts.

Possible Solution(s)

In the block of code above, we could just first check if it's a negation and then parse the glob. If the glob matches under negation, then outright return false.

Notes

No response

Version

cargo 1.94.0-nightly (b54051b15 2025-12-30)
release: 1.94.0-nightly
commit-hash: b54051b1505281ec7a45a250140a0ff25d33f319
commit-date: 2025-12-30
host: x86_64-unknown-linux-gnu
libgit2: 1.9.1 (sys:0.20.2 vendored)
libcurl: 8.15.0-DEV (sys:0.4.83+curl-8.15.0 vendored ssl:OpenSSL/3.5.4)
ssl: OpenSSL 3.5.4 30 Sep 2025
os: Ubuntu 24.4.0 (noble) [64-bit]
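As an added illustration of the fix proposed above (example code, not Cargo's own), a standalone matcher that evaluates negated patterns before any positive match is used, following the sshd PATTERNS rule that a matching negated entry rejects the host regardless of other patterns. `wildcard_match` and `host_matches` are hypothetical names, and glob support is a minimal `*`/`?` matcher instead of the `glob` crate.

```rust
// Added example: known_hosts pattern-list matching with negation checked first.

/// Match `host` against one ssh-style wildcard pattern (`*` = any run of
/// characters, `?` = exactly one character). Simple backtracking matcher.
fn wildcard_match(pattern: &[u8], host: &[u8]) -> bool {
    match (pattern.first(), host.first()) {
        (None, None) => true,
        (None, Some(_)) => false,
        // `*` consumes zero or more characters: try every split point.
        (Some(b'*'), _) => (0..=host.len()).any(|i| wildcard_match(&pattern[1..], &host[i..])),
        (Some(b'?'), Some(_)) => wildcard_match(&pattern[1..], &host[1..]),
        (Some(p), Some(h)) => p == h && wildcard_match(&pattern[1..], &host[1..]),
        (Some(_), None) => false,
    }
}

/// Decide whether the pattern list of a known_hosts line (its first field,
/// e.g. "*github.com,!*h.github.com") covers `host`. A negated pattern that
/// matches is final: the host is rejected even if an earlier pattern matched.
fn host_matches(patterns: &str, host: &str) -> bool {
    let host = host.to_lowercase();
    let mut match_found = false;
    for pattern in patterns.split(',') {
        let pattern = pattern.to_lowercase();
        // Check negation before consulting the positive result.
        if let Some(negated) = pattern.strip_prefix('!') {
            if wildcard_match(negated.as_bytes(), host.as_bytes()) {
                return false;
            }
            continue;
        }
        match_found |= wildcard_match(pattern.as_bytes(), host.as_bytes());
    }
    match_found
}

fn main() {
    // Constructed sample: the pattern list from the report above.
    let line = "*github.com,!*h.github.com";
    println!("github.com     -> {}", host_matches(line, "github.com")); // true
    println!("ssh.github.com -> {}", host_matches(line, "ssh.github.com")); // false
}
```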
