Summary
printf "%.65536f" 1.0 triggers a thread panic in Rust's format! macro because the precision value exceeds the u16 maximum (65535). No bounds check exists before the user-controlled precision is passed to format!. The panic dumps a full stack backtrace to stderr, leaking internal file paths and dependency versions.
Severity: Medium
Category: DoS / Information Disclosure (TM-DOS / TM-INT)
Affected Files
crates/bashkit/src/builtins/printf.rs line 382
Steps to Reproduce
printf "%.65536f" 1.0
# Thread panics with:
# thread 'main' panicked at 'Formatting argument out of range'
# Full backtrace with internal paths leaked to stderr
Impact
- Crash: Interpreter thread panics on attacker-controlled input
- Information disclosure: Stack backtrace reveals internal source paths (./crates/bashkit/src/builtins/printf.rs:382:37), cargo registry paths, dependency versions (tokio, anyhow versions), and function names
Acceptance Criteria
- Clamp fmt_spec.precision to maximum 65535 (or lower, e.g., 10000) before the format! call
- printf "%.99999f" 1.0 returns graceful error or clamped output
- printf "%.100f" 1.0 still works correctly
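The bound the acceptance criteria ask for, as an added Rust example that is not bashkit's own code: it parses the precision out of a minimal %.Nf spec, clamps it before the format! call, and reports the clamp instead of panicking. MAX_PRECISION, parse_precision, format_float and printf_f are names assumed for this example.

```rust
// Added example (not bashkit's own code): bound a user-supplied printf
// precision before it reaches format!, which panics when the value does not
// fit the u16 it stores internally ("Formatting argument out of range").

/// Upper bound applied to a requested precision. 65535 is the largest value
/// format! accepts; the report suggests a lower cap such as 10000 as an option.
/// The constant name and value are assumptions of this example.
pub const MAX_PRECISION: usize = 65_535;

/// Parse the precision from a minimal "%.<digits>f" conversion spec.
/// Returns None when the spec does not have that shape. A digit run too
/// large for usize saturates to usize::MAX so it is clamped, not rejected.
pub fn parse_precision(spec: &str) -> Option<usize> {
    let digits = spec.strip_prefix("%.")?.strip_suffix('f')?;
    if digits.is_empty() || !digits.bytes().all(|b| b.is_ascii_digit()) {
        return None;
    }
    Some(digits.parse::<usize>().unwrap_or(usize::MAX))
}

/// Clamp the precision and format the value. Returns the output and whether
/// clamping occurred; the clamp runs before format! ever sees the argument.
pub fn format_float(value: f64, requested: usize) -> (String, bool) {
    let clamped = requested > MAX_PRECISION;
    let precision = requested.min(MAX_PRECISION);
    (format!("{:.*}", precision, value), clamped)
}

/// Mirror of `printf "%.Nf" value`: malformed specs become an Err string
/// and oversized precisions produce a warning plus clamped output.
pub fn printf_f(spec: &str, value: f64) -> Result<String, String> {
    let requested = parse_precision(spec)
        .ok_or_else(|| format!("printf: invalid format spec {spec:?}"))?;
    let (out, clamped) = format_float(value, requested);
    if clamped {
        eprintln!("printf: warning: precision {requested} clamped to {MAX_PRECISION}");
    }
    Ok(out)
}

fn main() {
    // The report's reproducer: with the clamp it yields "1." plus 65535 zeros.
    match printf_f("%.65536f", 1.0) {
        Ok(s) => println!("{} chars of output", s.len()),
        Err(e) => eprintln!("{e}"),
    }
}
```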