Source: DeepSec Rust-focused direct pass 20260507013924-5f4812745ba339b2.
Severity: HIGH_BUG
Confidence: high
File: crates/bashkit/src/interop/fs.rs:223
Slug: other-memory-safety
Finding
import_filesystem and ImportedFileSystem::from_handle are safe public APIs, but they accept a handle containing raw instance/vtable pointers, dereference handle.vtable during validation, call retain on handle.instance, later dereference the raw vtable again, and mark the imported wrapper Send / Sync.
A malformed, stale, or non-thread-safe native-extension handle can therefore crash or corrupt the host process through safe Rust or binding-level capsule/external import paths. This should be treated as an unsafe FFI boundary, not a fully safe API.
Suggested Fix
Make raw handle import / from_handle unsafe or hide it behind binding-owned opaque tokens.
Store NonNull pointers only after unsafe validation, copy the vtable into owned immutable state, document lifetime/thread-safety invariants, and avoid exposing safe APIs that can dereference arbitrary foreign pointers.
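The hardened shape the Suggested Fix describes, as an added Rust example that is not bashkit's code: FsVTable, FsHandle, ImportedFs and the MockFs stand-in are hypothetical names and layouts, and the only constructor is an unsafe fn that validates, copies the vtable once, and retains the instance before handing out a Send + Sync wrapper.

```rust
use std::ffi::c_void;
use std::ptr::NonNull;
use std::sync::atomic::{AtomicU32, Ordering};

/// Hypothetical vtable exported by a native filesystem extension (not bashkit's layout).
#[repr(C)]
#[derive(Clone, Copy)]
pub struct FsVTable {
    pub retain: unsafe extern "C" fn(*mut c_void),
    pub release: unsafe extern "C" fn(*mut c_void),
    pub file_count: unsafe extern "C" fn(*mut c_void) -> u32,
}

/// Raw handle as a binding hands it across the FFI boundary: two bare pointers.
#[repr(C)]
pub struct FsHandle { pub instance: *mut c_void, pub vtable: *const FsVTable }

/// Hardened wrapper: NonNull instance kept only after validation, vtable copied into
/// owned immutable state so later calls never re-read foreign memory.
pub struct ImportedFs { instance: NonNull<c_void>, vtable: FsVTable }

impl ImportedFs {
    /// # Safety
    /// `handle.vtable` must point to a valid vtable and `handle.instance` to a live object
    /// that stays valid until drop and tolerates calls from any thread (wrapper is Send +
    /// Sync). Only null pointers can be detected here; everything else is the caller's word.
    pub unsafe fn from_handle(handle: FsHandle) -> Option<Self> {
        let instance = NonNull::new(handle.instance)?;
        let vtable = *unsafe { handle.vtable.as_ref() }?;
        unsafe { (vtable.retain)(instance.as_ptr()) };
        Some(Self { instance, vtable })
    }
    pub fn file_count(&self) -> u32 {
        // SAFETY: upheld by the caller of `from_handle`, the only constructor.
        unsafe { (self.vtable.file_count)(self.instance.as_ptr()) }
    }
}
impl Drop for ImportedFs {
    fn drop(&mut self) { unsafe { (self.vtable.release)(self.instance.as_ptr()) } }
}
// SAFETY: thread-safety is part of the documented `from_handle` contract, not assumed.
unsafe impl Send for ImportedFs {}
unsafe impl Sync for ImportedFs {}

// Constructed in-process stand-in for a native extension so the example runs offline.
pub struct MockFs { pub refs: AtomicU32, pub files: u32 }
unsafe extern "C" fn mock_retain(p: *mut c_void) { unsafe { (*p.cast::<MockFs>()).refs.fetch_add(1, Ordering::SeqCst); } }
unsafe extern "C" fn mock_release(p: *mut c_void) { unsafe { (*p.cast::<MockFs>()).refs.fetch_sub(1, Ordering::SeqCst); } }
unsafe extern "C" fn mock_file_count(p: *mut c_void) -> u32 { unsafe { (*p.cast::<MockFs>()).files } }
pub static MOCK_VTABLE: FsVTable = FsVTable { retain: mock_retain, release: mock_release, file_count: mock_file_count };
```

A binding that owns the raw handle is the one place that takes on the `from_handle` contract; null instance or vtable pointers are rejected, while stale or non-thread-safe handles remain the caller's responsibility, which is exactly why the constructor cannot be a safe fn.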