DeepSec finding from bashkit scan.
- Run: None
- Generated: 2026-06-05T00:13:18.516Z
- Severity: MEDIUM
- Confidence: medium
- Slug: other-resource-exhaustion
- File: crates/bashkit/src/builtins/sqlite/dot_commands.rs
- Lines: 92, 287, 318, 324
Finding
The .dump command returns a single DotOutcome::Stdout String, and dump() constructs that String by appending schema and every table's rows before the caller can apply max_output_bytes. QueryLimits are applied to each SELECT separately, so max_result_bytes bounds one query/table result but not the cumulative dump across many tables. An attacker controlling shell input can create many tables/rows and run .dump, causing memory growth beyond the configured rendered-output cap before rejection. The SQL identifier quoting at line 318 is safe against injection; the issue is the late aggregate output enforcement.
Recommendation
Make dot-command output bounded during construction: pass the remaining output budget into dump(), append through a checked writer, or stream chunks through push_stdout_bounded after each schema/row append. Charge every chunk (schema and each row) against one cumulative budget shared by all tables, and reject before allocating the next chunk rather than after the full String has been built.
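The following is an added illustration of the "checked writer" approach, not code from bashkit. It assumes a hypothetical BoundedOut writer, an OutputLimit error and a constructed Table struct standing in for rows read from SQLite; the real dump() would feed its schema and row strings through the same push() instead of appending to a plain String. The point it shows is that a cap which each table fits individually is still exceeded cumulatively, and that the check fires before the oversized chunk is ever appended.

```rust
// Added example: one cumulative output budget applied while a multi-table
// dump is built, so the buffer never grows past the cap before rejection.
// BoundedOut, OutputLimit, Table, dump_bounded and sample_tables are
// assumptions made for this example; they are not bashkit's own API.

#[derive(Debug, PartialEq)]
pub struct OutputLimit {
    pub limit: usize,
    /// Bytes the buffer would have held had the rejected chunk been appended.
    pub needed: usize,
}

pub struct BoundedOut {
    buf: String,
    remaining: usize,
    limit: usize,
}

impl BoundedOut {
    pub fn new(max_output_bytes: usize) -> Self {
        BoundedOut { buf: String::new(), remaining: max_output_bytes, limit: max_output_bytes }
    }

    /// Append `chunk` only if it fits the remaining budget. The check runs
    /// before the append, so `buf` can never exceed `limit` bytes.
    pub fn push(&mut self, chunk: &str) -> Result<(), OutputLimit> {
        let n = chunk.len();
        if n > self.remaining {
            return Err(OutputLimit { limit: self.limit, needed: self.buf.len() + n });
        }
        self.remaining -= n;
        self.buf.push_str(chunk);
        Ok(())
    }

    pub fn into_string(self) -> String {
        self.buf
    }
}

/// Constructed stand-in for a table and its rows as read from SQLite.
pub struct Table {
    pub name: String,
    pub create_sql: String,
    pub rows: Vec<Vec<String>>,
}

/// Double-quote an identifier, doubling embedded quotes (the quoting the
/// finding already considers safe; reproduced here only so the dump is valid SQL).
pub fn quote_ident(name: &str) -> String {
    format!("\"{}\"", name.replace('"', "\"\""))
}

/// Single-quote a text literal for an INSERT.
fn quote_literal(v: &str) -> String {
    format!("'{}'", v.replace('\'', "''"))
}

/// Dump every table, charging schema and each row against a single budget.
/// Returns Err as soon as the next chunk would exceed the cap.
pub fn dump_bounded(tables: &[Table], max_output_bytes: usize) -> Result<String, OutputLimit> {
    let mut out = BoundedOut::new(max_output_bytes);
    out.push("BEGIN TRANSACTION;\n")?;
    for t in tables {
        out.push(&format!("{};\n", t.create_sql))?;
        for row in &t.rows {
            let vals: Vec<String> = row.iter().map(|v| quote_literal(v)).collect();
            out.push(&format!("INSERT INTO {} VALUES({});\n", quote_ident(&t.name), vals.join(",")))?;
        }
    }
    out.push("COMMIT;\n")?;
    Ok(out.into_string())
}

/// Constructed sample data: `n` tables with `rows_per_table` rows each,
/// the shape an attacker controlling shell input could create before `.dump`.
pub fn sample_tables(n: usize, rows_per_table: usize) -> Vec<Table> {
    (0..n)
        .map(|i| Table {
            name: format!("t{i}"),
            create_sql: format!("CREATE TABLE \"t{i}\"(a TEXT)"),
            rows: (0..rows_per_table).map(|r| vec![format!("row{r}")]).collect(),
        })
        .collect()
}

fn main() {
    // A small database fits the cap; many small tables do not, and the
    // rejection happens while building, not after a full String exists.
    for (tables, cap) in [(sample_tables(2, 2), 1024usize), (sample_tables(200, 50), 4096)] {
        match dump_bounded(&tables, cap) {
            Ok(s) => println!("dump ok, {} bytes", s.len()),
            Err(e) => println!("dump rejected: {e:?}"),
        }
    }
}
```

The per-query QueryLimits stay where they are; this writer is the extra layer that makes the aggregate cap hold. Whether the rejection surfaces as an error or as a truncated stdout is a policy choice for the caller, but in both cases the allocation that would have exceeded max_output_bytes never happens.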