Finding C-1: Arithmetic Panic/DoS
Severity: CRITICAL
File: crates/bashkit/src/interpreter/mod.rs:7444
Threat ID: TM-DOS-029 (new)
Description
The arithmetic exponentiation operator casts i64 to u32 unsafely:
return left.pow(right as u32);
Negative right values wrap (e.g., -1 becomes 4294967295). Large exponents cause panic in debug builds or CPU hang in release. Even $(( 2 ** 63 )) overflows i64.
Related arithmetic issues in the same file
- Shift operators (lines 7343/7353):
left << right / left >> right panic if right >= 64 or right < 0
- Standard arithmetic (lines 7379-7407):
+, -, * panic on overflow in debug builds
- Division (line 7413):
i64::MIN / -1 panics (not caught by the right != 0 check)
Attack Vector
$(( 2 ** -1 )) # wraps to 2^4294967295 - hang/panic
$(( 2 ** 999999999999 )) # huge exponent - hang
$(( 1 << 64 )) # shift panic
$(( -9223372036854775808 / -1 )) # i64::MIN / -1 - panic
Recommended Fix
// Exponentiation: clamp and use wrapping
let exp = right.clamp(0, 63) as u32;
return left.wrapping_pow(exp);
// Shifts: clamp shift amount
let shift = right.clamp(0, 63) as u32;
return left.wrapping_shl(shift);
// All arithmetic: use wrapping_add, wrapping_sub, wrapping_mul
// Division: add check for left == i64::MIN && right == -1
Write a failing test first per AGENTS.md.
Finding C-1: Arithmetic Panic/DoS
Severity: CRITICAL
File:
crates/bashkit/src/interpreter/mod.rs:7444Threat ID: TM-DOS-029 (new)
Description
The arithmetic exponentiation operator casts
i64tou32unsafely:Negative
rightvalues wrap (e.g.,-1becomes4294967295). Large exponents cause panic in debug builds or CPU hang in release. Even$(( 2 ** 63 ))overflowsi64.Related arithmetic issues in the same file
left << right/left >> rightpanic ifright >= 64orright < 0+,-,*panic on overflow in debug buildsi64::MIN / -1panics (not caught by theright != 0check)Attack Vector
Recommended Fix
Write a failing test first per AGENTS.md.