[L-9] Network allowlist byte/char index mismatch on Unicode URLs (TM-UNI-019)

## Summary

The network allowlist path matching uses `pattern_path.len()` (byte count) as a char index into `url_path`, causing wrong path comparison on URLs with multi-byte characters.

**Threat Model ID:** TM-UNI-019

## Affected Code

- `crates/bashkit/src/network/allowlist.rs:194` — `url_path.chars().nth(pattern_path.len())` uses byte count as char index

```rust
// pattern_path.len() is BYTE count
// but chars().nth() expects CHAR index
url_path.chars().nth(pattern_path.len())
```

## Impact

- Path prefix matching may check the wrong character position when pattern contains multi-byte UTF-8
- Could allow a URL that should be blocked, or block one that should be allowed
- Low severity: URL paths with multi-byte chars in allowlist patterns are uncommon

## Fix

Use `pattern_path.chars().count()` or use byte-based comparison consistently:
```rust
if url_path.len() > pattern_path.len() {
    url_path.as_bytes().get(pattern_path.len()) == Some(&b'/')
}
```

## Related

- #395 (awk parser panics on Unicode char boundaries)
- TM-UNI-015 through TM-UNI-018 (other byte-boundary issues)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[L-9] Network allowlist byte/char index mismatch on Unicode URLs (TM-UNI-019) #438

Summary

Affected Code

Impact

Fix

Related

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[L-9] Network allowlist byte/char index mismatch on Unicode URLs (TM-UNI-019) #438

Description

Summary

Affected Code

Impact

Fix

Related

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions