Summary
In replace_pattern with global=true (from ${var//pattern/replacement}), if replacement is longer than the matched text, the output string grows without any size check. Parameter expansion results are intermediate computation values not checked against max_stdout_bytes or MemoryLimits. A 10KB input can produce a 10MB output.
Severity: Low
Category: TM-DOS (Denial of Service)
Affected Files
crates/bashkit/src/interpreter/mod.rs lines 6741-6751
Steps to Reproduce
val=$(printf 'x%.0s' {1..10000})
replacement=$(printf 'A%.0s' {1..1000})
result="${val//x/$replacement}"
# result is ~10,000,000 characters (10MB) from a 10KB input
echo "${#result}"Impact
Memory amplification during parameter expansion. Can cause OOM before memory budget catches it.
Acceptance Criteria
Summary
In
replace_patternwithglobal=true(from${var//pattern/replacement}), ifreplacementis longer than the matched text, the output string grows without any size check. Parameter expansion results are intermediate computation values not checked againstmax_stdout_bytesorMemoryLimits. A 10KB input can produce a 10MB output.Severity: Low
Category: TM-DOS (Denial of Service)
Affected Files
crates/bashkit/src/interpreter/mod.rslines 6741-6751Steps to Reproduce
Impact
Memory amplification during parameter expansion. Can cause OOM before memory budget catches it.
Acceptance Criteria