Summary
looks_like_brace_expansion clones the char iterator and scans forward to find a matching }. If input contains { with no matching }, it scans the entire remaining input. Since this happens per { in the token-reading hot path, input with many unmatched { characters causes O(n^2) total scanning. This lookahead doesn't consume parser fuel ticks.
Severity: Low
Category: TM-DOS (Denial of Service)
Affected Files
crates/bashkit/src/parser/lexer.rs lines 1415-1449
Steps to Reproduce
# Input with many unmatched { characters
python3 -c "print('echo ' + '{ ' * 50000)" | bashkit
# Each { triggers scan to end of input: O(n^2) total workImpact
CPU consumption in parser not accounted for by fuel model. For inputs near 10MB max_input_bytes limit, this could cause significant delays. The parser_timeout (5s default) provides a backstop.
Acceptance Criteria
Summary
looks_like_brace_expansionclones the char iterator and scans forward to find a matching}. If input contains{with no matching}, it scans the entire remaining input. Since this happens per{in the token-reading hot path, input with many unmatched{characters causes O(n^2) total scanning. This lookahead doesn't consume parser fuel ticks.Severity: Low
Category: TM-DOS (Denial of Service)
Affected Files
crates/bashkit/src/parser/lexer.rslines 1415-1449Steps to Reproduce
Impact
CPU consumption in parser not accounted for by fuel model. For inputs near 10MB
max_input_byteslimit, this could cause significant delays. Theparser_timeout(5s default) provides a backstop.Acceptance Criteria
looks_like_brace_expansion(e.g., 10,000 chars){completes within parser timeout