fix(builtins): limit AWK getline file cache to prevent memory exhaustion

Closes #988

Author: chaliy

crates/bashkit/src/builtins/awk.rs

@@ -25,6 +25,10 @@ use crate::error::{Error, Result};
 use crate::fs::FileSystem;
 use crate::interpreter::ExecResult;
 
+/// THREAT[TM-DOS-988]: Maximum number of distinct files cached by `getline var < file`.
+/// Prevents memory exhaustion from unbounded file caching.
+const MAX_GETLINE_CACHED_FILES: usize = 100;
+
 /// awk command - pattern scanning and processing
 pub struct Awk;
 
@@ -2100,6 +2104,9 @@ struct AwkInterpreter {
     file_appends: HashMap<String, String>,
     /// Cached file inputs for `getline var < file` redirection.
     /// Maps resolved path -> (lines, current_position).
+    /// THREAT[TM-DOS-988]: Bounded to `MAX_GETLINE_CACHED_FILES` entries and
+    /// per-file size capped by `FsLimits::max_file_size` to prevent memory
+    /// exhaustion via unbounded file caching.
     file_inputs: HashMap<String, (Vec<String>, usize)>,
     /// VFS reference for lazy file reads (getline < file).
     fs: Option<Arc<dyn FileSystem>>,
@@ -2128,13 +2135,22 @@ impl AwkInterpreter {
     /// Load a file into the `file_inputs` cache if not already present.
     /// Uses a separate thread + tokio runtime to bridge async VFS → sync context.
     /// Returns true on success, false on error.
+    ///
+    /// THREAT[TM-DOS-988]: Enforces two limits:
+    /// 1. Max `MAX_GETLINE_CACHED_FILES` distinct files cached at once.
+    /// 2. Per-file byte size capped by `FsLimits::max_file_size`.
     fn ensure_file_loaded(&mut self, resolved: &str) -> bool {
         if self.file_inputs.contains_key(resolved) {
             return true;
         }
+        // Enforce cached-file count limit.
+        if self.file_inputs.len() >= MAX_GETLINE_CACHED_FILES {
+            return false;
+        }
         let Some(fs) = &self.fs else {
             return false;
         };
+        let max_file_size = fs.limits().max_file_size;
         let fs = fs.clone();
         let p = PathBuf::from(resolved);
         // Spawn a thread with its own runtime to avoid blocking the current async runtime.
@@ -2148,6 +2164,10 @@ impl AwkInterpreter {
         .join();
         match result {
             Ok(Ok(bytes)) => {
+                // Enforce per-file size limit.
+                if bytes.len() as u64 > max_file_size {
+                    return false;
+                }
                 let text = String::from_utf8_lossy(&bytes).into_owned();
                 let lines: Vec<String> = text.lines().map(|l| l.to_string()).collect();
                 self.file_inputs.insert(resolved.to_string(), (lines, 0));
@@ -4379,4 +4399,129 @@ mod tests {
             .unwrap();
         assert_eq!(result.stdout, "ok\n");
     }
+
+    /// Helper: run AWK with a caller-provided VFS.
+    async fn run_awk_with_custom_fs(
+        args: &[&str],
+        stdin: Option<&str>,
+        fs: Arc<InMemoryFs>,
+    ) -> Result<ExecResult> {
+        let awk = Awk;
+        let mut vars = HashMap::new();
+        let mut cwd = PathBuf::from("/");
+        let args: Vec<String> = args.iter().map(|s| s.to_string()).collect();
+
+        let ctx = Context {
+            args: &args,
+            env: &HashMap::new(),
+            variables: &mut vars,
+            cwd: &mut cwd,
+            fs,
+            stdin,
+            #[cfg(feature = "http_client")]
+            http_client: None,
+            #[cfg(feature = "git")]
+            git_client: None,
+            shell: None,
+        };
+
+        awk.execute(ctx).await
+    }
+
+    #[tokio::test]
+    async fn test_awk_getline_file_cache_limit_exceeded() {
+        // Opening more than MAX_GETLINE_CACHED_FILES distinct files must fail
+        // gracefully (getline returns -1 for new files beyond the limit).
+        use crate::fs::FsLimits;
+
+        let limits = FsLimits {
+            max_file_count: 200_000,
+            max_total_bytes: 200_000_000,
+            ..FsLimits::default()
+        };
+        let fs = Arc::new(InMemoryFs::with_limits(limits));
+        let count = MAX_GETLINE_CACHED_FILES + 5;
+        for i in 0..count {
+            fs.write_file(
+                std::path::Path::new(&format!("/tmp/f{i}.txt")),
+                format!("line{i}").as_bytes(),
+            )
+            .await
+            .unwrap();
+        }
+
+        // AWK program: read one line from each file, count successes
+        let prog = format!(
+            r#"BEGIN{{ ok=0; for(i=0;i<{count};i++) {{ f="/tmp/f"i".txt"; if((getline x < f)>0) ok++ }} print ok }}"#,
+        );
+        let result = run_awk_with_custom_fs(&[&prog], None, fs).await.unwrap();
+        let ok: usize = result.stdout.trim().parse().unwrap();
+        // Exactly MAX_GETLINE_CACHED_FILES should succeed, rest should fail
+        assert_eq!(ok, MAX_GETLINE_CACHED_FILES);
+    }
+
+    #[tokio::test]
+    async fn test_awk_getline_file_cache_within_limit() {
+        // Opening a reasonable number of files should all succeed.
+        let fs = Arc::new(InMemoryFs::new());
+        let count = 10;
+        for i in 0..count {
+            fs.write_file(
+                std::path::Path::new(&format!("/tmp/f{i}.txt")),
+                format!("data{i}").as_bytes(),
+            )
+            .await
+            .unwrap();
+        }
+
+        let prog = format!(
+            r#"BEGIN{{ ok=0; for(i=0;i<{count};i++) {{ f="/tmp/f"i".txt"; if((getline x < f)>0) ok++ }} print ok }}"#,
+        );
+        let result = run_awk_with_custom_fs(&[&prog], None, fs).await.unwrap();
+        let ok: usize = result.stdout.trim().parse().unwrap();
+        assert_eq!(ok, count);
+    }
+
+    #[tokio::test]
+    async fn test_awk_getline_file_size_limit() {
+        // A file exceeding FsLimits::max_file_size is rejected by getline.
+        // Defense-in-depth: VFS also enforces limits, so a file at exactly
+        // the boundary is accepted while one over is rejected at VFS level.
+        use crate::fs::FsLimits;
+
+        let limits = FsLimits {
+            max_file_size: 100,
+            ..FsLimits::unlimited()
+        };
+        let fs = Arc::new(InMemoryFs::with_limits(limits));
+        // Write a file within limits -- should be readable via getline.
+        fs.write_file(std::path::Path::new("/tmp/ok.txt"), &[b'a'; 100])
+            .await
+            .unwrap();
+        // Attempt to write an oversized file -- VFS rejects it, so getline
+        // returns -1 (file not found).
+        let _ = fs
+            .write_file(std::path::Path::new("/tmp/big.txt"), &[b'x'; 101])
+            .await;
+
+        // Within-limit file succeeds
+        let result = run_awk_with_custom_fs(
+            &[r#"BEGIN{r=(getline x < "/tmp/ok.txt"); print r}"#],
+            None,
+            fs.clone(),
+        )
+        .await
+        .unwrap();
+        assert_eq!(result.stdout, "1\n");
+
+        // Over-limit file fails (not stored by VFS)
+        let result = run_awk_with_custom_fs(
+            &[r#"BEGIN{r=(getline x < "/tmp/big.txt"); print r}"#],
+            None,
+            fs,
+        )
+        .await
+        .unwrap();
+        assert_eq!(result.stdout, "-1\n");
+    }
 }