Summary
try_expand_range() at interpreter/mod.rs:8049-8060 expands {N..M} into a Vec with no cap on (M - N). Also, expand_braces() at mod.rs:7967-8035 recurses without limiting the total number of expanded strings from combinatorial patterns.
Impact — HIGH
- {1..999999999} allocates billions of strings → OOM
- {1..100}{1..100}{1..100} = 1M strings → OOM
- Expansion happens before command dispatch, so command limits don't catch it
Reproduction
echo {1..999999999} > /dev/null # OOM
echo {1..100}{1..100}{1..100} # 1M strings
Recommended fix
Cap range size in try_expand_range() (e.g., 10,000 elements):
// abs_diff avoids the signed overflow that (end_num - start_num) can hit on extreme operands
if end_num.abs_diff(start_num) > 10_000 {
    return None; // Treat as literal
}
Cap total expansion count in expand_braces().
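Added illustration of both caps, not the project's code: a simplified single-level brace expander (no nesting) whose constant names, limits and helper functions are assumptions. The total-count check runs on the product of alternative counts before any output string is allocated, so an over-cap pattern is rejected without first building the expansion.

```rust
const MAX_RANGE_ELEMS: u64 = 10_000;        // assumed per-range cap
const MAX_TOTAL_EXPANSIONS: usize = 100_000; // assumed cap on the whole product

/// Expand an integer "N..M" body; None if not a range or larger than the cap.
fn try_expand_range(body: &str) -> Option<Vec<String>> {
    let (a, b) = body.split_once("..")?;
    let start: i64 = a.trim().parse().ok()?;
    let end: i64 = b.trim().parse().ok()?;
    // abs_diff cannot overflow, unlike (end - start) on extreme operands.
    if end.abs_diff(start) > MAX_RANGE_ELEMS {
        return None; // caller keeps the text literal
    }
    let items: Vec<String> = if start <= end {
        (start..=end).map(|n| n.to_string()).collect()
    } else {
        (end..=start).rev().map(|n| n.to_string()).collect()
    };
    Some(items)
}

/// Alternatives for one brace group: a range, a comma list, or the literal text.
fn alternatives(group: &str) -> Vec<String> {
    if let Some(r) = try_expand_range(group) {
        return r;
    }
    if group.contains(',') {
        return group.split(',').map(str::to_string).collect();
    }
    vec![format!("{{{}}}", group)] // not expandable (or over cap): keep literal
}

/// Expand a word. Returns None when the cartesian product of all groups would
/// exceed MAX_TOTAL_EXPANSIONS (or a brace is unbalanced); caller treats it as literal.
fn expand_braces(word: &str) -> Option<Vec<String>> {
    let mut parts: Vec<Vec<String>> = Vec::new();
    let mut rest = word;
    while let Some(open) = rest.find('{') {
        let close = open + rest[open..].find('}')?;
        parts.push(vec![rest[..open].to_string()]);
        parts.push(alternatives(&rest[open + 1..close]));
        rest = &rest[close + 1..];
    }
    parts.push(vec![rest.to_string()]);
    // Size check happens before allocating a single output string.
    let total = parts.iter().try_fold(1usize, |acc, p| acc.checked_mul(p.len()))?;
    if total > MAX_TOTAL_EXPANSIONS {
        return None;
    }
    let mut out = vec![String::new()];
    for p in &parts {
        out = out.iter().flat_map(|prefix| p.iter().map(move |s| format!("{prefix}{s}"))).collect();
    }
    Some(out)
}
```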
Tests
Regression test: security_audit_brace_expansion_capped (currently #[ignore])
Cross-references