fix(awk): cap multi-subscript arrays #2055
Merged
Deploying with
| Status | Name | Latest Commit | Preview URL | Updated (UTC) |
|---|---|---|---|---|
| ✅ Deployment successful! View logs | bashkit | 2776e75 | Commit Preview URL Branch Preview URL | Jun 12 2026, 10:08 AM |
Pull request overview
This PR mitigates an awk DoS vector by bounding how many subscripts can appear in a single multi-subscript array key (e.g. a[i,j,k]), preventing unbounded left-deep SUBSEP_CONCAT AST construction and recursive evaluation.
Changes:
- Added a centralized limit constant (AWK_MAX_MULTI_SUBSCRIPTS) for awk multi-subscript array keys.
- Enforced the cap in the awk parser when collecting comma-separated subscripts, returning an error when exceeded.
- Added an end-to-end regression test ensuring excessively long subscript lists are rejected.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| crates/bashkit/src/builtins/limits.rs | Introduces a centralized awk limit for maximum multi-subscript count. |
| crates/bashkit/src/builtins/awk/parser.rs | Applies the new cap while parsing arr[e1,e2,...] to prevent pathological AST growth. |
| crates/bashkit/src/builtins/awk/tests.rs | Adds a regression test verifying rejection when the multi-subscript cap is exceeded. |
Avoids hardcoded 101 drifting from the limit.
Closes #2046
Introduces AWK_MAX_MULTI_SUBSCRIPTS (100) and enforces it at parse time when collecting comma-separated subscripts in arr[e1,e2,...] expressions. The parser rejects any subscript list longer than the cap, preventing pathological left-deep SUBSEP_CONCAT AST construction from adversarial scripts. Adds a regression test that verifies rejection when the cap is exceeded (using AWK_MAX_MULTI_SUBSCRIPTS + 1 so it tracks the constant).
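The cap described in this PR, as an added Rust sketch that is not bashkit's parser code: it shows why N subscripts produce a left-deep tree of depth N and where a parse-time check stops it. Only AWK_MAX_MULTI_SUBSCRIPTS and its value 100 come from the page; `Expr`, `parse_subscripts`, `depth` and `subscript_list` are hypothetical names, and subscripts are simplified to bare identifiers.

```rust
// Added illustration, not bashkit's parser. Only the constant's name and value are from the PR.
const AWK_MAX_MULTI_SUBSCRIPTS: usize = 100;

#[derive(Debug)]
enum Expr {
    Var(String),
    // The left operand holds every earlier subscript, so N subscripts nest N levels deep.
    SubsepConcat(Box<Expr>, Box<Expr>),
}

// Parse the text between `[` and `]` of an array reference (hypothetical helper;
// subscripts are assumed to be bare names with no nested commas).
fn parse_subscripts(src: &str) -> Result<Expr, String> {
    let mut key: Option<Expr> = None;
    for (i, part) in src.split(',').enumerate() {
        let name = part.trim();
        if name.is_empty() { return Err("empty subscript".into()); }
        // Reject before allocating another node, so work stays bounded by the cap.
        if i >= AWK_MAX_MULTI_SUBSCRIPTS {
            return Err(format!("too many array subscripts (max {})", AWK_MAX_MULTI_SUBSCRIPTS));
        }
        let leaf = Expr::Var(name.to_string());
        key = Some(match key {
            None => leaf,
            Some(prev) => Expr::SubsepConcat(Box::new(prev), Box::new(leaf)),
        });
    }
    key.ok_or_else(|| "empty subscript".to_string())
}

// Recursion depth a tree-walking evaluator needs to compute the key.
fn depth(e: &Expr) -> usize {
    match e {
        Expr::Var(_) => 1,
        Expr::SubsepConcat(l, r) => 1 + depth(l).max(depth(r)),
    }
}

// Constructed input: "k0,k1,...,k{n-1}".
fn subscript_list(n: usize) -> String {
    (0..n).map(|i| format!("k{}", i)).collect::<Vec<_>>().join(",")
}

fn main() {
    for n in [3, AWK_MAX_MULTI_SUBSCRIPTS, AWK_MAX_MULTI_SUBSCRIPTS + 1] {
        println!("{n}: {:?}", parse_subscripts(&subscript_list(n)).map(|e| depth(&e)));
    }
}
```

Deriving the over-limit input from the constant, as the PR's regression test does, keeps the boundary case correct if the limit is later changed.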