Merged
Conversation
- #488: Add is_internal_variable() guard to declare/readonly/local/export builtins that previously bypassed the check via direct HashMap insert (TM-INJ-012 to TM-INJ-015) - #489: Add _ARRAY_READ_ and _EVAL_CMD to is_internal_variable() check, preventing arbitrary array creation via marker prefix injection (TM-INJ-016) - #490: Filter internal marker variables from set and declare -p output, preventing information disclosure of nameref/readonly/case markers (TM-INF-017) - #491: Replace native +/-/* operators with wrapping variants in compound assignment paths; clamp shift amounts to 0..63 in <<=/>>=; add i64::MIN/-1 overflow protection for / and % (TM-DOS-043) - #492: Add depth tracking to lexer read_command_subst_into() to prevent stack overflow from deeply nested $() in double-quoted strings (TM-DOS-044) Closes #488, closes #489, closes #490, closes #491, closes #492
Fixes cargo-vet audit failure for ipnet version bump.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes 5 security issues from the 2026-03 audit (batch 1 of 3):
declare/readonly/local/exportbypassis_internal_variable()guard (TM-INJ-012–015)_ARRAY_READ_prefix not protected byis_internal_variable()(TM-INJ-016)setanddeclare -pleak internal marker variables (TM-INF-017)$()in double-quotes (TM-DOS-044)Changes
is_internal_variable()guards to all builtin variable insertion pathsis_internal_variable()with_ARRAY_READ_and_EVAL_CMDsetanddeclare -poutputwrapping_*variants in compound assignmentread_command_subst_into()Test plan
cargo test --all-features)cargo fmt --checkcleancargo clippy --all-targets --all-features -- -D warningscleanCloses #488, closes #489, closes #490, closes #491, closes #492