bashkit 0.5.0

Awesomely fast virtual sandbox with bash and file system
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110

//! Regex size limit tests for grep, sed, and awk builtins
//!
//! Verifies that oversized regex patterns are rejected rather than causing
//! resource exhaustion (issue #984).

use bashkit::Bash;
use std::time::Duration;

/// Helper: generate a large alternation pattern like "1|2|3|...|N"
fn huge_alternation_pattern(n: usize) -> String {
    (1..=n).map(|i| i.to_string()).collect::<Vec<_>>().join("|")
}

fn test_bash() -> Bash {
    Bash::builder()
        .limits(bashkit::ExecutionLimits::new().timeout(Duration::from_secs(10)))
        .build()
}

#[tokio::test]
async fn grep_rejects_huge_regex() {
    let mut bash = test_bash();
    let pattern = huge_alternation_pattern(50_000);
    let script = format!("echo test | grep '{}'", pattern);
    match bash.exec(&script).await {
        Ok(result) => {
            assert_ne!(result.exit_code, 0, "grep should fail with oversized regex");
        }
        Err(e) => {
            let msg = e.to_string();
            assert!(
                msg.contains("size limit") || msg.contains("invalid pattern"),
                "error should mention size limit, got: {}",
                msg
            );
        }
    }
}

#[tokio::test]
async fn grep_accepts_normal_regex() {
    let mut bash = Bash::new();
    let result = bash
        .exec("echo 'hello world' | grep 'hello'")
        .await
        .unwrap();
    assert_eq!(result.exit_code, 0);
    assert_eq!(result.stdout.trim(), "hello world");
}

#[tokio::test]
async fn sed_rejects_huge_regex() {
    let mut bash = test_bash();
    let pattern = huge_alternation_pattern(50_000);
    let script = format!("echo test | sed 's/{}/replaced/'", pattern);
    match bash.exec(&script).await {
        Ok(result) => {
            // sed error propagates through pipeline — the key security
            // property is it completes quickly without resource exhaustion.
            // Depending on how the interpreter handles pipeline errors,
            // exit code may or may not be non-zero.
            assert!(
                result.exit_code != 0 || result.stdout.trim() == "test",
                "sed should either fail or pass input through with oversized regex, \
                 exit={}, stdout='{}'",
                result.exit_code,
                result.stdout.trim()
            );
        }
        Err(e) => {
            let msg = e.to_string();
            assert!(
                msg.contains("size limit") || msg.contains("invalid"),
                "error should mention size limit, got: {}",
                msg
            );
        }
    }
}

#[tokio::test]
async fn awk_rejects_huge_regex_in_match() {
    let mut bash = test_bash();
    let pattern = huge_alternation_pattern(50_000);
    let script = format!(
        "echo test | awk '{{ if (match($0, \"{}\" )) print }}'",
        pattern
    );
    match bash.exec(&script).await {
        Ok(result) => {
            // awk silently handles invalid regex in match() — the key security
            // property is it completes quickly without resource exhaustion.
            assert!(
                result.stdout.trim().is_empty() || result.exit_code != 0,
                "awk should not match with oversized regex, \
                 exit={}, stdout='{}'",
                result.exit_code,
                result.stdout.trim()
            );
        }
        Err(e) => {
            let msg = e.to_string();
            assert!(
                msg.contains("size limit") || msg.contains("invalid"),
                "error should mention size limit, got: {}",
                msg
            );
        }
    }
}