
fix(parser): charge heredoc reinjection to parser fuel#1827

Merged: chaliy merged 1 commit into main from 2026-06-02-fix-quadratic-cpu-dos-in-heredoc-parsing (Jun 2, 2026)

@chaliy chaliy commented Jun 2, 2026

Motivation

  • Heredoc handling re-injected the rest-of-line suffix into the lexer and pushed it character-by-character, allowing many << heredocs on one logical line to repeatedly copy the same suffix and produce O(n^2) CPU work not accounted to parser fuel, enabling a CPU DoS.
  • The intent is to prevent chained heredocs from hiding repeated suffix-copy work outside max_parser_operations while preserving heredoc semantics (pipes/redirects visible after the heredoc body).

Description

  • Added Lexer::read_heredoc_with_strip_metered which returns (content, rest_of_line_chars) so callers know how many characters were re-injected. The existing read_heredoc_with_strip delegates to the new metered helper to preserve the public lexer API and tests.
  • Added Parser::tick_units(units: usize) to consume multiple parser fuel units at once and fail early if fuel/timeouts are insufficient.
  • Parser now calls the metered lexer API and charges the returned rest_of_line_chars to fuel via tick_units(...) in the heredoc paths (both inline trailing-redirect and parse_heredoc_redirect flows), and adjusted parse_trailing_redirects to return Result<Vec<Redirect>> accordingly.
  • Added a unit test test_chained_heredoc_reinjection_consumes_parser_fuel that asserts chained : <<E && : <<E ... scripts consume parser fuel (fail with parser fuel exhausted), and documented the mitigation as TM-DOS-064 in specs/threat-model.md.

Testing

  • Ran cargo fmt --check (passed).
  • Ran targeted parser unit tests cargo test -p bashkit parser:: --lib which passed, including the new regression test test_chained_heredoc_reinjection_consumes_parser_fuel (ok).
  • Ran the full crate unit test suite cargo test -p bashkit --lib which completed successfully (all tests passed).

Codex Task
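
An added illustration of the accounting gap this PR describes, not code from bashkit: a toy model that counts the characters re-injected for a `: <<E && : <<E ...` line and compares charging one fuel unit per heredoc with charging the suffix length. `Fuel`, `reinject_work`, `chained_script` and the budget of 100,000 are assumptions; only the `tick_units` name mirrors the description above.

```rust
// Toy model of chained-heredoc suffix re-injection; NOT bashkit's parser.
// `Fuel`, `reinject_work` and `chained_script` are hypothetical names.

#[derive(Debug, PartialEq)]
struct FuelExhausted;

struct Fuel { remaining: usize }

impl Fuel {
    /// Consume `units` at once; fail without going negative if the budget is short.
    fn tick_units(&mut self, units: usize) -> Result<(), FuelExhausted> {
        self.remaining = self.remaining.checked_sub(units).ok_or(FuelExhausted)?;
        Ok(())
    }
}

/// Build `: <<E && : <<E && ...` with `n` heredocs on one logical line.
fn chained_script(n: usize) -> String {
    vec![": <<E"; n].join(" && ")
}

/// Walk the line; at each `<<E` the rest of the line is copied back into the
/// lexer (modelled here by counting its chars). Returns total chars re-injected.
/// With `metered`, the copy is charged to fuel; otherwise 1 unit per heredoc.
fn reinject_work(line: &str, fuel: &mut Fuel, metered: bool) -> Result<usize, FuelExhausted> {
    let mut copied = 0;
    let mut pos = 0;
    while let Some(off) = line[pos..].find("<<E") {
        let rest_start = pos + off + "<<E".len();
        let rest_of_line_chars = line[rest_start..].chars().count();
        // Charge before doing the copy so an over-budget script stops early.
        fuel.tick_units(if metered { 1 + rest_of_line_chars } else { 1 })?;
        copied += rest_of_line_chars;
        pos = rest_start;
    }
    Ok(copied)
}

fn main() {
    let line = chained_script(1000); // constructed input, 8996 chars
    let budget = 100_000; // assumed limit, not bashkit's default
    let unmetered = reinject_work(&line, &mut Fuel { remaining: budget }, false);
    let metered = reinject_work(&line, &mut Fuel { remaining: budget }, true);
    println!("line length: {} chars", line.len());
    println!("unmetered: {:?}", unmetered); // quadratic copy work stays under budget
    println!("metered:   {:?}", metered); // budget is exhausted instead
}
```

For `n` heredocs the suffix lengths sum to `9 * n * (n - 1) / 2` characters in this model, so a line under 9 KB forces roughly 4.5 million character copies when only the heredoc count is charged.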

cloudflare-workers-and-pages Bot commented Jun 2, 2026

Deploying with Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status: ✅ Deployment successful!
Name: bashkit
Latest Commit: 382417c
Updated (UTC): Jun 02 2026, 09:28 AM

@chaliy chaliy force-pushed the 2026-06-02-fix-quadratic-cpu-dos-in-heredoc-parsing branch from ebfc651 to 382417c Compare June 2, 2026 09:19
@chaliy chaliy merged commit 6bf0d3d into main Jun 2, 2026
34 checks passed
@chaliy chaliy deleted the 2026-06-02-fix-quadratic-cpu-dos-in-heredoc-parsing branch June 2, 2026 13:29