security: _ARRAY_READ_ prefix not protected by is_internal_variable() (TM-INJ-016) #489

@chaliy

Summary

_ARRAY_READ_ prefix is not included in is_internal_variable() at interpreter/mod.rs:7634. Scripts can inject _ARRAY_READ_ markers through any builtin that bypasses the guard (declare, export, etc.), and the post-processing code at interpreter/mod.rs:4042-4057 will create arrays from these markers after any builtin execution.

Impact — HIGH

Arbitrary array creation/overwrite through internal variable prefix injection.

Reproduction

export "_ARRAY_READ_injected=val0\x1Fval1\x1Fval2"
true  # triggers post-processing
echo "${injected[0]} ${injected[1]} ${injected[2]}"  # prints "val0 val1 val2"

Recommended fix

Add _ARRAY_READ_ (and _EVAL_CMD) to is_internal_variable():

fn is_internal_variable(name: &str) -> bool {
    name.starts_with("_NAMEREF_")
        || name.starts_with("_READONLY_")
        || name.starts_with("_UPPER_")
        || name.starts_with("_LOWER_")
        || name.starts_with("_ARRAY_READ_")  // ADD
        || name == "_EVAL_CMD"               // ADD
        || name == "_SHIFT_COUNT"
        || name == "_SET_POSITIONAL"
}

Tests

Regression test: security_audit_array_read_prefix_blocked (currently #[ignore])
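The injection path and the effect of the recommended guard, as an added example that is not the project's code. `Shell`, `assign`, `post_process`, `replay`, `guard_before` and `guard_after` are hypothetical names, and the marker handling is a simplified model assumed from the description above (split on `\x1F`, array named by the suffix).

```rust
use std::collections::HashMap;

// Simplified model (assumption): scalars and arrays live in two maps.
#[derive(Default)]
pub struct Shell {
    pub vars: HashMap<String, String>,
    pub arrays: HashMap<String, Vec<String>>,
}

// Guard without the two entries the issue proposes adding.
pub fn guard_before(name: &str) -> bool {
    ["_NAMEREF_", "_READONLY_", "_UPPER_", "_LOWER_"].iter().any(|p| name.starts_with(*p))
        || name == "_SHIFT_COUNT" || name == "_SET_POSITIONAL"
}

// Guard with the recommended additions.
pub fn guard_after(name: &str) -> bool {
    guard_before(name) || name.starts_with("_ARRAY_READ_") || name == "_EVAL_CMD"
}

impl Shell {
    // Script-facing assignment (export, declare, ...): refuse internal names.
    pub fn assign(&mut self, guard: fn(&str) -> bool, name: &str, value: &str) -> bool {
        if guard(name) { return false; }
        self.vars.insert(name.to_string(), value.to_string());
        true
    }

    // Modelled post-processing: each _ARRAY_READ_<name> marker becomes an
    // array by splitting on the 0x1F unit separator, then the marker is dropped.
    pub fn post_process(&mut self) {
        let markers: Vec<String> = self.vars.keys()
            .filter(|k| k.starts_with("_ARRAY_READ_")).cloned().collect();
        for key in markers {
            let value = self.vars.remove(&key).unwrap();
            let items: Vec<String> = value.split('\x1F').map(String::from).collect();
            self.arrays.insert(key["_ARRAY_READ_".len()..].to_string(), items);
        }
    }
}

// Replays the issue's reproduction and returns the resulting `injected` array.
pub fn replay(guard: fn(&str) -> bool) -> Option<Vec<String>> {
    let mut sh = Shell::default();
    sh.assign(guard, "_ARRAY_READ_injected", "val0\x1Fval1\x1Fval2");
    sh.post_process();
    sh.arrays.get("injected").cloned()
}
fn main() { println!("before: {:?}, after: {:?}", replay(guard_before), replay(guard_after)); }
```

The guard only helps if every script-facing assignment path consults it, which is why the model routes the assignment through `assign`.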

Labels: bug, security
