Summary
read_command_subst_into() in parser/lexer.rs:1109-1188 recurses (together with read_double_quoted()) for every nested $() inside a double-quoted string, with no depth tracking. The parser enforces max_ast_depth, but the lexer runs first and overflows the stack before the parser limit is ever reached.
Impact — HIGH
Process crash (SIGABRT via stack overflow) at roughly 50 nesting levels in a debug build or roughly 200 in a release build. Rust reports a stack overflow as a fatal abort rather than a panic, so catch_unwind cannot recover it; any caller that feeds untrusted input to the lexer is exposed to a crash-on-demand denial of service.
Reproduction
```sh
# ~50 levels of nesting, written out literally (truncated here) -- crashes the process
echo "$(echo "$(echo "$(echo "$(echo "$(echo "$(echo "$(echo "$(echo "$(echo "$(echo "$(echo "$(echo "$(echo "$(echo "$(echo "$(echo "$(echo "$(echo "$(echo "$(echo "$(echo "$(echo "$(echo "$(echo "$(echo "$(echo "$(echo "$(echo "$(echo "$(echo "$(echo "$(echo "$(echo "$(echo "$(echo "$(echo "$(echo "$(echo "$(echo "$(echo "$(echo "$(echo "$(echo "$(echo "$(echo "$(echo "$(echo "$(echo "$(echo "$(echo hi)") ...
```
Recommended fix
Add a depth parameter to read_command_subst_into() and read_double_quoted() that tracks the current nesting level, and return a lexer error as soon as it exceeds a configurable limit (e.g., 50). The check has to live in the lexer: max_ast_depth in the parser never gets a chance to run on this input.
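The shape of that fix, as an added example that is not the project's parser/lexer.rs: a minimal lexer that walks double-quoted strings and $( ... ) substitutions with the same mutual recursion, but threads a depth counter through both functions and returns an error instead of recursing without bound. It also generates the nested reproduction input above programmatically instead of spelling it out. The Lexer type, the function names, the LexError variants and the DEFAULT_MAX_DEPTH constant are assumptions for illustration; single quotes, backticks and heredocs are deliberately ignored to keep the example short.

```rust
// Added example, not the project's lexer. Names and the limit are assumptions.

#[derive(Debug, PartialEq)]
pub enum LexError {
    /// Nesting went past the configured limit; reported instead of overflowing the stack.
    DepthExceeded { depth: usize, limit: usize },
    UnterminatedSubst,
    UnterminatedQuote,
}

/// Hypothetical configurable limit; 50 is the value suggested in this issue.
pub const DEFAULT_MAX_DEPTH: usize = 50;

pub struct Lexer<'a> {
    src: &'a [u8],
    pos: usize,
    max_depth: usize,
}

impl<'a> Lexer<'a> {
    pub fn new(src: &'a str, max_depth: usize) -> Self {
        Lexer { src: src.as_bytes(), pos: 0, max_depth }
    }

    fn next_is(&self, b: u8) -> bool {
        self.src.get(self.pos) == Some(&b)
    }

    /// Scan the whole input at depth 0; returns the deepest $() level seen.
    pub fn lex(&mut self) -> Result<usize, LexError> {
        let mut deepest = 0;
        while let Some(c) = self.src.get(self.pos).copied() {
            self.pos += 1;
            match c {
                b'"' => deepest = deepest.max(self.read_double_quoted(0)?),
                b'$' if self.next_is(b'(') => {
                    self.pos += 1; // consume '('
                    deepest = deepest.max(self.read_command_subst(1)?);
                }
                _ => {}
            }
        }
        Ok(deepest)
    }

    /// Body of a "..." string. It opens no level itself, but any $( inside it
    /// does, so the current depth is passed along rather than reset.
    fn read_double_quoted(&mut self, depth: usize) -> Result<usize, LexError> {
        let mut deepest = depth;
        while let Some(c) = self.src.get(self.pos).copied() {
            self.pos += 1;
            match c {
                b'"' => return Ok(deepest),
                b'\\' => self.pos += 1, // skip the escaped byte
                b'$' if self.next_is(b'(') => {
                    self.pos += 1;
                    deepest = deepest.max(self.read_command_subst(depth + 1)?);
                }
                _ => {}
            }
        }
        Err(LexError::UnterminatedQuote)
    }

    /// Body of a $( ... ) substitution. The depth check sits at the top, before
    /// any further recursion, so the limit bounds stack use on every path.
    fn read_command_subst(&mut self, depth: usize) -> Result<usize, LexError> {
        if depth > self.max_depth {
            return Err(LexError::DepthExceeded { depth, limit: self.max_depth });
        }
        let mut deepest = depth;
        while let Some(c) = self.src.get(self.pos).copied() {
            self.pos += 1;
            match c {
                b')' => return Ok(deepest),
                b'"' => deepest = deepest.max(self.read_double_quoted(depth)?),
                b'$' if self.next_is(b'(') => {
                    self.pos += 1;
                    deepest = deepest.max(self.read_command_subst(depth + 1)?);
                }
                _ => {}
            }
        }
        Err(LexError::UnterminatedSubst)
    }
}

/// Constructed input: `echo "$(echo "$( ... echo hi ... )")"` with `levels`
/// nested substitutions, i.e. the reproduction above generated instead of typed.
pub fn nested_subst(levels: usize) -> String {
    let mut s = String::from("echo hi");
    for _ in 0..levels {
        s = format!("echo \"$({})\"", s);
    }
    s
}

fn main() {
    for levels in [15, 50, 51, 200] {
        let input = nested_subst(levels);
        match Lexer::new(&input, DEFAULT_MAX_DEPTH).lex() {
            Ok(d) => println!("{levels} levels: ok, deepest = {d}"),
            Err(e) => println!("{levels} levels: {e:?}"),
        }
    }
}
```

With the error path in place the depth=50 case from the Tests section no longer needs to be skipped: a regression test can feed nested_subst(51) and assert on DepthExceeded without risking the runner. Two things to keep in mind when porting this: the check must sit at the entry of every function that recurses (here read_command_subst, which both read_double_quoted and the top level call), and the limit should be chosen against the debug-build figure reported above, since a limit of 50 is right at the level where a debug build overflows and leaves no margin for a larger frame size.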
Tests
Active test: security_audit_nested_subst_graceful_error (exercises a safe depth of 15)
The crash at depth=50 is documented but not tested, since a stack overflow would kill the test runner.
Cross-references
- Threat model: TM-DOS-044
- PR: test(security): deep security audit with regression tests #487