security: brace expansion {N..M} has no upper bound (TM-DOS-041, TM-DOS-042) #493

Description

@chaliy

Summary

try_expand_range() at interpreter/mod.rs:8049-8060 expands {N..M} into a Vec with no cap on (M - N). Also, expand_braces() at mod.rs:7967-8035 recurses without limiting the total number of expanded strings from combinatorial patterns.

Impact — HIGH

  • {1..999999999} allocates billions of strings → OOM
  • {1..100}{1..100}{1..100} = 1M strings → OOM
  • Expansion happens before command dispatch, so command limits don't catch it

Reproduction

echo {1..999999999} > /dev/null   # OOM
echo {1..100}{1..100}{1..100}     # 1M strings

Recommended fix

Cap range size in try_expand_range() (e.g., 10,000 elements):

if (end_num - start_num).unsigned_abs() > 10_000 {
    return None; // Treat as literal
}

Cap total expansion count in expand_braces().

Tests

Regression test: security_audit_brace_expansion_capped (currently #[ignore])

Cross-references
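A bounded implementation of the two caps the issue recommends (per-range and total), as an added example rather than the project's own code; the constant values, function names and the `TooManyExpansions` error type are assumptions:

```rust
/// Upper bound on elements from one {N..M} range (assumed value, per the issue's suggestion).
pub const MAX_RANGE_ELEMENTS: usize = 10_000;
/// Upper bound on the total number of strings one word may expand to (assumed value).
pub const MAX_TOTAL_EXPANSIONS: usize = 10_000;

#[derive(Debug, PartialEq)]
pub struct TooManyExpansions(pub usize);

/// Expand "{N..M}" into its elements. Returns None when the token is not a numeric
/// range or when the range exceeds the cap, so the caller keeps it as a literal.
pub fn try_expand_range(token: &str) -> Option<Vec<String>> {
    let (a, b) = token.strip_prefix('{')?.strip_suffix('}')?.split_once("..")?;
    let (start, end): (i64, i64) = (a.parse().ok()?, b.parse().ok()?);
    // Size check before any allocation; checked_sub also rejects spans that overflow i64.
    let span = usize::try_from(end.checked_sub(start)?.unsigned_abs()).ok()?;
    if span >= MAX_RANGE_ELEMENTS {
        return None;
    }
    let step = if start <= end { 1 } else { -1 };
    Some((0..=span as i64).map(|i| (start + i * step).to_string()).collect())
}

/// Split a word into literal and "{...}" segments, expand each, then take the
/// cartesian product, refusing before allocation if the product exceeds the total cap.
pub fn expand_braces(word: &str) -> Result<Vec<String>, TooManyExpansions> {
    let mut groups: Vec<Vec<String>> = Vec::new();
    let mut rest = word;
    while let Some(open) = rest.find('{') {
        let close = match rest[open..].find('}') { Some(c) => c, None => break };
        let (lit, tok) = (&rest[..open], &rest[open..=open + close]);
        if !lit.is_empty() { groups.push(vec![lit.to_string()]); }
        groups.push(try_expand_range(tok).unwrap_or_else(|| vec![tok.to_string()]));
        rest = &rest[open + close + 1..];
    }
    if !rest.is_empty() { groups.push(vec![rest.to_string()]); }
    // The product of group sizes is the final result size; compute it with overflow checks.
    let total = groups.iter().try_fold(1usize, |acc, g| acc.checked_mul(g.len()))
        .ok_or(TooManyExpansions(usize::MAX))?;
    if total > MAX_TOTAL_EXPANSIONS {
        return Err(TooManyExpansions(total));
    }
    let mut out = vec![String::new()];
    for g in &groups {
        out = out.iter().flat_map(|p| g.iter().map(move |s| format!("{p}{s}"))).collect();
    }
    Ok(out)
}
```

With these caps the reproductions from the issue either stay literal (`{1..999999999}`) or are rejected with the would-be count (`{1..100}{1..100}{1..100}` reports 1,000,000) without allocating anything.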

Labels: bug (Something isn't working), security (Security vulnerability or hardening)