security: brace expansion {N..M} has no upper bound on range size (TM-DOS-041, TM-DOS-042) #494

@chaliy

Description

Summary

try_expand_range() at interpreter/mod.rs:8049-8060 expands {N..M} into a Vec with no upper bound on (M - N). Additionally, expand_braces() at :7967-8035 recurses without depth or count limits, enabling combinatorial explosion via chained expansions.

Impact — HIGH

  • {1..999999999} allocates billions of strings → OOM
  • {1..100}{1..100}{1..100} = 1M strings → OOM
  • Brace expansion happens before command dispatch, so execution limits don't help

Recommended fix

  1. Cap range size in try_expand_range() (e.g., max 10,000 elements)
  2. Cap total expansion count in expand_braces() (e.g., max 100,000 total strings)
  3. Return an error or truncate when limits exceeded
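As an added illustration of the three steps above (example code, not the project's own; the function names, the error type and the two cap values are assumptions), a bounded expander that rejects an oversized range before allocating it and checks the size of each cartesian step before building it:

```rust
// Added example, not the project's code; names and caps are assumptions.
const MAX_RANGE_LEN: usize = 10_000; // cap for one {N..M}
const MAX_TOTAL: usize = 100_000; // cap for everything one word expands to

#[derive(Debug, PartialEq)]
pub enum ExpandError { RangeTooLarge(usize), TooManyResults(usize) }

/// `{lo..hi}` as strings; the size check runs before any allocation.
pub fn expand_range(lo: i64, hi: i64) -> Result<Vec<String>, ExpandError> {
    let len = lo.abs_diff(hi).saturating_add(1) as usize;
    if len > MAX_RANGE_LEN {
        return Err(ExpandError::RangeTooLarge(len));
    }
    let (a, b) = if lo <= hi { (lo, hi) } else { (hi, lo) };
    let mut out: Vec<String> = (a..=b).map(|n| n.to_string()).collect();
    if lo > hi { out.reverse(); } // {5..1} counts down, as in a shell
    Ok(out)
}

/// One `{...}` group: a numeric range, else a comma-separated list.
fn expand_group(body: &str) -> Result<Vec<String>, ExpandError> {
    if let Some((lo, hi)) = body.split_once("..") {
        if let (Ok(lo), Ok(hi)) = (lo.parse::<i64>(), hi.parse::<i64>()) {
            return expand_range(lo, hi);
        }
    }
    Ok(body.split(',').map(str::to_string).collect())
}

/// A word with zero or more non-nested groups. The next product's size is
/// checked before it is built, so {1..100}{1..100}{1..100} fails at 1,000,000.
pub fn expand_braces(word: &str) -> Result<Vec<String>, ExpandError> {
    let mut results = vec![String::new()];
    let mut rest = word;
    while let Some(open) = rest.find('{') {
        // an unmatched '{' ends expansion and is kept literally
        let close = match rest[open..].find('}') { Some(c) => open + c, None => break };
        let (literal, body) = (&rest[..open], &rest[open + 1..close]);
        let alts = expand_group(body)?;
        let total = results.len().saturating_mul(alts.len());
        if total > MAX_TOTAL {
            return Err(ExpandError::TooManyResults(total));
        }
        results = results.iter()
            .flat_map(|p| alts.iter().map(move |a| format!("{p}{literal}{a}")))
            .collect();
        rest = &rest[close + 1..];
    }
    Ok(results.into_iter().map(|p| p + rest).collect())
}
```

Because both checks happen before the corresponding allocation, the two inputs from the Impact section return an error without the interpreter ever holding the expanded strings.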

Tests

Regression test (currently #[ignore]):

  • security_audit_brace_expansion_capped

Cross-references

Metadata

Labels: bug (Something isn't working), security (Security vulnerability or hardening)