No regex size/complexity limit in sed, grep, and awk enables resource exhaustion

[chaliy]

Summary

All Regex::new() and RegexBuilder::new() calls in sed, grep, and awk use default settings allowing arbitrarily complex patterns. While the Rust regex crate resists classic ReDoS, it can consume significant memory and CPU time compiling very large patterns. The size_limit() method on RegexBuilder is never used.

Severity: Medium
Category: Denial of Service / ReDoS (TM-DOS)

Affected Files

• crates/bashkit/src/builtins/sed.rs lines 344, 380, 401, 499
• crates/bashkit/src/builtins/grep.rs line 298
• crates/bashkit/src/builtins/awk.rs lines 689, 2165, 2517
• crates/bashkit/src/builtins/search_common.rs line 63

Steps to Reproduce

# Large alternation pattern consuming excessive compile time/memory
pattern=$(seq 1 10000 | tr '\n' '|' | sed 's/|$//')
echo "test" | grep "$pattern"

Impact

CPU and memory exhaustion during regex compilation for user-controlled patterns.

Acceptance Criteria

• Set .size_limit(1_000_000) (1MB) on all RegexBuilder instances
• Set .dfa_size_limit(1_000_000) where applicable
• Return a clear error when pattern exceeds limit
• Test: Multi-megabyte pattern is rejected with error
• Test: Normal patterns still compile and work correctly