Parallel builtin cartesian product enables exponential memory blowup

## Summary

The `cartesian_product()` function in the parallel builtin computes the full cartesian product of all `:::` argument groups with no limit on groups or product size. Multiple groups produce exponentially growing combinations.

**Severity:** Low  
**Category:** Denial of Service / Memory Exhaustion (TM-DOS)

## Affected Files

- `crates/bashkit/src/builtins/parallel.rs` lines 110-127

## Steps to Reproduce

```bash
parallel echo ::: $(seq 1 1000) ::: $(seq 1 1000)
# Attempts to generate 1,000,000 combinations, each a Vec<String>
```

## Impact

Memory and CPU exhaustion from generating massive cartesian products.

## Acceptance Criteria

- [ ] Cap total generated combinations (e.g., 100,000) and return error if exceeded
- [ ] Test: `parallel echo ::: $(seq 1 1000) ::: $(seq 1 1000)` returns error
- [ ] Test: Small cartesian products still work correctly

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Parallel builtin cartesian product enables exponential memory blowup #991

Summary

Affected Files

Steps to Reproduce

Impact

Acceptance Criteria

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Parallel builtin cartesian product enables exponential memory blowup #991

Description

Summary

Affected Files

Steps to Reproduce

Impact

Acceptance Criteria

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions