fix(rg): bound gzip decompression in search-zip mode

[chaliy]

Motivation

• Prevent untrusted gzip payloads from causing unbounded heap growth or OOM when rg -z/--search-zip is used by streaming decompression instead of allocating entire output.
• The previous implementation used read_to_end on a GzDecoder, which allowed small compressed inputs to expand to arbitrarily large decompressed buffers.

Description

• Replace unbounded read_to_end in rg_search_bytes with a chunked read loop that enforces limits. Added RG_GZIP_MAX_DECOMPRESSED_BYTES (10 MiB) and RG_GZIP_MAX_DECOMPRESSION_RATIO (100:1) guards and return read-style errors when exceeded.
• Preserve plain-file behavior when search_zip is disabled or content is not gzip; only gzip path is limited.
• Add focused unit tests and helpers in crates/bashkit/src/builtins/rg/mod.rs that generate gzip payloads and assert the function rejects oversized decompression and suspicious compression ratios.
• Add small test-only imports (flate2::write::GzEncoder, Compression, std::io::Write) and a search_zip_opts() helper to construct RgOptions for tests.

Testing

• Ran cargo test -p bashkit rg_search_zip_rejects -- --nocapture; both new tests passed (rg_search_zip_rejects_large_gzip_decompression and rg_search_zip_rejects_suspicious_decompression_ratio).
• Full test run executed as part of the crate test run; the two targeted tests reported ok and did not regress other unit tests.

---

Codex Task

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Preview URL	Updated (UTC)
✅ Deployment successful! View logs	bashkit	b005660	Commit Preview URL	May 22 2026, 10:20 PM