Skip to content

fix(rg): cap brace alternation recursion depth#1743

Merged
chaliy merged 1 commit into
mainfrom
2026-05-25-propose-fix-for-rg-brace-vulnerability
May 25, 2026
Merged

fix(rg): cap brace alternation recursion depth#1743
chaliy merged 1 commit into
mainfrom
2026-05-25-propose-fix-for-rg-brace-vulnerability

Conversation

@chaliy
Copy link
Copy Markdown
Contributor

@chaliy chaliy commented May 25, 2026

Motivation

  • Brace-alternation parsing in rg’s glob converter recursed unboundedly on attacker-controlled input, enabling CPU exhaustion and stack-overflow aborts.
  • The vuln is reachable from user-controlled inputs (-g, --iglob, --type-add, --ignore-file, etc.) and VFS ignore files, so it must be mitigated at conversion time.
  • The fix needs to stop recursive expansion while preserving normal glob behavior for reasonable inputs.

Description

  • Introduce RG_GLOB_MAX_BRACE_DEPTH and route conversion through a new glob_to_regex_with_depth(pattern, depth) entrypoint to track recursion depth.
  • When the depth cap is reached glob_to_regex_with_depth falls back to returning a literal-escaped regex for the remaining pattern instead of recursing further.
  • Update glob_alternation_to_regex to accept a depth parameter, return None when the cap is reached, and call glob_to_regex_with_depth for each alternative.
  • Add a unit test glob_brace_alternation_depth_limit_does_not_expand_nested_pattern to assert the depth-limit fallback behavior.

Testing

  • Added and ran the unit test rg::tests::glob_brace_alternation_depth_limit_does_not_expand_nested_pattern, which passed.
  • Ran cargo test -p bashkit (library test run) which completed with the test-suite passing for the executed targets in this environment.

Codex Task

@cloudflare-workers-and-pages
Copy link
Copy Markdown

cloudflare-workers-and-pages Bot commented May 25, 2026
edited
Loading

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Preview URL Updated (UTC)
✅ Deployment successful!
View logs		 bashkit afbf3da Commit Preview URL May 25 2026, 04:35 PM

@chaliy
fix(rg): cap brace alternation recursion depth
afbf3da 
Brace-alternation parsing in rg's glob converter recursed unboundedly
on attacker-controlled input, enabling CPU exhaustion and
stack-overflow aborts. Reachable from user-controlled inputs (-g,
--iglob, --type-add, --ignore-file) and VFS ignore files, so mitigated
at conversion time.

Add RG_GLOB_MAX_BRACE_DEPTH (32) and route conversion through
glob_to_regex_with_depth(pattern, depth). At the cap, return a
literal-escaped regex for the remaining pattern instead of recursing
further. glob_alternation_to_regex accepts a recursion_depth parameter
and returns None when the cap is reached.

Rebased on current main; original PR #1743 by chaliy.
@chaliy chaliy force-pushed the 2026-05-25-propose-fix-for-rg-brace-vulnerability branch from 38dac03 to afbf3da Compare May 25, 2026 15:21
@chaliy chaliy merged commit 7e6022b into main May 25, 2026
33 checks passed
@chaliy chaliy deleted the 2026-05-25-propose-fix-for-rg-brace-vulnerability branch May 25, 2026 15:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

aardvark codex

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@chaliy