Skip to content

fix(snapshot): validate restored last background pid#2114

Merged
chaliy merged 1 commit into
mainfrom
2026-06-21-fix-snapshot-memory-limit-validation
Jun 21, 2026
Merged

fix(snapshot): validate restored last background pid#2114
chaliy merged 1 commit into
mainfrom
2026-06-21-fix-snapshot-memory-limit-validation

Conversation

@chaliy

@chaliy chaliy commented Jun 21, 2026

Copy link
Copy Markdown
Contributor

Motivation

  • ShellState::last_bg_pid is now serialized into snapshots but was not validated during restore, allowing a crafted snapshot to set an arbitrarily large or non-numeric $! and bypass memory limits.
  • This can amplify memory pressure when $! is expanded, creating an availability risk under tight MemoryLimits.

Description

  • Add MAX_RESTORED_LAST_BG_PID_LEN and reject restored last_bg_pid that is empty, non-numeric, or longer than the constant. (edit: crates/bashkit/src/interpreter/mod.rs)
  • Include the restored last_bg_pid length in the snapshot-restore MemoryBudget so it counts toward max_total_variable_bytes. (edit: crates/bashkit/src/interpreter/mod.rs)
  • Add an integration regression test snapshot_restore_rejects_invalid_last_bg_pid that tampers shell.last_bg_pid with oversized and non-numeric values and asserts restore failure under tight limits. (edit: crates/bashkit/tests/integration/snapshot_tests.rs)

Testing

  • Ran cargo fmt --check which succeeded.
  • Ran cargo test -p bashkit --test integration snapshot_restore_rejects and the snapshot restore tests including the new snapshot_restore_rejects_invalid_last_bg_pid passed.
  • The added integration test verifies that oversized and non-numeric last_bg_pid values are rejected during restore_snapshot under a small MemoryLimits budget.

Codex Task

Copilot AI review requested due to automatic review settings June 21, 2026 16:28
@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jun 21, 2026
edited
Loading

Copy link
Copy Markdown

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Preview URL Updated (UTC)
✅ Deployment successful!
View logs		 bashkit 80b4433 Commit Preview URL Jun 21 2026, 06:19 PM

Copilot AI reviewed Jun 21, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Hardens snapshot restore by validating ShellState::last_bg_pid (used for $!) and charging its size against snapshot restore memory budgeting to prevent crafted snapshots from injecting oversized or malformed values.

Changes:

  • Add MAX_RESTORED_LAST_BG_PID_LEN and reject restored last_bg_pid values that are empty, non-numeric, or too long.
  • Include restored last_bg_pid length in the computed MemoryBudget for snapshot restore checks.
  • Add an integration regression test that tampers shell.last_bg_pid and expects restore to fail.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
crates/bashkit/src/interpreter/mod.rs Adds validation for restored last_bg_pid and charges its length to the restore-time memory budget.
crates/bashkit/tests/integration/snapshot_tests.rs Adds an integration test that tampers snapshot JSON to set invalid last_bg_pid.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread crates/bashkit/tests/integration/snapshot_tests.rs Outdated
Comment on lines +708 to +714
let limits = MemoryLimits::new().max_total_variable_bytes(1);
let mut restored = Bash::builder().memory_limits(limits).build();
let result = restored.restore_snapshot(&tampered_bytes);
assert!(
result.is_err(),
"restore must reject invalid snapshot-controlled last_bg_pid"
);
Comment thread crates/bashkit/src/interpreter/mod.rs
Comment on lines +2275 to +2277
if let Some(last_bg_pid) = &state.last_bg_pid {
budget.variable_bytes = budget.variable_bytes.saturating_add(last_bg_pid.len());
}
@chaliy chaliy force-pushed the 2026-06-21-fix-snapshot-memory-limit-validation branch from 071f095 to 54e386e Compare June 21, 2026 18:10
@chaliy
fix(snapshot): validate restored last background pid
80b4433 
Reject empty, non-numeric, or oversized restored $! and count it toward
the snapshot restore memory budget, keeping the live budget consistent
after restore. Adds a regression test under permissive limits that asserts
the last_bg_pid validation error.
@chaliy chaliy force-pushed the 2026-06-21-fix-snapshot-memory-limit-validation branch from 54e386e to 80b4433 Compare June 21, 2026 18:18
@chaliy chaliy merged commit 81f505a into main Jun 21, 2026
36 checks passed
@chaliy chaliy deleted the 2026-06-21-fix-snapshot-memory-limit-validation branch June 21, 2026 18:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

aardvark codex

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@chaliy