From e6ab2b3645ccaabeb1e443446a427e7004758159 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marc=20Cornell=C3=A0?=
Date: Thu, 5 Mar 2026 10:29:05 +0100
Subject: [PATCH] feat(dotenv): check for .env file size to prevent DoS

---
 plugins/dotenv/dotenv.plugin.zsh | 13 +++++++++++++
 plugins/dotenv/tests/basic-parsing.zunit | 7 +++++++
 2 files changed, 20 insertions(+)

diff --git a/plugins/dotenv/dotenv.plugin.zsh b/plugins/dotenv/dotenv.plugin.zsh
index edc119af3..7ba6a69d4 100644
--- a/plugins/dotenv/dotenv.plugin.zsh
+++ b/plugins/dotenv/dotenv.plugin.zsh
@@ -25,6 +25,19 @@ parse_dotenv() {
 ;;
 esac
 
+ # Fail if file is too large to avoid DoS
+ zmodload -F zsh/stat b:zstat
+ local -i file_size max_size=10485760 # 10MiB
+ if ! file_size=$(zstat -L +size "$filename" 2>/dev/null); then
+ echo "dotenv: unable to determine size of file '$filename'" >&2
+ return 1
+ fi
+
+ if (( file_size > max_size )); then
+ echo "dotenv: file '$filename' is too large to parse (size: $file_size bytes)" >&2
+ return 1
+ fi
+
 local content node line key value
 local -A parsed_vars
 local -a nodes lines
diff --git a/plugins/dotenv/tests/basic-parsing.zunit b/plugins/dotenv/tests/basic-parsing.zunit
index bbd46e3d6..f91275fba 100644
--- a/plugins/dotenv/tests/basic-parsing.zunit
+++ b/plugins/dotenv/tests/basic-parsing.zunit
@@ -27,6 +27,13 @@
 assert $state equals 1
 }
 
+@test 'parse returns error for oversized file (> 10MiB)' {
+ command truncate -s 11M "$fixture" 2>/dev/null
+
+ run _parse_dotenv_quiet "$fixture" "test"
+ assert $state equals 1
+}
+
 @test 'parse returns error for non-existent file' {
 run _parse_dotenv_quiet "/nonexistent/path/.env" "test"
 assert $state equals 1
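Review bot: `zstat -L` performs an lstat, so when `$filename` is a symbolic link the value compared against `max_size` is the size of the link itself (the length of its target path, a handful of bytes), not the size of the file it points to, and a `.env` symlinked to a multi-gigabyte file passes the new check and is still read in full afterwards. Since this check exists precisely to bound what an untrusted checkout can make the shell read, drop `-L` so the target is measured: `if ! file_size=$(zstat +size "$filename" 2>/dev/null); then`. A size check alone also does not stop a FIFO or device node (size 0) from blocking the read that follows, so unless the `case` above already restricts the path to regular files, guard with `[[ -f "$filename" ]]` before the stat. The stat and the later read are separate operations, so a concurrent swap between them is not prevented; that is probably acceptable for this threat model but deserves a one-line comment next to the check. parse_dotenv() starts and ends outside this hunk.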
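Review bot: The `2>/dev/null` on `command truncate` hides a missing or failing `truncate` (it is not shipped on stock macOS), so when it fails the test silently exercises whatever `$fixture` already contained and reports a result unrelated to the size limit. Make the precondition explicit so a failure is attributable: `command truncate -s 11M "$fixture" || skip 'truncate(1) not available'`, or assert its exit status if this harness has no `skip`. The test also pins only the exit status; if `_parse_dotenv_quiet` leaves stderr visible, `assert "$output" contains 'too large'` would distinguish the size rejection from any other parse error, and a companion case at exactly 10M, which `(( file_size > max_size ))` must accept, would pin the boundary. Whether `$fixture` is recreated before each test is not visible in this hunk.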