linux/ohmyzsh
1
0
Fork 0
mirror of https://github.com/ohmyzsh/ohmyzsh.git synced 2026-05-29 04:53:17 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat(dotenv): check for .env file size to prevent DoS

Browse source
This commit is contained in:
Marc Cornellà 2026-03-05 10:29:05 +01:00
commit e6ab2b3645
2 changed files with 20 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

13
plugins/dotenv/dotenv.plugin.zsh
View file

@ -25,6 +25,19 @@ parse_dotenv() {
;; ;;
esac esac
# Fail if file is too large to avoid DoS
zmodload -F zsh/stat b:zstat
local -i file_size max_size=10485760 # 10MiB
if ! file_size=$(zstat -L +size "$filename" 2>/dev/null); then
echo "dotenv: unable to determine size of file '$filename'" >&2
return 1
fi
if (( file_size > max_size )); then
echo "dotenv: file '$filename' is too large to parse (size: $file_size bytes)" >&2
return 1
fi
local content node line key value local content node line key value
local -A parsed_vars local -A parsed_vars
local -a nodes lines local -a nodes lines

7
plugins/dotenv/tests/basic-parsing.zunit
View file

@ -27,6 +27,13 @@
assert $state equals 1 assert $state equals 1
} }
@test 'parse returns error for oversized file (> 10MiB)' {
command truncate -s 11M "$fixture" 2>/dev/null
run _parse_dotenv_quiet "$fixture" "test"
assert $state equals 1
}
@test 'parse returns error for non-existent file' { @test 'parse returns error for non-existent file' {
run _parse_dotenv_quiet "/nonexistent/path/.env" "test" run _parse_dotenv_quiet "/nonexistent/path/.env" "test"
assert $state equals 1 assert $state equals 1