security: [LOW] Potential DoS via unbounded string concatenation in e2e.sh #3190

@louisgv

Description

File: sh/e2e/e2e.sh
Severity: LOW
Finding: Multiple string concatenation patterns without length bounds

Lines 98-99, 177-178, 390-391, 432-435, 466-468, 479-481, 500-501 use unbounded string concatenation:

CLOUDS="${CLOUDS} $1"
cloud_failed="${cloud_failed} ${agent}"

If AGENTS_TO_TEST or CLOUDS contains thousands of items (e.g., via manifest.json manipulation), these concatenations could consume excessive memory or cause shell performance degradation.

While this is unlikely in practice (manifest.json is version-controlled and small), the pattern could be problematic if copied to contexts with unbounded input.

Recommendation: Use arrays instead of space-delimited strings for collecting agent/cloud names, or add sanity checks on list length.

-- security/shell-scanner
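The array-based collection the recommendation describes, with a length sanity check, as an added example written for this page rather than code from the project's e2e.sh; the function names and the MAX_LIST_LEN bound are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not the repository's e2e.sh): collect agent/cloud names in a
# bash array instead of a space-delimited string, and refuse lists past a cap.
# Function names and the MAX_LIST_LEN bound are assumed for illustration.
set -eo pipefail

MAX_LIST_LEN=${MAX_LIST_LEN:-64}   # assumed upper bound on items per list
CLOUDS_ARR=()                      # array replacing CLOUDS="${CLOUDS} $1"

# Pattern from the report: the string grows without bound and is re-split
# on every use, so thousands of items cost memory and shell time.
add_cloud_string() {
    CLOUDS="${CLOUDS:-} $1"
}

# Array replacement: append one element, but stop growing past the cap.
# Returns 0 on success, 1 when the cap would be exceeded.
add_cloud() {
    if (( ${#CLOUDS_ARR[@]} >= MAX_LIST_LEN )); then
        echo "refusing to add '$1': list already holds ${MAX_LIST_LEN} items" >&2
        return 1
    fi
    CLOUDS_ARR+=("$1")
}

# Sanity check for a whole list (for example one read from manifest.json)
# before it is iterated: check_list_length <name> <item>...
check_list_length() {
    local name=$1; shift
    if (( $# > MAX_LIST_LEN )); then
        echo "${name}: ${#} items exceeds bound ${MAX_LIST_LEN}" >&2
        return 1
    fi
}

# Number of clouds collected so far, for callers that report on the run.
cloud_count() { echo "${#CLOUDS_ARR[@]}"; }
```

Iterate the array with `for c in "${CLOUDS_ARR[@]}"` so names containing spaces are never split.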
