From 67dced2f10d4afd575005ec2d075b05f1f4903a0 Mon Sep 17 00:00:00 2001
From: Claude
Date: Mon, 9 Mar 2026 16:09:32 +0000
Subject: [PATCH 1/2] chore: run maintenance checklist (012-maintenance)

- Add atomic-polyfill advisory ignore in deny.toml (upstream monty dep)
- Fix trap incorrectly listed as security exclusion in compatibility.md
- Update POSIX special built-in count to 14/15 (trap is implemented)
- Update Quick Status table with accurate command counts
- Add custom builtins feature to README.md
- Add 2>&1 to README.md redirections list
- Add Unreleased section to CHANGELOG.md for PR #513

https://claude.ai/code/session_01NdiHcfCjDaa8o5uG1Zebtq
---
 CHANGELOG.md | 6 ++++++
 README.md | 3 ++-
 crates/bashkit/docs/compatibility.md | 22 ++++++++++++++--------
 deny.toml | 3 +++
 specs/009-implementation-status.md | 2 +-
 5 files changed, 26 insertions(+), 10 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index bcd9a1f4..82d1298a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,11 @@
 # Changelog
 
+## [Unreleased]
+
+### What's Changed
+
+* fix: prevent fuzz-found panics on multi-byte input ([#513](https://github.com/everruns/bashkit/pull/513))
+
 ## [0.1.9] - 2026-03-04
 
 ### Highlights
diff --git a/README.md b/README.md
index 29ee094c..c75eb618 100644
--- a/README.md
+++ b/README.md
@@ -15,6 +15,7 @@ Virtual bash interpreter for multi-tenant environments. Written in Rust.
 - **Virtual filesystem** - InMemoryFs, OverlayFs, MountableFs
 - **Resource limits** - Command count, loop iterations, function depth
 - **Network allowlist** - Control HTTP access per-domain
+- **Custom builtins** - Extend with domain-specific commands
 - **Async-first** - Built on tokio
 - **Experimental: Git support** - Virtual git operations on the virtual filesystem (`git` feature)
 - **Experimental: Python support** - Embedded Python interpreter via [Monty](https://github.com/pydantic/monty) (`python` feature)
@@ -88,7 +89,7 @@ async fn main() -> anyhow::Result<()> {
 - Variables and parameter expansion (`$VAR`, `${VAR:-default}`, `${#VAR}`)
 - Command substitution (`$(cmd)`)
 - Arithmetic expansion (`$((1 + 2))`)
-- Pipelines and redirections (`|`, `>`, `>>`, `<`, `<<<`)
+- Pipelines and redirections (`|`, `>`, `>>`, `<`, `<<<`, `2>&1`)
 - Control flow (`if`/`elif`/`else`, `for`, `while`, `case`)
 - Functions (POSIX and bash-style)
 - Arrays (`arr=(a b c)`, `${arr[@]}`, `${#arr[@]}`)
diff --git a/crates/bashkit/docs/compatibility.md b/crates/bashkit/docs/compatibility.md
index 311d1e2b..4d7589af 100644
--- a/crates/bashkit/docs/compatibility.md
+++ b/crates/bashkit/docs/compatibility.md
@@ -19,22 +19,28 @@ for detailed compliance status.
 |----------------|--------|
 | Reserved Words (16) | Full compliance |
 | Special Parameters (8) | Full compliance |
-| Special Built-ins (15) | 13/15 implemented |
+| Special Built-ins (15) | 14/15 implemented |
 | Word Expansions | Substantial compliance |
 | Redirections | Full compliance |
 | Compound Commands | Full compliance |
 
-**Security Exclusions**: `exec` and `trap` are intentionally not implemented
+**Security Exclusions**: `exec` is intentionally not implemented
 for sandbox security reasons. See the compliance spec for details.
 
 ## Quick Status
 
-| Category | Implemented | Planned | Total |
-|----------|-------------|---------|-------|
-| Shell Builtins | 85 | 0 | 85 |
-| Text Processing | 14 | 0 | 14 |
-| File Operations | 10 | 0 | 10 |
-| Network | 2 | 0 | 2 |
+| Category | Count |
+|----------|-------|
+| Core & Navigation | 12 |
+| Flow Control & Variables | 21 |
+| Shell | 7 |
+| Text Processing | 20 |
+| File Operations & Inspection | 17 |
+| Archives & Byte Tools | 6 |
+| Utilities & System | 20 |
+| Network | 2 |
+| Experimental | 3 |
+| **Total** | **~106** |
 
 ---
 
diff --git a/deny.toml b/deny.toml
index 423aab4a..f5e35daa 100644
--- a/deny.toml
+++ b/deny.toml
@@ -37,6 +37,9 @@ ignore = [
 # paste: transitive via bashkit-bench -> statrs -> nalgebra -> simba
 # No security impact; bench-only dependency
 "RUSTSEC-2024-0436",
+ # atomic-polyfill: transitive via monty -> postcard -> heapless
+ # Unmaintained but no security vulnerability; upstream dep we can't control
+ "RUSTSEC-2023-0089",
 ]
 
 [bans]
diff --git a/specs/009-implementation-status.md b/specs/009-implementation-status.md
index 452c1084..944cb9b3 100644
--- a/specs/009-implementation-status.md
+++ b/specs/009-implementation-status.md
@@ -62,7 +62,7 @@ Bashkit implements IEEE 1003.1-2024 Shell Command Language. See
 |----------|--------|-------|
 | Reserved Words | Full | All 16 reserved words supported |
 | Special Parameters | Full | All 8 POSIX parameters supported |
-| Special Built-in Utilities | Substantial | 13/15 implemented (2 excluded) |
+| Special Built-in Utilities | Substantial | 14/15 implemented (1 excluded: exec) |
 | Regular Built-in Utilities | Full | Core set implemented |
 | Quoting | Full | All quoting mechanisms supported |
 | Word Expansions | Substantial | Most expansions supported |

From 5dd6071564c9b2bd9791c078e0a3ee5fc30aac9a Mon Sep 17 00:00:00 2001
From: Claude
Date: Mon, 9 Mar 2026 16:19:05 +0000
Subject: [PATCH 2/2] chore: update cargo-vet exemptions for bumped deps

Add exemptions for minor version bumps:
- libc 0.2.183
- quinn-proto 0.11.14
- socket2 0.6.3
- zerocopy 0.8.41, 0.8.42
- zerocopy-derive 0.8.41, 0.8.42

https://claude.ai/code/session_01NdiHcfCjDaa8o5uG1Zebtq
---
 supply-chain/config.toml | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/supply-chain/config.toml b/supply-chain/config.toml
index 1a74df00..b5c0ad92 100644
--- a/supply-chain/config.toml
+++ b/supply-chain/config.toml
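Review bot: The new ignore for RUSTSEC-2023-0089 carries no condition under which it should be removed, so the atomic-polyfill advisory stays suppressed even after the monty -> postcard -> heapless chain stops resolving that crate. cargo-deny accepts a table form for ignore entries, which keeps the justification attached to the id in `cargo deny check` output instead of only in a comment: `{ id = "RUSTSEC-2023-0089", reason = "unmaintained atomic-polyfill via monty -> postcard -> heapless; drop once that chain no longer resolves it" },`. Because this is an unmaintained notice rather than a vulnerability, the residual risk is that future fixes in atomic-polyfill will never arrive, which is worth stating in the comment so the next maintenance pass re-checks whether the chain still pulls it in. The `ignore = [` array opens above the hunk.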
@@ -646,6 +646,10 @@ criteria = "safe-to-deploy"
 version = "0.2.182"
 criteria = "safe-to-deploy"
 
+[[exemptions.libc]]
+version = "0.2.183"
+criteria = "safe-to-deploy"
+
 [[exemptions.libm]]
 version = "0.2.16"
 criteria = "safe-to-deploy"
@@ -894,6 +898,10 @@ criteria = "safe-to-deploy"
 version = "0.11.13"
 criteria = "safe-to-deploy"
 
+[[exemptions.quinn-proto]]
+version = "0.11.14"
+criteria = "safe-to-deploy"
+
 [[exemptions.quinn-udp]]
 version = "0.5.14"
 criteria = "safe-to-deploy"
@@ -1174,6 +1182,10 @@ criteria = "safe-to-deploy"
 version = "0.6.2"
 criteria = "safe-to-deploy"
 
+[[exemptions.socket2]]
+version = "0.6.3"
+criteria = "safe-to-deploy"
+
 [[exemptions.spin]]
 version = "0.9.8"
 criteria = "safe-to-deploy"
@@ -1738,10 +1750,26 @@ criteria = "safe-to-deploy"
 version = "0.8.40"
 criteria = "safe-to-deploy"
 
+[[exemptions.zerocopy]]
+version = "0.8.41"
+criteria = "safe-to-deploy"
+
+[[exemptions.zerocopy]]
+version = "0.8.42"
+criteria = "safe-to-deploy"
+
 [[exemptions.zerocopy-derive]]
 version = "0.8.40"
 criteria = "safe-to-deploy"
 
+[[exemptions.zerocopy-derive]]
+version = "0.8.41"
+criteria = "safe-to-deploy"
+
+[[exemptions.zerocopy-derive]]
+version = "0.8.42"
+criteria = "safe-to-deploy"
+
 [[exemptions.zerofrom]]
 version = "0.1.6"
 criteria = "safe-to-deploy"
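Review bot: Every new `[[exemptions.*]]` entry in this hunk, and likewise in the libc, quinn-proto and socket2 hunks above it, marks the bumped version `safe-to-deploy` without anyone having reviewed the change, which is the check cargo-vet exists to enforce. For zerocopy and zerocopy-derive, whose whole purpose is unsafe memory reinterpretation, the 0.8.40 -> 0.8.41 -> 0.8.42 deltas are small enough that recording a delta audit with `cargo vet certify` would cost little more than writing the exemption. If the audit is deliberately deferred, say so on the entry so the exemption does not silently become permanent, e.g. `notes = "exempted on version bump; delta audit pending"` under each new `criteria` line. Exempting both 0.8.41 and 0.8.42 may also mean only one of them is actually resolved in Cargo.lock; if so, `cargo vet prune` would drop the unused entry.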