From 1fad28387eb43770f210216ffa0c59a5b48839c4 Mon Sep 17 00:00:00 2001 From: Mykhailo Chalyi Date: Sun, 10 May 2026 09:06:37 +0000 Subject: [PATCH] fix(fuzz): drop arithmetic_fuzz inputs that contain banned debug shapes The nightly fuzz job on main is red. `arithmetic_fuzz` inlines fuzz input directly into `echo $(({input}))`. With unbalanced parens the arithmetic expansion closes early and the remainder is parsed as commands; bash then echoes the unknown command verbatim ("bash: /.rustup/toolchains/gww: No such file or directory"). That is real-shell stderr, not a TM-INF-022 leak. Last run: input bytes contained `/.rustup/toolchains/` literally and the fuzz harness's leak detector tripped on the banned host-path shape. Fix: at the fuzz-input layer, drop inputs that already contain any `UNIVERSAL_BANNED` substring. This keeps TM-INF-022 detection strict on real builtin internals while removing the false-positive class. Mirrors the same fix applied to `glob_fuzz` in #1621. --- .../bashkit/fuzz/fuzz_targets/arithmetic_fuzz.rs | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/crates/bashkit/fuzz/fuzz_targets/arithmetic_fuzz.rs b/crates/bashkit/fuzz/fuzz_targets/arithmetic_fuzz.rs index 8ec129256..5a1ee18f2 100644 --- a/crates/bashkit/fuzz/fuzz_targets/arithmetic_fuzz.rs +++ b/crates/bashkit/fuzz/fuzz_targets/arithmetic_fuzz.rs 
@@ -38,6 +38,21 @@ fuzz_target!(|data: &[u8]| { return; } + // Reject inputs that themselves contain banned substrings — this + // target inlines `input` into `echo $((input))`. With unbalanced + // parens the arithmetic expansion can close early and the + // remainder is parsed as commands; bash then echoes the unknown + // command verbatim ("bash: /.rustup/toolchains/gww: No such file + // or directory"). That is real-shell stderr, not a TM-INF-022 + // leak. Filtering at the fuzz-input layer keeps the harness's + // leak detector strict for real internals while avoiding false + // positives. (Mirrors glob_fuzz.) + for pat in bashkit::testing::UNIVERSAL_BANNED { + if input.contains(pat) { + return; + } + } + // Wrap input in arithmetic expansion context let script = format!("echo $(({}))", input);
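Review bot: the early `return` inside the `for pat in bashkit::testing::UNIVERSAL_BANNED` loop discards the whole input as soon as one banned substring appears in it, so for those inputs no banned shape is checked at all, including shapes that are absent from the input and could only reach the output through a real leak. Consider keeping the input and excluding only the patterns for which `input.contains(pat)` is true when the leak detector inspects the output, so the remaining patterns stay enforced on that run. Separately, the comment says this mirrors glob_fuzz, which means the same filter now lives in two targets; a shared helper next to `UNIVERSAL_BANNED` in `bashkit::testing` would keep the two copies from drifting apart.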