fix(agents): prevent ReDoS in background-session name derivation

clawsweeper[bot] · clawsweeper[bot] · commit 0a38952fc866 · 2026-06-07T19:45:20.000Z
diff --git a/src/agents/bash-tools.shared.test.ts b/src/agents/bash-tools.shared.test.ts
@@ -133,12 +133,14 @@ describe("deriveSessionName", () => {
     expect(deriveSessionName("cmd 'a b\\' next")).toBe("cmd a b\\");
   });
 
-  it("returns a label without catastrophic backtracking on an unterminated quote followed by backslashes", () => {
-    const malicious = `node "${"\\".repeat(50000)}`;
-    const start = process.hrtime.bigint();
-    const label = deriveSessionName(malicious);
-    const elapsedMs = Number(process.hrtime.bigint() - start) / 1e6;
-    expect(typeof label).toBe("string");
-    expect(elapsedMs).toBeLessThan(100);
+  it("returns a label without catastrophic backtracking on unterminated quoted backslash runs", () => {
+    for (const quote of [`"`, `'`]) {
+      const malicious = `node ${quote}${"\\".repeat(50000)}`;
+      const start = process.hrtime.bigint();
+      const label = deriveSessionName(malicious);
+      const elapsedMs = Number(process.hrtime.bigint() - start) / 1e6;
+      expect(typeof label).toBe("string");
+      expect(elapsedMs).toBeLessThan(100);
+    }
   });
 });
