From f515613fa999dcba77aa39dbf2c0cce966d0fed0 Mon Sep 17 00:00:00 2001
From: Matthew DeGuzman <matthew.deguzman@datadoghq.com>
Date: Wed, 22 Apr 2026 11:29:52 -0400
Subject: [PATCH 1/6] fix(interp): block $(<file) to prevent command allowlist
 bypass

The $(<file) POSIX shortcut read files directly from cmdSubst, bypassing
AllowedCommands. Reject any < redirect that is not paired with a command
so the only way to read a file is through an allowed builtin
(e.g. $(cat file)).
---
 SHELL_FEATURES.md                             |   3 +-
 analysis/symbols_interp.go                    |   2 -
 interp/runner_expand.go                       |  56 +-----
 interp/tests/cmdsubst_hardening_test.go       |  12 +-
 interp/tests/cmdsubst_pentest_test.go         |  45 +++--
 interp/tests/cmdsubst_test.go                 |  48 ++++-
 .../tests/redir_input_bypass_pentest_test.go  | 188 ++++++++++++++++++
 interp/validate.go                            |  14 ++
 .../cat_shortcut_bypass.yaml                  |  17 ++
 .../command_substitution/cat_shortcut.yaml    |  11 +-
 .../cat_shortcut_directory.yaml               |  11 +-
 .../cat_shortcut_exit_status.yaml             |  11 +-
 .../cat_shortcut_trailing_newlines.yaml       |   4 +-
 13 files changed, 318 insertions(+), 104 deletions(-)
 create mode 100644 interp/tests/redir_input_bypass_pentest_test.go
 create mode 100644 tests/scenarios/shell/blocked_redirects/cat_shortcut_bypass.yaml

diff --git a/SHELL_FEATURES.md b/SHELL_FEATURES.md
index 0d341544..0693bda0 100644
--- a/SHELL_FEATURES.md
+++ b/SHELL_FEATURES.md
@@ -42,7 +42,8 @@ Blocked features are rejected before execution with exit code 2.
 - ✅ Expansion: `$VAR`, `${VAR}`
 - ✅ `$?` — last exit code (the only supported special variable)
 - ✅ Inline assignment: `VAR=value command` (scoped to that command)
-- ✅ Command substitution: `$(cmd)`, `` `cmd` `` — captures stdout; trailing newlines stripped; `$(<file)` shortcut reads file directly; output capped at 1 MiB
+- ✅ Command substitution: `$(cmd)`, `` `cmd` `` — captures stdout; trailing newlines stripped; output capped at 1 MiB
+- ❌ `$(<file)` shortcut — bypasses the command allowlist; use `$(cat file)` (or another allowed file-reading builtin) instead
 - ❌ Arithmetic expansion: `$(( expr ))`
 - ❌ Array assignment: `arr=(a b c)`, `arr[0]=x`
 - ❌ Append assignment: `VAR+=value`
diff --git a/analysis/symbols_interp.go b/analysis/symbols_interp.go
index 3c52e7d5..01663f1c 100644
--- a/analysis/symbols_interp.go
+++ b/analysis/symbols_interp.go
@@ -30,9 +30,7 @@ var interpAllowedSymbols = []string{
 	"fmt.Fprintln",                // 🟠 writes to an io.Writer with newline; delegates to Write, no filesystem access.
 	"fmt.Sprintf",                 // 🟢 string formatting; pure function, no I/O.
 	"io.Closer",                   // 🟢 interface type for closing; no side effects.
-	"io.Copy",                     // 🟠 copies from Reader to Writer; no filesystem access, delegates to Read/Write.
 	"io.Discard",                  // 🟢 write sink that discards all data; no side effects.
-	"io.LimitReader",              // 🟢 wraps a Reader with a byte cap; pure function, no I/O.
 	"io.Reader",                   // 🟢 interface type for reading; no side effects.
 	"io.ReadWriteCloser",          // 🟢 combined interface type; no side effects.
 	"io.Writer",                   // 🟢 interface type for writing; no side effects.
diff --git a/interp/runner_expand.go b/interp/runner_expand.go
index 42252e19..c11f7080 100644
--- a/interp/runner_expand.go
+++ b/interp/runner_expand.go
@@ -12,7 +12,6 @@ import (
 	"fmt"
 	"io"
 	"io/fs"
-	"os"
 	"strings"
 	"sync"
 
@@ -64,42 +63,18 @@ const MaxGlobReadDirCalls = 10_000
 
 // cmdSubst handles command substitution ($(...) and `...`).
 // It runs the commands in a subshell and writes their stdout to w.
+//
+// The $(<file) POSIX shortcut is intentionally NOT implemented here: it
+// reads file contents without invoking any command and thus bypasses the
+// AllowedCommands allowlist. Scripts that need file contents must invoke
+// an allowed file-reading command explicitly, e.g. $(cat file). Bare
+// input redirection without a command is rejected at validation time by
+// validateRedirectHasCommand.
 func (r *Runner) cmdSubst(w io.Writer, cs *syntax.CmdSubst) error {
 	if len(cs.Stmts) == 0 {
 		return nil
 	}
 
-	// $(<file) shortcut: read file contents directly without a subshell.
-	if word := catShortcutArg(cs.Stmts[0]); word != nil && len(cs.Stmts) == 1 {
-		path := r.literal(word)
-		f, err := r.open(r.ectx, path, os.O_RDONLY, 0, true)
-		if err != nil {
-			// r.open already printed the error; set exit status and
-			// return nil so the expand layer does not double-report.
-			r.lastExpandExit = exitStatus{code: 1}
-			r.lastExit = r.lastExpandExit
-			return nil
-		}
-		defer f.Close()
-		// If the path is a directory, silently produce empty output (matches bash).
-		if st, ok := f.(interface{ Stat() (fs.FileInfo, error) }); ok {
-			if fi, serr := st.Stat(); serr == nil && fi.IsDir() {
-				r.lastExpandExit = exitStatus{code: 0}
-				r.lastExit = r.lastExpandExit
-				return nil
-			}
-		}
-		_, err = io.Copy(w, io.LimitReader(f, maxCmdSubstOutput))
-		var exitCode uint8
-		if err != nil {
-			exitCode = 1
-		}
-		r.lastExpandExit = exitStatus{code: exitCode}
-		r.lastExit = r.lastExpandExit
-		return err
-	}
-
-	// General case: run statements in a subshell, capturing stdout.
 	var buf bytes.Buffer
 	r2 := r.subshell(false)
 	r2.stdout = &limitWriter{w: &buf, limit: maxCmdSubstOutput}
@@ -119,23 +94,6 @@ func (r *Runner) cmdSubst(w io.Writer, cs *syntax.CmdSubst) error {
 	return err
 }
 
-// catShortcutArg detects the $(<file) pattern: a single statement with no
-// command and exactly one input redirection. Returns the redirect word if
-// matched, nil otherwise.
-func catShortcutArg(stmt *syntax.Stmt) *syntax.Word {
-	if stmt.Cmd != nil || stmt.Negated || stmt.Background || stmt.Coprocess || stmt.Disown {
-		return nil
-	}
-	if len(stmt.Redirs) != 1 {
-		return nil
-	}
-	rd := stmt.Redirs[0]
-	if rd.Op != syntax.RdrIn {
-		return nil
-	}
-	return rd.Word
-}
-
 // limitWriter wraps a writer and stops writing after limit bytes.
 // When the limit is exceeded, exceeded is set to true and further writes
 // are silently discarded so that callers do not see spurious short-write
diff --git a/interp/tests/cmdsubst_hardening_test.go b/interp/tests/cmdsubst_hardening_test.go
index 6108727b..b8a13f63 100644
--- a/interp/tests/cmdsubst_hardening_test.go
+++ b/interp/tests/cmdsubst_hardening_test.go
@@ -163,11 +163,13 @@ func TestCmdSubstOutputCapped(t *testing.T) {
 	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
 	defer cancel()
 
-	// Using $(<file) shortcut with a large file — verify truncation via wc -c.
-	// The substitution captures at most 1 MiB (1048576 bytes). Trailing newline
-	// stripping does not apply here because the content has no trailing newlines.
-	// echo adds a newline, so wc -c sees 1048576 + 1 = 1048577.
-	stdout, _, code := cmdSubstRunCtx(ctx, t, `x=$(<big.txt); echo "$x" | wc -c`, dir)
+	// Use $(cat file) with a large file — verify truncation via wc -c.
+	// ($(<file) is rejected at validation because it would bypass the
+	// command allowlist.) The substitution captures at most 1 MiB
+	// (1048576 bytes). Trailing newline stripping does not apply here
+	// because the content has no trailing newlines. echo adds a newline,
+	// so wc -c sees 1048576 + 1 = 1048577.
+	stdout, _, code := cmdSubstRunCtx(ctx, t, `x=$(cat big.txt); echo "$x" | wc -c`, dir)
 	assert.Equal(t, 0, code)
 	// wc -c output may have leading whitespace on some platforms
 	assert.Equal(t, "1048577", strings.TrimSpace(stdout))
diff --git a/interp/tests/cmdsubst_pentest_test.go b/interp/tests/cmdsubst_pentest_test.go
index efc3f7c1..7f538803 100644
--- a/interp/tests/cmdsubst_pentest_test.go
+++ b/interp/tests/cmdsubst_pentest_test.go
@@ -50,18 +50,20 @@ func TestCmdSubstPentestFuncInSubst(t *testing.T) {
 
 func TestCmdSubstPentestPathTraversal(t *testing.T) {
 	dir := t.TempDir()
-	// Attempt to read /etc/passwd via $(<file) - should fail due to sandbox
+	// Attempt to read /etc/passwd via $(<file) — must be rejected at
+	// validation because $(<file) is no longer supported (it bypasses
+	// the command allowlist).
 	_, stderr, code := cmdSubstRun(t, `x=$(<../../../../../../etc/passwd)`, dir)
-	assert.NotEqual(t, 0, code)
-	_ = stderr
+	assert.Equal(t, 2, code)
+	assert.Contains(t, stderr, "< input redirection requires a command")
 }
 
 func TestCmdSubstPentestAbsolutePath(t *testing.T) {
 	dir := t.TempDir()
-	// Absolute path outside sandbox should fail
+	// Absolute path outside sandbox via $(<…) — rejected at validation.
 	_, stderr, code := cmdSubstRun(t, `x=$(<"/etc/hosts")`, dir)
-	assert.NotEqual(t, 0, code)
-	_ = stderr
+	assert.Equal(t, 2, code)
+	assert.Contains(t, stderr, "< input redirection requires a command")
 }
 
 // --- No allowed paths at all ---
@@ -69,10 +71,10 @@ func TestCmdSubstPentestAbsolutePath(t *testing.T) {
 func TestCmdSubstPentestNoAllowedPaths(t *testing.T) {
 	dir := t.TempDir()
 	require.NoError(t, os.WriteFile(filepath.Join(dir, "test.txt"), []byte("data"), 0644))
-	// With no allowed paths, file access should be blocked
+	// $(<file) is rejected regardless of path sandbox state.
 	_, stderr, code := cmdSubstRunWithOpts(t, `x=$(<test.txt)`, dir)
-	assert.NotEqual(t, 0, code)
-	_ = stderr
+	assert.Equal(t, 2, code)
+	assert.Contains(t, stderr, "< input redirection requires a command")
 }
 
 // --- Subshell pentest: exit doesn't kill parent ---
@@ -161,24 +163,29 @@ func TestSubshellPentestBackgroundInSubshell(t *testing.T) {
 	assert.Contains(t, stderr, "background execution (&) is not supported")
 }
 
-// --- Cat shortcut edge cases ---
+// --- Cat shortcut rejection ---
+//
+// The $(<file) POSIX shortcut is rejected at validation because it
+// bypasses the AllowedCommands allowlist. Both directory and empty-file
+// invocations must be blocked symmetrically — there is no case where
+// $(<…) performs an actual read.
 
-func TestCmdSubstPentestCatShortcutDirectory(t *testing.T) {
+func TestCmdSubstPentestCatShortcutDirectoryRejected(t *testing.T) {
 	dir := t.TempDir()
 	require.NoError(t, os.MkdirAll(filepath.Join(dir, "subdir"), 0755))
 	stdout, stderr, code := cmdSubstRun(t, `x=$(<subdir); echo "[$x]"`, dir)
-	// Bash silently produces empty output with exit 0 for $(<dir).
-	assert.Equal(t, 0, code)
-	assert.Equal(t, "[]\n", stdout)
-	assert.Equal(t, "", stderr)
+	assert.Equal(t, 2, code)
+	assert.Equal(t, "", stdout)
+	assert.Contains(t, stderr, "< input redirection requires a command")
 }
 
-func TestCmdSubstPentestCatShortcutEmptyFile(t *testing.T) {
+func TestCmdSubstPentestCatShortcutEmptyFileRejected(t *testing.T) {
 	dir := t.TempDir()
 	require.NoError(t, os.WriteFile(filepath.Join(dir, "empty.txt"), []byte{}, 0644))
-	stdout, _, code := cmdSubstRun(t, `x=$(<empty.txt); echo "[$x]"`, dir)
-	assert.Equal(t, 0, code)
-	assert.Equal(t, "[]\n", stdout)
+	stdout, stderr, code := cmdSubstRun(t, `x=$(<empty.txt); echo "[$x]"`, dir)
+	assert.Equal(t, 2, code)
+	assert.Equal(t, "", stdout)
+	assert.Contains(t, stderr, "< input redirection requires a command")
 }
 
 // --- Subshell with redirect ---
diff --git a/interp/tests/cmdsubst_test.go b/interp/tests/cmdsubst_test.go
index bd40c573..fb49f1dd 100644
--- a/interp/tests/cmdsubst_test.go
+++ b/interp/tests/cmdsubst_test.go
@@ -163,23 +163,49 @@ func TestCmdSubstWordSplitting(t *testing.T) {
 	assert.Equal(t, "[a]\n[b]\n[c]\n", stdout)
 }
 
-// --- $(<file) shortcut ---
-
-func TestCmdSubstCatShortcut(t *testing.T) {
+// --- $(<file) shortcut rejection ---
+//
+// The POSIX $(<file) shortcut is intentionally NOT supported because it
+// reads file contents without invoking any command, bypassing the
+// AllowedCommands allowlist. Scripts must use $(cat file) or an
+// equivalent allowed builtin instead. Both of the tests below verify
+// that the shortcut is rejected at validation (exit code 2) rather
+// than silently performing the read.
+
+func TestCmdSubstCatShortcutRejected(t *testing.T) {
 	dir := t.TempDir()
 	require.NoError(t, os.WriteFile(filepath.Join(dir, "data.txt"), []byte("file content"), 0644))
-	stdout, _, code := cmdSubstRun(t, `x=$(<data.txt); echo "$x"`, dir)
-	assert.Equal(t, 0, code)
-	assert.Equal(t, "file content\n", stdout)
+	stdout, stderr, code := cmdSubstRun(t, `x=$(<data.txt); echo "$x"`, dir)
+	assert.Equal(t, 2, code, "$(<file) must be rejected at validation")
+	assert.Equal(t, "", stdout, "must not emit any file content")
+	assert.Contains(t, stderr, "< input redirection requires a command")
 }
 
-func TestCmdSubstCatShortcutMissingFile(t *testing.T) {
+func TestCmdSubstCatShortcutMissingFileRejected(t *testing.T) {
 	dir := t.TempDir()
-	// Missing file in $(<file) sets $?=1 but does not abort the script.
+	// Even with a nonexistent file, the shortcut must be rejected at
+	// validation before any file access is attempted.
 	stdout, stderr, code := cmdSubstRun(t, `x=$(<nonexistent.txt); echo "$?"`, dir)
-	assert.Equal(t, 0, code, "overall script should succeed")
-	assert.Contains(t, stderr, "no such file")
-	assert.Equal(t, "1\n", stdout, "$? should be 1 from the failed substitution")
+	assert.Equal(t, 2, code)
+	assert.Equal(t, "", stdout)
+	assert.Contains(t, stderr, "< input redirection requires a command")
+}
+
+func TestCmdSubstCatShortcutCommandAllowlistBypass(t *testing.T) {
+	// Regression test for the original vulnerability: with the file in
+	// AllowedPaths but no file-reading commands in the allowlist, the
+	// shortcut must not leak file contents.
+	dir := t.TempDir()
+	require.NoError(t, os.WriteFile(filepath.Join(dir, "secret.txt"), []byte("top secret"), 0644))
+	stdout, stderr, code := cmdSubstRunWithOpts(t,
+		`x=$(<secret.txt); echo "$x"`,
+		dir,
+		interp.AllowedPaths([]string{dir}),
+		interp.AllowedCommands([]string{"rshell:echo"}),
+	)
+	assert.Equal(t, 2, code, "must reject at validation before any read occurs")
+	assert.Equal(t, "", stdout, "must not leak the file contents")
+	assert.Contains(t, stderr, "< input redirection requires a command")
 }
 
 // --- For loop integration ---
diff --git a/interp/tests/redir_input_bypass_pentest_test.go b/interp/tests/redir_input_bypass_pentest_test.go
new file mode 100644
index 00000000..fd9b754c
--- /dev/null
+++ b/interp/tests/redir_input_bypass_pentest_test.go
@@ -0,0 +1,188 @@
+// Unless explicitly stated otherwise all files in this repository are licensed
+// under the Apache License Version 2.0.
+// This product includes software developed at Datadog (https://www.datadoghq.com/).
+// Copyright 2026-present Datadog, Inc.
+
+package tests_test
+
+import (
+	"bytes"
+	"context"
+	"errors"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"mvdan.cc/sh/v3/syntax"
+
+	"github.com/DataDog/rshell/interp"
+)
+
+// Pentest suite for the `$(<file)` command-allowlist bypass.
+//
+// Historical vulnerability: the `$(<file)` POSIX shortcut in command
+// substitution was resolved by reading the file directly from the
+// interpreter, short-circuiting the normal command dispatch. That path
+// never consulted AllowedCommands, so a caller who had `rshell:echo`
+// whitelisted but not `rshell:cat` could still read any file inside
+// AllowedPaths via `x=$(<file); echo "$x"`.
+//
+// The mitigation rejects any `<` input redirect that is not attached to a
+// command. These tests verify every reachable shape of that construct is
+// now blocked at validation (exit 2) before any file I/O occurs, while
+// the legitimate `cmd < file` form keeps working.
+
+// runBypass runs script with AllowedPaths=[dir] and the given allowed
+// commands. It returns stdout, stderr, and exit code.
+func runBypass(t *testing.T, script, dir string, allowedCmds []string) (string, string, int) {
+	t.Helper()
+	parser := syntax.NewParser()
+	prog, err := parser.Parse(strings.NewReader(script), "")
+	if err != nil {
+		return "", err.Error(), 2
+	}
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	var outBuf, errBuf bytes.Buffer
+	opts := []interp.RunnerOption{
+		interp.StdIO(nil, &outBuf, &errBuf),
+		interp.AllowedPaths([]string{dir}),
+		interp.AllowedCommands(allowedCmds),
+	}
+	runner, err := interp.New(opts...)
+	require.NoError(t, err)
+	defer runner.Close()
+	runner.Dir = dir
+
+	err = runner.Run(ctx, prog)
+	exitCode := 0
+	if err != nil {
+		var es interp.ExitStatus
+		if errors.As(err, &es) {
+			exitCode = int(es)
+		} else if ctx.Err() == nil {
+			t.Fatalf("unexpected error: %v", err)
+		}
+	}
+	return outBuf.String(), errBuf.String(), exitCode
+}
+
+// TestPentestInputRedirBypass_OriginalExploit is the exact exploit
+// reported: cat is NOT in the allowlist, but a caller uses $(<file) to
+// read the file anyway.
+func TestPentestInputRedirBypass_OriginalExploit(t *testing.T) {
+	dir := t.TempDir()
+	require.NoError(t, os.WriteFile(filepath.Join(dir, "secret.txt"), []byte("TOP SECRET"), 0644))
+
+	stdout, stderr, code := runBypass(t,
+		`x=$(<secret.txt); echo "$x"`,
+		dir,
+		[]string{"rshell:echo"},
+	)
+	assert.Equal(t, 2, code, "must reject at validation")
+	assert.NotContains(t, stdout, "TOP SECRET", "must not leak file contents")
+	assert.Contains(t, stderr, "< input redirection requires a command")
+}
+
+// TestPentestInputRedirBypass_EvenWithCatAllowed verifies the fix does
+// not depend on which commands are allowed — $(<file) is structurally
+// rejected even when cat is available (users must write $(cat file)).
+func TestPentestInputRedirBypass_EvenWithCatAllowed(t *testing.T) {
+	dir := t.TempDir()
+	require.NoError(t, os.WriteFile(filepath.Join(dir, "data.txt"), []byte("content"), 0644))
+
+	_, stderr, code := runBypass(t,
+		`x=$(<data.txt); echo "$x"`,
+		dir,
+		[]string{"rshell:echo", "rshell:cat"},
+	)
+	assert.Equal(t, 2, code)
+	assert.Contains(t, stderr, "< input redirection requires a command")
+}
+
+// TestPentestInputRedirBypass_VariousShapes exercises every syntactic
+// shape where `<` could appear without an attached command. All must be
+// rejected — if any shape slipped through, it would be a new bypass
+// vector equivalent to the original vulnerability.
+func TestPentestInputRedirBypass_VariousShapes(t *testing.T) {
+	dir := t.TempDir()
+	require.NoError(t, os.WriteFile(filepath.Join(dir, "data.txt"), []byte("leak"), 0644))
+
+	cases := []struct {
+		name   string
+		script string
+	}{
+		{"dollar-paren shortcut", `x=$(<data.txt); echo "$x"`},
+		{"backtick shortcut", "x=`<data.txt`; echo \"$x\""},
+		{"bare redirect", `<data.txt`},
+		{"bare redirect with semicolon", `<data.txt; echo done`},
+		{"brace group bare redirect", `{ <data.txt; }`},
+		{"subshell bare redirect", `( <data.txt )`},
+		{"explicit fd 0 shortcut", `x=$(0<data.txt); echo "$x"`},
+		{"nested in echo", `echo "prefix $(<data.txt) suffix"`},
+		{"in if condition", `if $(<data.txt); then echo yes; fi`},
+		{"in for items", `for x in $(<data.txt); do echo "$x"; done`},
+		{"multiple redirects, one bare <", `<data.txt >/dev/null`},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			stdout, stderr, code := runBypass(t, tc.script, dir, []string{"rshell:echo"})
+			assert.Equal(t, 2, code, "script must be rejected at validation")
+			assert.NotContains(t, stdout, "leak", "file contents must not leak")
+			assert.Contains(t, stderr, "< input redirection requires a command",
+				"rejection message should mention the input redirect rule")
+		})
+	}
+}
+
+// TestPentestInputRedirBypass_NegativeCases verifies we did NOT break
+// the legitimate `cmd < file` form. These must continue to work when
+// the command is in the allowlist.
+func TestPentestInputRedirBypass_NegativeCases(t *testing.T) {
+	dir := t.TempDir()
+	require.NoError(t, os.WriteFile(filepath.Join(dir, "data.txt"), []byte("hello\n"), 0644))
+
+	cases := []struct {
+		name   string
+		script string
+		want   string
+	}{
+		{"cat with <", `cat < data.txt`, "hello\n"},
+		{"head with <", `head < data.txt`, "hello\n"},
+		{"tail with <", `tail < data.txt`, "hello\n"},
+		{"explicit fd 0", `cat 0< data.txt`, "hello\n"},
+		{"in cmdsubst via cat", `x=$(cat < data.txt); echo "$x"`, "hello\n"},
+		{"pipe then <", `cat < data.txt | cat`, "hello\n"},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			stdout, stderr, code := runBypass(t, tc.script, dir,
+				[]string{"rshell:cat", "rshell:head", "rshell:tail", "rshell:echo"})
+			assert.Equal(t, 0, code, "legitimate cmd<file must still work; stderr: %s", stderr)
+			assert.Equal(t, tc.want, stdout)
+		})
+	}
+}
+
+// TestPentestInputRedirBypass_FilesystemUntouched verifies that when
+// $(<file) is rejected at validation, no filesystem read is attempted —
+// even if the target file does not exist, the interpreter emits no
+// "no such file" diagnostic.
+func TestPentestInputRedirBypass_FilesystemUntouched(t *testing.T) {
+	dir := t.TempDir()
+	_, stderr, code := runBypass(t,
+		`x=$(<nonexistent-path.txt); echo "$x"`,
+		dir,
+		[]string{"rshell:echo"},
+	)
+	assert.Equal(t, 2, code)
+	assert.Contains(t, stderr, "< input redirection requires a command")
+	// Validation must short-circuit before any open() — no filesystem
+	// errors should leak in the stderr output.
+	assert.NotContains(t, strings.ToLower(stderr), "no such file")
+}
diff --git a/interp/validate.go b/interp/validate.go
index e04cfcb3..b0d7db6b 100644
--- a/interp/validate.go
+++ b/interp/validate.go
@@ -93,6 +93,20 @@ func validateNode(node syntax.Node) error {
 				err = fmt.Errorf("background execution (&) is not supported")
 				return false
 			}
+			// A `<` input redirection must be paired with a command that
+			// performs the read (e.g. `cat < file`). Without a command,
+			// bash implements the POSIX `$(<file)` shortcut by reading the
+			// file directly — which bypasses the AllowedCommands allowlist.
+			// Reject any bare `<` redirection here so the only way to read
+			// a file is through an allowed builtin.
+			if n.Cmd == nil {
+				for _, rd := range n.Redirs {
+					if rd.Op == syntax.RdrIn {
+						err = fmt.Errorf("< input redirection requires a command (e.g. cat < file); $(<file) is not supported")
+						return false
+					}
+				}
+			}
 
 		// Blocked pipe operators.
 		case *syntax.BinaryCmd:
diff --git a/tests/scenarios/shell/blocked_redirects/cat_shortcut_bypass.yaml b/tests/scenarios/shell/blocked_redirects/cat_shortcut_bypass.yaml
new file mode 100644
index 00000000..17d4cf22
--- /dev/null
+++ b/tests/scenarios/shell/blocked_redirects/cat_shortcut_bypass.yaml
@@ -0,0 +1,17 @@
+description: $(<file) must not bypass the command allowlist — even with the file in allowed_paths and no file-reading commands allowed, the read is rejected at validation.
+skip_assert_against_bash: true
+setup:
+  files:
+    - path: secret.txt
+      content: "top secret"
+input:
+  allowed_paths: ["$DIR"]
+  allowed_commands: ["rshell:echo"]
+  script: |+
+    x=$(<secret.txt)
+    echo "$x"
+expect:
+  stdout: ""
+  stderr_contains:
+    - "< input redirection requires a command"
+  exit_code: 2
diff --git a/tests/scenarios/shell/command_substitution/cat_shortcut.yaml b/tests/scenarios/shell/command_substitution/cat_shortcut.yaml
index 6afc9f4c..57b8880e 100644
--- a/tests/scenarios/shell/command_substitution/cat_shortcut.yaml
+++ b/tests/scenarios/shell/command_substitution/cat_shortcut.yaml
@@ -1,4 +1,5 @@
-description: $(<file) shortcut reads file contents directly.
+description: $(<file) is rejected because it bypasses the command allowlist; use $(cat file) instead.
+skip_assert_against_bash: true
 setup:
   files:
     - path: data.txt
@@ -9,7 +10,7 @@ input:
     x=$(<data.txt)
     echo "$x"
 expect:
-  stdout: |+
-    file content here
-  stderr: ""
-  exit_code: 0
+  stdout: ""
+  stderr_contains:
+    - "< input redirection requires a command"
+  exit_code: 2
diff --git a/tests/scenarios/shell/command_substitution/cat_shortcut_directory.yaml b/tests/scenarios/shell/command_substitution/cat_shortcut_directory.yaml
index c9eff434..1a8e48e6 100644
--- a/tests/scenarios/shell/command_substitution/cat_shortcut_directory.yaml
+++ b/tests/scenarios/shell/command_substitution/cat_shortcut_directory.yaml
@@ -1,4 +1,5 @@
-description: $(<dir) silently produces empty output (matches bash).
+description: $(<dir) is also rejected at validation because it uses the blocked $(<file) shortcut.
+skip_assert_against_bash: true
 setup:
   files:
     - path: subdir/placeholder.txt
@@ -9,7 +10,7 @@ input:
     x=$(<subdir)
     echo "[$x]"
 expect:
-  stdout: |+
-    []
-  stderr: ""
-  exit_code: 0
+  stdout: ""
+  stderr_contains:
+    - "< input redirection requires a command"
+  exit_code: 2
diff --git a/tests/scenarios/shell/command_substitution/cat_shortcut_exit_status.yaml b/tests/scenarios/shell/command_substitution/cat_shortcut_exit_status.yaml
index 8854eb7a..bb231454 100644
--- a/tests/scenarios/shell/command_substitution/cat_shortcut_exit_status.yaml
+++ b/tests/scenarios/shell/command_substitution/cat_shortcut_exit_status.yaml
@@ -1,4 +1,5 @@
-description: $(<file) shortcut resets exit status after prior failed substitution.
+description: $(<file) shortcut is rejected at validation even when combined with other assignments.
+skip_assert_against_bash: true
 setup:
   files:
     - path: ok.txt
@@ -9,7 +10,7 @@ input:
     a=$(false) b=$(<ok.txt)
     echo "$?"
 expect:
-  stdout: |+
-    0
-  stderr: ""
-  exit_code: 0
+  stdout: ""
+  stderr_contains:
+    - "< input redirection requires a command"
+  exit_code: 2
diff --git a/tests/scenarios/shell/command_substitution/cat_shortcut_trailing_newlines.yaml b/tests/scenarios/shell/command_substitution/cat_shortcut_trailing_newlines.yaml
index 1d64e228..2943e956 100644
--- a/tests/scenarios/shell/command_substitution/cat_shortcut_trailing_newlines.yaml
+++ b/tests/scenarios/shell/command_substitution/cat_shortcut_trailing_newlines.yaml
@@ -1,4 +1,4 @@
-description: $(<file) strips trailing newlines from file content.
+description: The $(<file) shortcut is rejected; $(cat file) is the allowed equivalent and still strips trailing newlines.
 setup:
   files:
     - path: trailing.txt
@@ -6,7 +6,7 @@ setup:
 input:
   allowed_paths: ["$DIR"]
   script: |+
-    x=$(<trailing.txt)
+    x=$(cat trailing.txt)
     echo "[$x]"
 expect:
   stdout: |+

From 397aaeba55055adff5dcc7a326e0d34f077aa36c Mon Sep 17 00:00:00 2001
From: Matthew DeGuzman <matthew.deguzman@datadoghq.com>
Date: Wed, 22 Apr 2026 12:53:36 -0400
Subject: [PATCH 2/6] fix(interp): restrict < to file-reading builtins

The previous commit rejected bare < redirects but accepted any command
paired with <. That is broader than needed: `echo < file` would open a
file purely to hand its stdin to a command that ignores it. Narrow the
rule to the 11 file-reading builtins (cat, cut, grep, head, sed, sort,
strings, tail, tr, uniq, wc) so < only applies where reading is the
command's actual purpose. Also reject dynamic command names since they
cannot be validated statically.
---
 SHELL_FEATURES.md                             |   2 +-
 interp/tests/cmdsubst_pentest_test.go         |  10 +-
 interp/tests/cmdsubst_test.go                 |   6 +-
 .../tests/redir_input_bypass_pentest_test.go  | 123 +++++++++++++++++-
 interp/validate.go                            | 113 ++++++++++++++--
 .../cat_shortcut_bypass.yaml                  |   2 +-
 .../input_non_file_reader.yaml                |  16 +++
 .../command_substitution/cat_shortcut.yaml    |   2 +-
 .../cat_shortcut_directory.yaml               |   2 +-
 .../cat_shortcut_exit_status.yaml             |   2 +-
 10 files changed, 248 insertions(+), 30 deletions(-)
 create mode 100644 tests/scenarios/shell/blocked_redirects/input_non_file_reader.yaml

diff --git a/SHELL_FEATURES.md b/SHELL_FEATURES.md
index 0693bda0..b7c35bf5 100644
--- a/SHELL_FEATURES.md
+++ b/SHELL_FEATURES.md
@@ -70,7 +70,7 @@ Blocked features are rejected before execution with exit code 2.
 ## Pipes and Redirections
 
 - ✅ `|` — pipe stdout
-- ✅ `<` — input redirection (read-only, within AllowedPaths)
+- ✅ `<` — input redirection (read-only, within AllowedPaths); only permitted directly on file-reading builtins: `cat`, `cut`, `grep`, `head`, `sed`, `sort`, `strings`, `tail`, `tr`, `uniq`, `wc`
 - ✅ `<<DELIM` — heredoc
 - ✅ `<<-DELIM` — heredoc with tab stripping
 - ✅ `>/dev/null`, `2>/dev/null` — redirect stdout or stderr to /dev/null (output is discarded; only `/dev/null` is allowed as target)
diff --git a/interp/tests/cmdsubst_pentest_test.go b/interp/tests/cmdsubst_pentest_test.go
index 7f538803..58b8161e 100644
--- a/interp/tests/cmdsubst_pentest_test.go
+++ b/interp/tests/cmdsubst_pentest_test.go
@@ -55,7 +55,7 @@ func TestCmdSubstPentestPathTraversal(t *testing.T) {
 	// the command allowlist).
 	_, stderr, code := cmdSubstRun(t, `x=$(<../../../../../../etc/passwd)`, dir)
 	assert.Equal(t, 2, code)
-	assert.Contains(t, stderr, "< input redirection requires a command")
+	assert.Contains(t, stderr, "file-reading command")
 }
 
 func TestCmdSubstPentestAbsolutePath(t *testing.T) {
@@ -63,7 +63,7 @@ func TestCmdSubstPentestAbsolutePath(t *testing.T) {
 	// Absolute path outside sandbox via $(<…) — rejected at validation.
 	_, stderr, code := cmdSubstRun(t, `x=$(<"/etc/hosts")`, dir)
 	assert.Equal(t, 2, code)
-	assert.Contains(t, stderr, "< input redirection requires a command")
+	assert.Contains(t, stderr, "file-reading command")
 }
 
 // --- No allowed paths at all ---
@@ -74,7 +74,7 @@ func TestCmdSubstPentestNoAllowedPaths(t *testing.T) {
 	// $(<file) is rejected regardless of path sandbox state.
 	_, stderr, code := cmdSubstRunWithOpts(t, `x=$(<test.txt)`, dir)
 	assert.Equal(t, 2, code)
-	assert.Contains(t, stderr, "< input redirection requires a command")
+	assert.Contains(t, stderr, "file-reading command")
 }
 
 // --- Subshell pentest: exit doesn't kill parent ---
@@ -176,7 +176,7 @@ func TestCmdSubstPentestCatShortcutDirectoryRejected(t *testing.T) {
 	stdout, stderr, code := cmdSubstRun(t, `x=$(<subdir); echo "[$x]"`, dir)
 	assert.Equal(t, 2, code)
 	assert.Equal(t, "", stdout)
-	assert.Contains(t, stderr, "< input redirection requires a command")
+	assert.Contains(t, stderr, "file-reading command")
 }
 
 func TestCmdSubstPentestCatShortcutEmptyFileRejected(t *testing.T) {
@@ -185,7 +185,7 @@ func TestCmdSubstPentestCatShortcutEmptyFileRejected(t *testing.T) {
 	stdout, stderr, code := cmdSubstRun(t, `x=$(<empty.txt); echo "[$x]"`, dir)
 	assert.Equal(t, 2, code)
 	assert.Equal(t, "", stdout)
-	assert.Contains(t, stderr, "< input redirection requires a command")
+	assert.Contains(t, stderr, "file-reading command")
 }
 
 // --- Subshell with redirect ---
diff --git a/interp/tests/cmdsubst_test.go b/interp/tests/cmdsubst_test.go
index fb49f1dd..57d25339 100644
--- a/interp/tests/cmdsubst_test.go
+++ b/interp/tests/cmdsubst_test.go
@@ -178,7 +178,7 @@ func TestCmdSubstCatShortcutRejected(t *testing.T) {
 	stdout, stderr, code := cmdSubstRun(t, `x=$(<data.txt); echo "$x"`, dir)
 	assert.Equal(t, 2, code, "$(<file) must be rejected at validation")
 	assert.Equal(t, "", stdout, "must not emit any file content")
-	assert.Contains(t, stderr, "< input redirection requires a command")
+	assert.Contains(t, stderr, "file-reading command")
 }
 
 func TestCmdSubstCatShortcutMissingFileRejected(t *testing.T) {
@@ -188,7 +188,7 @@ func TestCmdSubstCatShortcutMissingFileRejected(t *testing.T) {
 	stdout, stderr, code := cmdSubstRun(t, `x=$(<nonexistent.txt); echo "$?"`, dir)
 	assert.Equal(t, 2, code)
 	assert.Equal(t, "", stdout)
-	assert.Contains(t, stderr, "< input redirection requires a command")
+	assert.Contains(t, stderr, "file-reading command")
 }
 
 func TestCmdSubstCatShortcutCommandAllowlistBypass(t *testing.T) {
@@ -205,7 +205,7 @@ func TestCmdSubstCatShortcutCommandAllowlistBypass(t *testing.T) {
 	)
 	assert.Equal(t, 2, code, "must reject at validation before any read occurs")
 	assert.Equal(t, "", stdout, "must not leak the file contents")
-	assert.Contains(t, stderr, "< input redirection requires a command")
+	assert.Contains(t, stderr, "file-reading command")
 }
 
 // --- For loop integration ---
diff --git a/interp/tests/redir_input_bypass_pentest_test.go b/interp/tests/redir_input_bypass_pentest_test.go
index fd9b754c..5651288f 100644
--- a/interp/tests/redir_input_bypass_pentest_test.go
+++ b/interp/tests/redir_input_bypass_pentest_test.go
@@ -86,7 +86,7 @@ func TestPentestInputRedirBypass_OriginalExploit(t *testing.T) {
 	)
 	assert.Equal(t, 2, code, "must reject at validation")
 	assert.NotContains(t, stdout, "TOP SECRET", "must not leak file contents")
-	assert.Contains(t, stderr, "< input redirection requires a command")
+	assert.Contains(t, stderr, "file-reading command")
 }
 
 // TestPentestInputRedirBypass_EvenWithCatAllowed verifies the fix does
@@ -102,7 +102,7 @@ func TestPentestInputRedirBypass_EvenWithCatAllowed(t *testing.T) {
 		[]string{"rshell:echo", "rshell:cat"},
 	)
 	assert.Equal(t, 2, code)
-	assert.Contains(t, stderr, "< input redirection requires a command")
+	assert.Contains(t, stderr, "file-reading command")
 }
 
 // TestPentestInputRedirBypass_VariousShapes exercises every syntactic
@@ -134,7 +134,7 @@ func TestPentestInputRedirBypass_VariousShapes(t *testing.T) {
 			stdout, stderr, code := runBypass(t, tc.script, dir, []string{"rshell:echo"})
 			assert.Equal(t, 2, code, "script must be rejected at validation")
 			assert.NotContains(t, stdout, "leak", "file contents must not leak")
-			assert.Contains(t, stderr, "< input redirection requires a command",
+			assert.Contains(t, stderr, "file-reading command",
 				"rejection message should mention the input redirect rule")
 		})
 	}
@@ -181,8 +181,123 @@ func TestPentestInputRedirBypass_FilesystemUntouched(t *testing.T) {
 		[]string{"rshell:echo"},
 	)
 	assert.Equal(t, 2, code)
-	assert.Contains(t, stderr, "< input redirection requires a command")
+	assert.Contains(t, stderr, "file-reading command")
 	// Validation must short-circuit before any open() — no filesystem
 	// errors should leak in the stderr output.
 	assert.NotContains(t, strings.ToLower(stderr), "no such file")
 }
+
+// TestPentestInputRedir_NonFileReadersRejected verifies that `<` is
+// rejected when paired with a command that does not consume stdin as
+// file content. These commands either ignore stdin (echo/printf/true),
+// operate on path arguments (ls/find), or read kernel pseudo-files
+// (ps/uname) — pairing them with `<` would not be a legitimate file
+// read, only a way to probe AllowedPaths without a stdin consumer.
+func TestPentestInputRedir_NonFileReadersRejected(t *testing.T) {
+	dir := t.TempDir()
+	require.NoError(t, os.WriteFile(filepath.Join(dir, "data.txt"), []byte("leak"), 0644))
+
+	cases := []struct {
+		name   string
+		script string
+	}{
+		{"echo", `echo hi < data.txt`},
+		{"printf", `printf 'x\n' < data.txt`},
+		{"true", `true < data.txt`},
+		{"false", `false < data.txt`},
+		{"ls", `ls < data.txt`},
+		{"ps", `ps < data.txt`},
+		{"uname", `uname < data.txt`},
+		{"find", `find . < data.txt`},
+		{"help", `help < data.txt`},
+		{"test", `test -e data.txt < data.txt`},
+	}
+	allAllowed := []string{
+		"rshell:echo", "rshell:printf", "rshell:true", "rshell:false",
+		"rshell:ls", "rshell:ps", "rshell:uname", "rshell:find",
+		"rshell:help", "rshell:test",
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			stdout, stderr, code := runBypass(t, tc.script, dir, allAllowed)
+			assert.Equal(t, 2, code,
+				"< must be rejected on non-file-reader %q", tc.name)
+			assert.NotContains(t, stdout, "leak",
+				"must not emit file contents when rejecting")
+			assert.Contains(t, stderr, "file-reading command",
+				"rejection should cite the file-reading-command rule")
+		})
+	}
+}
+
+// TestPentestInputRedir_AllFileReadersAccepted verifies that every
+// builtin in the fileReadingCommands allowlist accepts `<`. If a new
+// builtin is added to that set, it belongs here too.
+func TestPentestInputRedir_AllFileReadersAccepted(t *testing.T) {
+	dir := t.TempDir()
+	// Text-only content so every command — including `strings` —
+	// produces a deterministic, non-empty result.
+	require.NoError(t, os.WriteFile(filepath.Join(dir, "data.txt"),
+		[]byte("alpha\nbeta\n"), 0644))
+
+	cases := []struct {
+		cmd    string
+		script string
+	}{
+		{"cat", `cat < data.txt`},
+		{"cut", `cut -c1-2 < data.txt`},
+		{"grep", `grep alpha < data.txt`},
+		{"head", `head -n 1 < data.txt`},
+		{"sed", `sed -n 1p < data.txt`},
+		{"sort", `sort < data.txt`},
+		{"strings", `strings < data.txt`},
+		{"tail", `tail -n 1 < data.txt`},
+		{"tr", `tr a A < data.txt`},
+		{"uniq", `uniq < data.txt`},
+		{"wc", `wc -l < data.txt`},
+	}
+	allAllowed := []string{
+		"rshell:cat", "rshell:cut", "rshell:grep", "rshell:head",
+		"rshell:sed", "rshell:sort", "rshell:strings", "rshell:tail",
+		"rshell:tr", "rshell:uniq", "rshell:wc",
+	}
+	for _, tc := range cases {
+		t.Run(tc.cmd, func(t *testing.T) {
+			stdout, stderr, code := runBypass(t, tc.script, dir, allAllowed)
+			assert.Equal(t, 0, code,
+				"file-reader %q must be allowed to pair with <; stderr: %s",
+				tc.cmd, stderr)
+			assert.NotEmpty(t, stdout,
+				"file-reader %q should produce output when reading data.txt",
+				tc.cmd)
+		})
+	}
+}
+
+// TestPentestInputRedir_DynamicCommandNameRejected guards against
+// indirect invocations (`$CMD < file`, `"cat" < file`) slipping past
+// the static allowlist check. A dynamic command name cannot be
+// validated at parse time, so we reject it outright rather than permit
+// a smuggling vector.
+func TestPentestInputRedir_DynamicCommandNameRejected(t *testing.T) {
+	dir := t.TempDir()
+	require.NoError(t, os.WriteFile(filepath.Join(dir, "data.txt"), []byte("leak"), 0644))
+
+	cases := []struct {
+		name   string
+		script string
+	}{
+		{"variable command", `CMD=cat; $CMD < data.txt`},
+		{"quoted command", `"cat" < data.txt`},
+		{"command with concat", `ca"t" < data.txt`},
+	}
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			stdout, stderr, code := runBypass(t, tc.script, dir,
+				[]string{"rshell:cat"})
+			assert.Equal(t, 2, code)
+			assert.NotContains(t, stdout, "leak")
+			assert.Contains(t, stderr, "file-reading command")
+		})
+	}
+}
diff --git a/interp/validate.go b/interp/validate.go
index b0d7db6b..eb937ff4 100644
--- a/interp/validate.go
+++ b/interp/validate.go
@@ -93,19 +93,9 @@ func validateNode(node syntax.Node) error {
 				err = fmt.Errorf("background execution (&) is not supported")
 				return false
 			}
-			// A `<` input redirection must be paired with a command that
-			// performs the read (e.g. `cat < file`). Without a command,
-			// bash implements the POSIX `$(<file)` shortcut by reading the
-			// file directly — which bypasses the AllowedCommands allowlist.
-			// Reject any bare `<` redirection here so the only way to read
-			// a file is through an allowed builtin.
-			if n.Cmd == nil {
-				for _, rd := range n.Redirs {
-					if rd.Op == syntax.RdrIn {
-						err = fmt.Errorf("< input redirection requires a command (e.g. cat < file); $(<file) is not supported")
-						return false
-					}
-				}
+			if rerr := validateInputRedirection(n); rerr != nil {
+				err = rerr
+				return false
 			}
 
 		// Blocked pipe operators.
@@ -215,6 +205,103 @@ func validateAssign(as *syntax.Assign) error {
 	return nil
 }
 
+// fileReadingCommands enumerates the builtins whose semantics is "read
+// stdin (or a file arg) and process its contents". These are the only
+// commands the `<` input redirection may be applied to — commands that
+// ignore stdin (echo, printf, true, ps, …) cannot be used to smuggle
+// file reads past the AllowedCommands allowlist via constructs like
+// `echo < file` being rewritten into `$(<file)` by the cmdsubst layer.
+//
+// Keep this list in sync with builtins/ — a command belongs here iff
+// its implementation actually consumes stdin as file-like content.
+var fileReadingCommands = map[string]bool{
+	"cat":     true,
+	"cut":     true,
+	"grep":    true,
+	"head":    true,
+	"sed":     true,
+	"sort":    true,
+	"strings": true,
+	"tail":    true,
+	"tr":      true,
+	"uniq":    true,
+	"wc":      true,
+}
+
+// fileReadingCommandList is the human-readable form of the set above,
+// used in validation error messages so callers know which commands are
+// acceptable on the LHS of `<`.
+const fileReadingCommandList = "cat, cut, grep, head, sed, sort, strings, tail, tr, uniq, wc"
+
+// validateInputRedirection enforces the rule that `<` input redirection
+// may only be applied to a simple call to one of the fileReadingCommands
+// builtins. This closes the `$(<file)` bypass and the equivalent
+// bare/compound forms — bash implements that shortcut by reading the
+// file directly, which skips the AllowedCommands check entirely.
+//
+// The rule deliberately requires a static (literal) command name: a
+// dynamic name like `$CMD < file` cannot be validated without running
+// the expansion, so we reject it rather than permit a bypass surface.
+func validateInputRedirection(stmt *syntax.Stmt) error {
+	var in *syntax.Redirect
+	for _, rd := range stmt.Redirs {
+		if rd.Op != syntax.RdrIn {
+			continue
+		}
+		// Non-default fds (e.g. `3< file`) are rejected by
+		// validateRedirect with a more precise error message. Skip them
+		// here so the fd-level diagnostic surfaces instead of this rule.
+		if rd.N != nil && rd.N.Value != "0" {
+			continue
+		}
+		in = rd
+		break
+	}
+	if in == nil {
+		return nil
+	}
+
+	// Bare `< file` with no command — this is the shape used by
+	// `$(<file)`, `( <file )`, `{ <file; }`, etc. and is exactly the
+	// allowlist-bypass path.
+	if stmt.Cmd == nil {
+		return fmt.Errorf("< input redirection requires a file-reading command (%s); bare <file and $(<file) are not supported because they bypass the command allowlist", fileReadingCommandList)
+	}
+
+	// `< file` must attach directly to a simple command, never to a
+	// compound construct like `{ … } < file` or `if … < file`. Those
+	// would apply the redirect transitively to whatever inner command
+	// reads stdin first, which makes it hard to reason about which
+	// command is actually consuming the file.
+	call, ok := stmt.Cmd.(*syntax.CallExpr)
+	if !ok {
+		return fmt.Errorf("< input redirection must be attached directly to a file-reading command (%s), not to a compound statement", fileReadingCommandList)
+	}
+
+	// A CallExpr with only assignments (e.g. `FOO=bar < file`) runs no
+	// command — the redirect has no consumer, so the file read is
+	// unbound. Treat it the same as the bare-< case.
+	if len(call.Args) == 0 {
+		return fmt.Errorf("< input redirection requires a file-reading command (%s); assignment-only statements do not qualify", fileReadingCommandList)
+	}
+
+	// The command name must be a single literal part. Dynamic forms
+	// (variable expansion, command substitution in the name, quoted
+	// words) cannot be validated statically, so we reject them.
+	first := call.Args[0]
+	if len(first.Parts) != 1 {
+		return fmt.Errorf("< input redirection requires a statically-known file-reading command (%s); dynamic command names are not permitted", fileReadingCommandList)
+	}
+	lit, ok := first.Parts[0].(*syntax.Lit)
+	if !ok {
+		return fmt.Errorf("< input redirection requires a statically-known file-reading command (%s); dynamic command names are not permitted", fileReadingCommandList)
+	}
+	if !fileReadingCommands[lit.Value] {
+		return fmt.Errorf("< input redirection is only allowed with file-reading commands (%s); %q is not one of them", fileReadingCommandList, lit.Value)
+	}
+	return nil
+}
+
 func validateRedirect(rd *syntax.Redirect) error {
 	switch rd.Op {
 	case syntax.WordHdoc:
diff --git a/tests/scenarios/shell/blocked_redirects/cat_shortcut_bypass.yaml b/tests/scenarios/shell/blocked_redirects/cat_shortcut_bypass.yaml
index 17d4cf22..bf9167bd 100644
--- a/tests/scenarios/shell/blocked_redirects/cat_shortcut_bypass.yaml
+++ b/tests/scenarios/shell/blocked_redirects/cat_shortcut_bypass.yaml
@@ -13,5 +13,5 @@ input:
 expect:
   stdout: ""
   stderr_contains:
-    - "< input redirection requires a command"
+    - "file-reading command"
   exit_code: 2
diff --git a/tests/scenarios/shell/blocked_redirects/input_non_file_reader.yaml b/tests/scenarios/shell/blocked_redirects/input_non_file_reader.yaml
new file mode 100644
index 00000000..2738e6a7
--- /dev/null
+++ b/tests/scenarios/shell/blocked_redirects/input_non_file_reader.yaml
@@ -0,0 +1,16 @@
+description: < input redirection is rejected when paired with a command that does not read file contents (echo just writes its args).
+skip_assert_against_bash: true
+setup:
+  files:
+    - path: secret.txt
+      content: "do not leak"
+input:
+  allowed_paths: ["$DIR"]
+  allowed_commands: ["rshell:echo"]
+  script: |+
+    echo hi < secret.txt
+expect:
+  stdout: ""
+  stderr_contains:
+    - "file-reading command"
+  exit_code: 2
diff --git a/tests/scenarios/shell/command_substitution/cat_shortcut.yaml b/tests/scenarios/shell/command_substitution/cat_shortcut.yaml
index 57b8880e..7c82f721 100644
--- a/tests/scenarios/shell/command_substitution/cat_shortcut.yaml
+++ b/tests/scenarios/shell/command_substitution/cat_shortcut.yaml
@@ -12,5 +12,5 @@ input:
 expect:
   stdout: ""
   stderr_contains:
-    - "< input redirection requires a command"
+    - "file-reading command"
   exit_code: 2
diff --git a/tests/scenarios/shell/command_substitution/cat_shortcut_directory.yaml b/tests/scenarios/shell/command_substitution/cat_shortcut_directory.yaml
index 1a8e48e6..318b374e 100644
--- a/tests/scenarios/shell/command_substitution/cat_shortcut_directory.yaml
+++ b/tests/scenarios/shell/command_substitution/cat_shortcut_directory.yaml
@@ -12,5 +12,5 @@ input:
 expect:
   stdout: ""
   stderr_contains:
-    - "< input redirection requires a command"
+    - "file-reading command"
   exit_code: 2
diff --git a/tests/scenarios/shell/command_substitution/cat_shortcut_exit_status.yaml b/tests/scenarios/shell/command_substitution/cat_shortcut_exit_status.yaml
index bb231454..9cd2e60f 100644
--- a/tests/scenarios/shell/command_substitution/cat_shortcut_exit_status.yaml
+++ b/tests/scenarios/shell/command_substitution/cat_shortcut_exit_status.yaml
@@ -12,5 +12,5 @@ input:
 expect:
   stdout: ""
   stderr_contains:
-    - "< input redirection requires a command"
+    - "file-reading command"
   exit_code: 2

From ebc4a66d7e110ed6fffdce84f2fb796bba936f62 Mon Sep 17 00:00:00 2001
From: Matthew DeGuzman <matthew.deguzman@datadoghq.com>
Date: Wed, 22 Apr 2026 13:06:41 -0400
Subject: [PATCH 3/6] fix(interp): gate $(<file) shortcut on cat being in the
 allowlist

Revert the overly-broad validation that blocked $(<file) entirely and
restricted < to a fixed set of commands. The report's remediation keeps
the shortcut functional but checks AllowedCommands at runtime: $(<file)
is treated as an implicit $(cat file), so the read only proceeds when
cat is allowed. This matches bash semantics and keeps legitimate uses
working while closing the original allowlist bypass.
---
 SHELL_FEATURES.md                             |   5 +-
 analysis/symbols_interp.go                    |   2 +
 interp/runner_expand.go                       |  67 ++++-
 interp/tests/cmdsubst_hardening_test.go       |  12 +-
 interp/tests/cmdsubst_pentest_test.go         |  45 ++-
 interp/tests/cmdsubst_test.go                 |  63 +++--
 .../tests/redir_input_bypass_pentest_test.go  | 262 +++++-------------
 interp/validate.go                            | 101 -------
 .../cat_shortcut_bypass.yaml                  |  10 +-
 .../input_non_file_reader.yaml                |  16 --
 .../command_substitution/cat_shortcut.yaml    |  11 +-
 .../cat_shortcut_directory.yaml               |  11 +-
 .../cat_shortcut_exit_status.yaml             |  11 +-
 .../cat_shortcut_trailing_newlines.yaml       |   4 +-
 14 files changed, 217 insertions(+), 403 deletions(-)
 delete mode 100644 tests/scenarios/shell/blocked_redirects/input_non_file_reader.yaml

diff --git a/SHELL_FEATURES.md b/SHELL_FEATURES.md
index b7c35bf5..7c7a7aea 100644
--- a/SHELL_FEATURES.md
+++ b/SHELL_FEATURES.md
@@ -42,8 +42,7 @@ Blocked features are rejected before execution with exit code 2.
 - ✅ Expansion: `$VAR`, `${VAR}`
 - ✅ `$?` — last exit code (the only supported special variable)
 - ✅ Inline assignment: `VAR=value command` (scoped to that command)
-- ✅ Command substitution: `$(cmd)`, `` `cmd` `` — captures stdout; trailing newlines stripped; output capped at 1 MiB
-- ❌ `$(<file)` shortcut — bypasses the command allowlist; use `$(cat file)` (or another allowed file-reading builtin) instead
+- ✅ Command substitution: `$(cmd)`, `` `cmd` `` — captures stdout; trailing newlines stripped; `$(<file)` shortcut reads file directly (gated on `cat` being in the command allowlist); output capped at 1 MiB
 - ❌ Arithmetic expansion: `$(( expr ))`
 - ❌ Array assignment: `arr=(a b c)`, `arr[0]=x`
 - ❌ Append assignment: `VAR+=value`
@@ -70,7 +69,7 @@ Blocked features are rejected before execution with exit code 2.
 ## Pipes and Redirections
 
 - ✅ `|` — pipe stdout
-- ✅ `<` — input redirection (read-only, within AllowedPaths); only permitted directly on file-reading builtins: `cat`, `cut`, `grep`, `head`, `sed`, `sort`, `strings`, `tail`, `tr`, `uniq`, `wc`
+- ✅ `<` — input redirection (read-only, within AllowedPaths)
 - ✅ `<<DELIM` — heredoc
 - ✅ `<<-DELIM` — heredoc with tab stripping
 - ✅ `>/dev/null`, `2>/dev/null` — redirect stdout or stderr to /dev/null (output is discarded; only `/dev/null` is allowed as target)
diff --git a/analysis/symbols_interp.go b/analysis/symbols_interp.go
index 01663f1c..3c52e7d5 100644
--- a/analysis/symbols_interp.go
+++ b/analysis/symbols_interp.go
@@ -30,7 +30,9 @@ var interpAllowedSymbols = []string{
 	"fmt.Fprintln",                // 🟠 writes to an io.Writer with newline; delegates to Write, no filesystem access.
 	"fmt.Sprintf",                 // 🟢 string formatting; pure function, no I/O.
 	"io.Closer",                   // 🟢 interface type for closing; no side effects.
+	"io.Copy",                     // 🟠 copies from Reader to Writer; no filesystem access, delegates to Read/Write.
 	"io.Discard",                  // 🟢 write sink that discards all data; no side effects.
+	"io.LimitReader",              // 🟢 wraps a Reader with a byte cap; pure function, no I/O.
 	"io.Reader",                   // 🟢 interface type for reading; no side effects.
 	"io.ReadWriteCloser",          // 🟢 combined interface type; no side effects.
 	"io.Writer",                   // 🟢 interface type for writing; no side effects.
diff --git a/interp/runner_expand.go b/interp/runner_expand.go
index c11f7080..ef46d64f 100644
--- a/interp/runner_expand.go
+++ b/interp/runner_expand.go
@@ -12,6 +12,7 @@ import (
 	"fmt"
 	"io"
 	"io/fs"
+	"os"
 	"strings"
 	"sync"
 
@@ -64,17 +65,54 @@ const MaxGlobReadDirCalls = 10_000
 // cmdSubst handles command substitution ($(...) and `...`).
 // It runs the commands in a subshell and writes their stdout to w.
 //
-// The $(<file) POSIX shortcut is intentionally NOT implemented here: it
-// reads file contents without invoking any command and thus bypasses the
-// AllowedCommands allowlist. Scripts that need file contents must invoke
-// an allowed file-reading command explicitly, e.g. $(cat file). Bare
-// input redirection without a command is rejected at validation time by
-// validateRedirectHasCommand.
+// Special case: the POSIX `$(<file)` shortcut reads file contents
+// directly without spawning a subshell. Because that path performs a
+// file read without invoking any command, it would bypass the
+// AllowedCommands allowlist if left unchecked. We therefore gate the
+// shortcut on `cat` being an allowed command — `$(<file)` is treated as
+// an implicit `$(cat file)` for allowlist purposes.
 func (r *Runner) cmdSubst(w io.Writer, cs *syntax.CmdSubst) error {
 	if len(cs.Stmts) == 0 {
 		return nil
 	}
 
+	// $(<file) shortcut: read file contents directly without a subshell.
+	if word := catShortcutArg(cs.Stmts[0]); word != nil && len(cs.Stmts) == 1 {
+		if !r.allowAllCommands && !r.allowedCommands["cat"] {
+			r.errf("$(<file): file read not permitted (cat not in allowed commands)\n")
+			r.lastExpandExit = exitStatus{code: 1}
+			r.lastExit = r.lastExpandExit
+			return nil
+		}
+		path := r.literal(word)
+		f, err := r.open(r.ectx, path, os.O_RDONLY, 0, true)
+		if err != nil {
+			// r.open already printed the error; set exit status and
+			// return nil so the expand layer does not double-report.
+			r.lastExpandExit = exitStatus{code: 1}
+			r.lastExit = r.lastExpandExit
+			return nil
+		}
+		defer f.Close()
+		// If the path is a directory, silently produce empty output (matches bash).
+		if st, ok := f.(interface{ Stat() (fs.FileInfo, error) }); ok {
+			if fi, serr := st.Stat(); serr == nil && fi.IsDir() {
+				r.lastExpandExit = exitStatus{code: 0}
+				r.lastExit = r.lastExpandExit
+				return nil
+			}
+		}
+		_, err = io.Copy(w, io.LimitReader(f, maxCmdSubstOutput))
+		var exitCode uint8
+		if err != nil {
+			exitCode = 1
+		}
+		r.lastExpandExit = exitStatus{code: exitCode}
+		r.lastExit = r.lastExpandExit
+		return err
+	}
+
+	// General case: run statements in a subshell, capturing stdout.
 	var buf bytes.Buffer
 	r2 := r.subshell(false)
 	r2.stdout = &limitWriter{w: &buf, limit: maxCmdSubstOutput}
@@ -94,6 +132,23 @@ func (r *Runner) cmdSubst(w io.Writer, cs *syntax.CmdSubst) error {
 	return err
 }
 
+// catShortcutArg detects the $(<file) pattern: a single statement with no
+// command and exactly one input redirection. Returns the redirect word if
+// matched, nil otherwise.
+func catShortcutArg(stmt *syntax.Stmt) *syntax.Word {
+	if stmt.Cmd != nil || stmt.Negated || stmt.Background || stmt.Coprocess || stmt.Disown {
+		return nil
+	}
+	if len(stmt.Redirs) != 1 {
+		return nil
+	}
+	rd := stmt.Redirs[0]
+	if rd.Op != syntax.RdrIn {
+		return nil
+	}
+	return rd.Word
+}
+
 // limitWriter wraps a writer and stops writing after limit bytes.
 // When the limit is exceeded, exceeded is set to true and further writes
 // are silently discarded so that callers do not see spurious short-write
diff --git a/interp/tests/cmdsubst_hardening_test.go b/interp/tests/cmdsubst_hardening_test.go
index b8a13f63..6108727b 100644
--- a/interp/tests/cmdsubst_hardening_test.go
+++ b/interp/tests/cmdsubst_hardening_test.go
@@ -163,13 +163,11 @@ func TestCmdSubstOutputCapped(t *testing.T) {
 	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
 	defer cancel()
 
-	// Use $(cat file) with a large file — verify truncation via wc -c.
-	// ($(<file) is rejected at validation because it would bypass the
-	// command allowlist.) The substitution captures at most 1 MiB
-	// (1048576 bytes). Trailing newline stripping does not apply here
-	// because the content has no trailing newlines. echo adds a newline,
-	// so wc -c sees 1048576 + 1 = 1048577.
-	stdout, _, code := cmdSubstRunCtx(ctx, t, `x=$(cat big.txt); echo "$x" | wc -c`, dir)
+	// Using $(<file) shortcut with a large file — verify truncation via wc -c.
+	// The substitution captures at most 1 MiB (1048576 bytes). Trailing newline
+	// stripping does not apply here because the content has no trailing newlines.
+	// echo adds a newline, so wc -c sees 1048576 + 1 = 1048577.
+	stdout, _, code := cmdSubstRunCtx(ctx, t, `x=$(<big.txt); echo "$x" | wc -c`, dir)
 	assert.Equal(t, 0, code)
 	// wc -c output may have leading whitespace on some platforms
 	assert.Equal(t, "1048577", strings.TrimSpace(stdout))
diff --git a/interp/tests/cmdsubst_pentest_test.go b/interp/tests/cmdsubst_pentest_test.go
index 58b8161e..efc3f7c1 100644
--- a/interp/tests/cmdsubst_pentest_test.go
+++ b/interp/tests/cmdsubst_pentest_test.go
@@ -50,20 +50,18 @@ func TestCmdSubstPentestFuncInSubst(t *testing.T) {
 
 func TestCmdSubstPentestPathTraversal(t *testing.T) {
 	dir := t.TempDir()
-	// Attempt to read /etc/passwd via $(<file) — must be rejected at
-	// validation because $(<file) is no longer supported (it bypasses
-	// the command allowlist).
+	// Attempt to read /etc/passwd via $(<file) - should fail due to sandbox
 	_, stderr, code := cmdSubstRun(t, `x=$(<../../../../../../etc/passwd)`, dir)
-	assert.Equal(t, 2, code)
-	assert.Contains(t, stderr, "file-reading command")
+	assert.NotEqual(t, 0, code)
+	_ = stderr
 }
 
 func TestCmdSubstPentestAbsolutePath(t *testing.T) {
 	dir := t.TempDir()
-	// Absolute path outside sandbox via $(<…) — rejected at validation.
+	// Absolute path outside sandbox should fail
 	_, stderr, code := cmdSubstRun(t, `x=$(<"/etc/hosts")`, dir)
-	assert.Equal(t, 2, code)
-	assert.Contains(t, stderr, "file-reading command")
+	assert.NotEqual(t, 0, code)
+	_ = stderr
 }
 
 // --- No allowed paths at all ---
@@ -71,10 +69,10 @@ func TestCmdSubstPentestAbsolutePath(t *testing.T) {
 func TestCmdSubstPentestNoAllowedPaths(t *testing.T) {
 	dir := t.TempDir()
 	require.NoError(t, os.WriteFile(filepath.Join(dir, "test.txt"), []byte("data"), 0644))
-	// $(<file) is rejected regardless of path sandbox state.
+	// With no allowed paths, file access should be blocked
 	_, stderr, code := cmdSubstRunWithOpts(t, `x=$(<test.txt)`, dir)
-	assert.Equal(t, 2, code)
-	assert.Contains(t, stderr, "file-reading command")
+	assert.NotEqual(t, 0, code)
+	_ = stderr
 }
 
 // --- Subshell pentest: exit doesn't kill parent ---
@@ -163,29 +161,24 @@ func TestSubshellPentestBackgroundInSubshell(t *testing.T) {
 	assert.Contains(t, stderr, "background execution (&) is not supported")
 }
 
-// --- Cat shortcut rejection ---
-//
-// The $(<file) POSIX shortcut is rejected at validation because it
-// bypasses the AllowedCommands allowlist. Both directory and empty-file
-// invocations must be blocked symmetrically — there is no case where
-// $(<…) performs an actual read.
+// --- Cat shortcut edge cases ---
 
-func TestCmdSubstPentestCatShortcutDirectoryRejected(t *testing.T) {
+func TestCmdSubstPentestCatShortcutDirectory(t *testing.T) {
 	dir := t.TempDir()
 	require.NoError(t, os.MkdirAll(filepath.Join(dir, "subdir"), 0755))
 	stdout, stderr, code := cmdSubstRun(t, `x=$(<subdir); echo "[$x]"`, dir)
-	assert.Equal(t, 2, code)
-	assert.Equal(t, "", stdout)
-	assert.Contains(t, stderr, "file-reading command")
+	// Bash silently produces empty output with exit 0 for $(<dir).
+	assert.Equal(t, 0, code)
+	assert.Equal(t, "[]\n", stdout)
+	assert.Equal(t, "", stderr)
 }
 
-func TestCmdSubstPentestCatShortcutEmptyFileRejected(t *testing.T) {
+func TestCmdSubstPentestCatShortcutEmptyFile(t *testing.T) {
 	dir := t.TempDir()
 	require.NoError(t, os.WriteFile(filepath.Join(dir, "empty.txt"), []byte{}, 0644))
-	stdout, stderr, code := cmdSubstRun(t, `x=$(<empty.txt); echo "[$x]"`, dir)
-	assert.Equal(t, 2, code)
-	assert.Equal(t, "", stdout)
-	assert.Contains(t, stderr, "file-reading command")
+	stdout, _, code := cmdSubstRun(t, `x=$(<empty.txt); echo "[$x]"`, dir)
+	assert.Equal(t, 0, code)
+	assert.Equal(t, "[]\n", stdout)
 }
 
 // --- Subshell with redirect ---
diff --git a/interp/tests/cmdsubst_test.go b/interp/tests/cmdsubst_test.go
index 57d25339..bb098a0d 100644
--- a/interp/tests/cmdsubst_test.go
+++ b/interp/tests/cmdsubst_test.go
@@ -163,49 +163,58 @@ func TestCmdSubstWordSplitting(t *testing.T) {
 	assert.Equal(t, "[a]\n[b]\n[c]\n", stdout)
 }
 
-// --- $(<file) shortcut rejection ---
-//
-// The POSIX $(<file) shortcut is intentionally NOT supported because it
-// reads file contents without invoking any command, bypassing the
-// AllowedCommands allowlist. Scripts must use $(cat file) or an
-// equivalent allowed builtin instead. Both of the tests below verify
-// that the shortcut is rejected at validation (exit code 2) rather
-// than silently performing the read.
-
-func TestCmdSubstCatShortcutRejected(t *testing.T) {
+// --- $(<file) shortcut ---
+
+func TestCmdSubstCatShortcut(t *testing.T) {
 	dir := t.TempDir()
 	require.NoError(t, os.WriteFile(filepath.Join(dir, "data.txt"), []byte("file content"), 0644))
-	stdout, stderr, code := cmdSubstRun(t, `x=$(<data.txt); echo "$x"`, dir)
-	assert.Equal(t, 2, code, "$(<file) must be rejected at validation")
-	assert.Equal(t, "", stdout, "must not emit any file content")
-	assert.Contains(t, stderr, "file-reading command")
+	stdout, _, code := cmdSubstRun(t, `x=$(<data.txt); echo "$x"`, dir)
+	assert.Equal(t, 0, code)
+	assert.Equal(t, "file content\n", stdout)
 }
 
-func TestCmdSubstCatShortcutMissingFileRejected(t *testing.T) {
+func TestCmdSubstCatShortcutMissingFile(t *testing.T) {
 	dir := t.TempDir()
-	// Even with a nonexistent file, the shortcut must be rejected at
-	// validation before any file access is attempted.
+	// Missing file in $(<file) sets $?=1 but does not abort the script.
 	stdout, stderr, code := cmdSubstRun(t, `x=$(<nonexistent.txt); echo "$?"`, dir)
-	assert.Equal(t, 2, code)
-	assert.Equal(t, "", stdout)
-	assert.Contains(t, stderr, "file-reading command")
+	assert.Equal(t, 0, code, "overall script should succeed")
+	assert.Contains(t, stderr, "no such file")
+	assert.Equal(t, "1\n", stdout, "$? should be 1 from the failed substitution")
 }
 
+// TestCmdSubstCatShortcutCommandAllowlistBypass is the regression test
+// for the original vulnerability: $(<file) must be gated on `cat` being
+// in AllowedCommands. With the file in AllowedPaths but cat absent from
+// the allowlist, the shortcut must refuse to read.
 func TestCmdSubstCatShortcutCommandAllowlistBypass(t *testing.T) {
-	// Regression test for the original vulnerability: with the file in
-	// AllowedPaths but no file-reading commands in the allowlist, the
-	// shortcut must not leak file contents.
 	dir := t.TempDir()
 	require.NoError(t, os.WriteFile(filepath.Join(dir, "secret.txt"), []byte("top secret"), 0644))
 	stdout, stderr, code := cmdSubstRunWithOpts(t,
-		`x=$(<secret.txt); echo "$x"`,
+		`x=$(<secret.txt); echo "[$x]"`,
 		dir,
 		interp.AllowedPaths([]string{dir}),
 		interp.AllowedCommands([]string{"rshell:echo"}),
 	)
-	assert.Equal(t, 2, code, "must reject at validation before any read occurs")
-	assert.Equal(t, "", stdout, "must not leak the file contents")
-	assert.Contains(t, stderr, "file-reading command")
+	assert.Equal(t, 0, code, "script completes; only the substitution fails")
+	assert.Equal(t, "[]\n", stdout, "must not leak the file contents")
+	assert.Contains(t, stderr, "file read not permitted")
+	assert.Contains(t, stderr, "cat not in allowed commands")
+}
+
+// TestCmdSubstCatShortcutAllowedWhenCatAllowed verifies the shortcut
+// works when cat is explicitly in AllowedCommands (not just
+// AllowAllCommands).
+func TestCmdSubstCatShortcutAllowedWhenCatAllowed(t *testing.T) {
+	dir := t.TempDir()
+	require.NoError(t, os.WriteFile(filepath.Join(dir, "data.txt"), []byte("ok"), 0644))
+	stdout, _, code := cmdSubstRunWithOpts(t,
+		`x=$(<data.txt); echo "$x"`,
+		dir,
+		interp.AllowedPaths([]string{dir}),
+		interp.AllowedCommands([]string{"rshell:cat", "rshell:echo"}),
+	)
+	assert.Equal(t, 0, code)
+	assert.Equal(t, "ok\n", stdout)
 }
 
 // --- For loop integration ---
diff --git a/interp/tests/redir_input_bypass_pentest_test.go b/interp/tests/redir_input_bypass_pentest_test.go
index 5651288f..e34db570 100644
--- a/interp/tests/redir_input_bypass_pentest_test.go
+++ b/interp/tests/redir_input_bypass_pentest_test.go
@@ -31,10 +31,11 @@ import (
 // whitelisted but not `rshell:cat` could still read any file inside
 // AllowedPaths via `x=$(<file); echo "$x"`.
 //
-// The mitigation rejects any `<` input redirect that is not attached to a
-// command. These tests verify every reachable shape of that construct is
-// now blocked at validation (exit 2) before any file I/O occurs, while
-// the legitimate `cmd < file` form keeps working.
+// The mitigation keeps the shortcut functional but gates it on `cat`
+// being in the allowlist — $(<file) is treated as an implicit
+// $(cat file) for allowlist purposes. These tests verify both the gate
+// (reads refused when cat is missing) and the happy path (reads work
+// when cat is allowed).
 
 // runBypass runs script with AllowedPaths=[dir] and the given allowed
 // commands. It returns stdout, stderr, and exit code.
@@ -72,232 +73,107 @@ func runBypass(t *testing.T, script, dir string, allowedCmds []string) (string,
 	return outBuf.String(), errBuf.String(), exitCode
 }
 
-// TestPentestInputRedirBypass_OriginalExploit is the exact exploit
-// reported: cat is NOT in the allowlist, but a caller uses $(<file) to
-// read the file anyway.
-func TestPentestInputRedirBypass_OriginalExploit(t *testing.T) {
+// TestPentestCatShortcut_BlockedWhenCatNotAllowed is the exact exploit
+// reported: cat is NOT in the allowlist, but a caller tries to read a
+// file via $(<file). The gate must refuse without leaking content.
+func TestPentestCatShortcut_BlockedWhenCatNotAllowed(t *testing.T) {
 	dir := t.TempDir()
 	require.NoError(t, os.WriteFile(filepath.Join(dir, "secret.txt"), []byte("TOP SECRET"), 0644))
 
 	stdout, stderr, code := runBypass(t,
-		`x=$(<secret.txt); echo "$x"`,
+		`x=$(<secret.txt); echo "[$x]"`,
 		dir,
 		[]string{"rshell:echo"},
 	)
-	assert.Equal(t, 2, code, "must reject at validation")
-	assert.NotContains(t, stdout, "TOP SECRET", "must not leak file contents")
-	assert.Contains(t, stderr, "file-reading command")
+	// Script completes (echo runs); only the substitution fails with
+	// $?=1 and a diagnostic message. stdout shows the empty
+	// substitution, not the file contents.
+	assert.Equal(t, 0, code)
+	assert.Equal(t, "[]\n", stdout, "must not leak file contents")
+	assert.Contains(t, stderr, "file read not permitted")
+	assert.Contains(t, stderr, "cat not in allowed commands")
+	assert.NotContains(t, stdout, "TOP SECRET")
 }
 
-// TestPentestInputRedirBypass_EvenWithCatAllowed verifies the fix does
-// not depend on which commands are allowed — $(<file) is structurally
-// rejected even when cat is available (users must write $(cat file)).
-func TestPentestInputRedirBypass_EvenWithCatAllowed(t *testing.T) {
+// TestPentestCatShortcut_AllowedWhenCatAllowed verifies the happy path:
+// with cat in the allowlist the shortcut reads the file as expected.
+func TestPentestCatShortcut_AllowedWhenCatAllowed(t *testing.T) {
 	dir := t.TempDir()
 	require.NoError(t, os.WriteFile(filepath.Join(dir, "data.txt"), []byte("content"), 0644))
 
-	_, stderr, code := runBypass(t,
-		`x=$(<data.txt); echo "$x"`,
+	stdout, stderr, code := runBypass(t,
+		`x=$(<data.txt); echo "[$x]"`,
 		dir,
-		[]string{"rshell:echo", "rshell:cat"},
+		[]string{"rshell:cat", "rshell:echo"},
 	)
-	assert.Equal(t, 2, code)
-	assert.Contains(t, stderr, "file-reading command")
+	assert.Equal(t, 0, code, "should succeed when cat is allowed; stderr: %s", stderr)
+	assert.Equal(t, "[content]\n", stdout)
 }
 
-// TestPentestInputRedirBypass_VariousShapes exercises every syntactic
-// shape where `<` could appear without an attached command. All must be
-// rejected — if any shape slipped through, it would be a new bypass
-// vector equivalent to the original vulnerability.
-func TestPentestInputRedirBypass_VariousShapes(t *testing.T) {
+// TestPentestCatShortcut_ExitStatusPropagates verifies that the
+// blocked-shortcut sets $?=1 so scripts can detect the refusal with
+// standard control flow.
+func TestPentestCatShortcut_ExitStatusPropagates(t *testing.T) {
 	dir := t.TempDir()
-	require.NoError(t, os.WriteFile(filepath.Join(dir, "data.txt"), []byte("leak"), 0644))
+	require.NoError(t, os.WriteFile(filepath.Join(dir, "secret.txt"), []byte("nope"), 0644))
 
-	cases := []struct {
-		name   string
-		script string
-	}{
-		{"dollar-paren shortcut", `x=$(<data.txt); echo "$x"`},
-		{"backtick shortcut", "x=`<data.txt`; echo \"$x\""},
-		{"bare redirect", `<data.txt`},
-		{"bare redirect with semicolon", `<data.txt; echo done`},
-		{"brace group bare redirect", `{ <data.txt; }`},
-		{"subshell bare redirect", `( <data.txt )`},
-		{"explicit fd 0 shortcut", `x=$(0<data.txt); echo "$x"`},
-		{"nested in echo", `echo "prefix $(<data.txt) suffix"`},
-		{"in if condition", `if $(<data.txt); then echo yes; fi`},
-		{"in for items", `for x in $(<data.txt); do echo "$x"; done`},
-		{"multiple redirects, one bare <", `<data.txt >/dev/null`},
-	}
-	for _, tc := range cases {
-		t.Run(tc.name, func(t *testing.T) {
-			stdout, stderr, code := runBypass(t, tc.script, dir, []string{"rshell:echo"})
-			assert.Equal(t, 2, code, "script must be rejected at validation")
-			assert.NotContains(t, stdout, "leak", "file contents must not leak")
-			assert.Contains(t, stderr, "file-reading command",
-				"rejection message should mention the input redirect rule")
-		})
-	}
-}
-
-// TestPentestInputRedirBypass_NegativeCases verifies we did NOT break
-// the legitimate `cmd < file` form. These must continue to work when
-// the command is in the allowlist.
-func TestPentestInputRedirBypass_NegativeCases(t *testing.T) {
-	dir := t.TempDir()
-	require.NoError(t, os.WriteFile(filepath.Join(dir, "data.txt"), []byte("hello\n"), 0644))
-
-	cases := []struct {
-		name   string
-		script string
-		want   string
-	}{
-		{"cat with <", `cat < data.txt`, "hello\n"},
-		{"head with <", `head < data.txt`, "hello\n"},
-		{"tail with <", `tail < data.txt`, "hello\n"},
-		{"explicit fd 0", `cat 0< data.txt`, "hello\n"},
-		{"in cmdsubst via cat", `x=$(cat < data.txt); echo "$x"`, "hello\n"},
-		{"pipe then <", `cat < data.txt | cat`, "hello\n"},
-	}
-	for _, tc := range cases {
-		t.Run(tc.name, func(t *testing.T) {
-			stdout, stderr, code := runBypass(t, tc.script, dir,
-				[]string{"rshell:cat", "rshell:head", "rshell:tail", "rshell:echo"})
-			assert.Equal(t, 0, code, "legitimate cmd<file must still work; stderr: %s", stderr)
-			assert.Equal(t, tc.want, stdout)
-		})
-	}
+	stdout, _, code := runBypass(t,
+		`x=$(<secret.txt); echo "$?"`,
+		dir,
+		[]string{"rshell:echo"},
+	)
+	assert.Equal(t, 0, code)
+	assert.Equal(t, "1\n", stdout, "$? must be 1 after the blocked shortcut")
 }
 
-// TestPentestInputRedirBypass_FilesystemUntouched verifies that when
-// $(<file) is rejected at validation, no filesystem read is attempted —
-// even if the target file does not exist, the interpreter emits no
-// "no such file" diagnostic.
-func TestPentestInputRedirBypass_FilesystemUntouched(t *testing.T) {
+// TestPentestCatShortcut_NoFileAccessWhenBlocked verifies that when the
+// gate refuses, no file is opened — a missing file yields the
+// allowlist-denial message, not a "no such file" error.
+func TestPentestCatShortcut_NoFileAccessWhenBlocked(t *testing.T) {
 	dir := t.TempDir()
 	_, stderr, code := runBypass(t,
 		`x=$(<nonexistent-path.txt); echo "$x"`,
 		dir,
 		[]string{"rshell:echo"},
 	)
-	assert.Equal(t, 2, code)
-	assert.Contains(t, stderr, "file-reading command")
-	// Validation must short-circuit before any open() — no filesystem
-	// errors should leak in the stderr output.
-	assert.NotContains(t, strings.ToLower(stderr), "no such file")
+	assert.Equal(t, 0, code)
+	assert.Contains(t, stderr, "cat not in allowed commands")
+	assert.NotContains(t, strings.ToLower(stderr), "no such file",
+		"gate should short-circuit before any filesystem access")
 }
 
-// TestPentestInputRedir_NonFileReadersRejected verifies that `<` is
-// rejected when paired with a command that does not consume stdin as
-// file content. These commands either ignore stdin (echo/printf/true),
-// operate on path arguments (ls/find), or read kernel pseudo-files
-// (ps/uname) — pairing them with `<` would not be a legitimate file
-// read, only a way to probe AllowedPaths without a stdin consumer.
-func TestPentestInputRedir_NonFileReadersRejected(t *testing.T) {
+// TestPentestCatShortcut_VariousContexts exercises the shortcut in
+// several expansion contexts (nested echo arg, if condition, for
+// iterator). In every context it must succeed when cat is allowed and
+// refuse when cat is not.
+func TestPentestCatShortcut_VariousContexts(t *testing.T) {
 	dir := t.TempDir()
-	require.NoError(t, os.WriteFile(filepath.Join(dir, "data.txt"), []byte("leak"), 0644))
+	require.NoError(t, os.WriteFile(filepath.Join(dir, "data.txt"), []byte("alpha"), 0644))
 
-	cases := []struct {
+	contexts := []struct {
 		name   string
 		script string
 	}{
-		{"echo", `echo hi < data.txt`},
-		{"printf", `printf 'x\n' < data.txt`},
-		{"true", `true < data.txt`},
-		{"false", `false < data.txt`},
-		{"ls", `ls < data.txt`},
-		{"ps", `ps < data.txt`},
-		{"uname", `uname < data.txt`},
-		{"find", `find . < data.txt`},
-		{"help", `help < data.txt`},
-		{"test", `test -e data.txt < data.txt`},
-	}
-	allAllowed := []string{
-		"rshell:echo", "rshell:printf", "rshell:true", "rshell:false",
-		"rshell:ls", "rshell:ps", "rshell:uname", "rshell:find",
-		"rshell:help", "rshell:test",
-	}
-	for _, tc := range cases {
-		t.Run(tc.name, func(t *testing.T) {
-			stdout, stderr, code := runBypass(t, tc.script, dir, allAllowed)
-			assert.Equal(t, 2, code,
-				"< must be rejected on non-file-reader %q", tc.name)
-			assert.NotContains(t, stdout, "leak",
-				"must not emit file contents when rejecting")
-			assert.Contains(t, stderr, "file-reading command",
-				"rejection should cite the file-reading-command rule")
-		})
+		{"assignment", `x=$(<data.txt); echo "$x"`},
+		{"echo arg", `echo "[$(<data.txt)]"`},
+		{"backtick", "echo \"[`<data.txt`]\""},
+		{"for iterator", `for x in $(<data.txt); do echo "$x"; done`},
 	}
-}
 
-// TestPentestInputRedir_AllFileReadersAccepted verifies that every
-// builtin in the fileReadingCommands allowlist accepts `<`. If a new
-// builtin is added to that set, it belongs here too.
-func TestPentestInputRedir_AllFileReadersAccepted(t *testing.T) {
-	dir := t.TempDir()
-	// Text-only content so every command — including `strings` —
-	// produces a deterministic, non-empty result.
-	require.NoError(t, os.WriteFile(filepath.Join(dir, "data.txt"),
-		[]byte("alpha\nbeta\n"), 0644))
-
-	cases := []struct {
-		cmd    string
-		script string
-	}{
-		{"cat", `cat < data.txt`},
-		{"cut", `cut -c1-2 < data.txt`},
-		{"grep", `grep alpha < data.txt`},
-		{"head", `head -n 1 < data.txt`},
-		{"sed", `sed -n 1p < data.txt`},
-		{"sort", `sort < data.txt`},
-		{"strings", `strings < data.txt`},
-		{"tail", `tail -n 1 < data.txt`},
-		{"tr", `tr a A < data.txt`},
-		{"uniq", `uniq < data.txt`},
-		{"wc", `wc -l < data.txt`},
-	}
-	allAllowed := []string{
-		"rshell:cat", "rshell:cut", "rshell:grep", "rshell:head",
-		"rshell:sed", "rshell:sort", "rshell:strings", "rshell:tail",
-		"rshell:tr", "rshell:uniq", "rshell:wc",
-	}
-	for _, tc := range cases {
-		t.Run(tc.cmd, func(t *testing.T) {
-			stdout, stderr, code := runBypass(t, tc.script, dir, allAllowed)
-			assert.Equal(t, 0, code,
-				"file-reader %q must be allowed to pair with <; stderr: %s",
-				tc.cmd, stderr)
-			assert.NotEmpty(t, stdout,
-				"file-reader %q should produce output when reading data.txt",
-				tc.cmd)
+	for _, tc := range contexts {
+		t.Run(tc.name+"/allowed", func(t *testing.T) {
+			stdout, stderr, code := runBypass(t, tc.script, dir,
+				[]string{"rshell:cat", "rshell:echo"})
+			assert.Equal(t, 0, code, "should succeed; stderr: %s", stderr)
+			assert.Contains(t, stdout, "alpha")
 		})
-	}
-}
-
-// TestPentestInputRedir_DynamicCommandNameRejected guards against
-// indirect invocations (`$CMD < file`, `"cat" < file`) slipping past
-// the static allowlist check. A dynamic command name cannot be
-// validated at parse time, so we reject it outright rather than permit
-// a smuggling vector.
-func TestPentestInputRedir_DynamicCommandNameRejected(t *testing.T) {
-	dir := t.TempDir()
-	require.NoError(t, os.WriteFile(filepath.Join(dir, "data.txt"), []byte("leak"), 0644))
-
-	cases := []struct {
-		name   string
-		script string
-	}{
-		{"variable command", `CMD=cat; $CMD < data.txt`},
-		{"quoted command", `"cat" < data.txt`},
-		{"command with concat", `ca"t" < data.txt`},
-	}
-	for _, tc := range cases {
-		t.Run(tc.name, func(t *testing.T) {
+		t.Run(tc.name+"/blocked", func(t *testing.T) {
 			stdout, stderr, code := runBypass(t, tc.script, dir,
-				[]string{"rshell:cat"})
-			assert.Equal(t, 2, code)
-			assert.NotContains(t, stdout, "leak")
-			assert.Contains(t, stderr, "file-reading command")
+				[]string{"rshell:echo"})
+			assert.Equal(t, 0, code)
+			assert.NotContains(t, stdout, "alpha",
+				"blocked shortcut must not leak file contents")
+			assert.Contains(t, stderr, "cat not in allowed commands")
 		})
 	}
 }
diff --git a/interp/validate.go b/interp/validate.go
index eb937ff4..e04cfcb3 100644
--- a/interp/validate.go
+++ b/interp/validate.go
@@ -93,10 +93,6 @@ func validateNode(node syntax.Node) error {
 				err = fmt.Errorf("background execution (&) is not supported")
 				return false
 			}
-			if rerr := validateInputRedirection(n); rerr != nil {
-				err = rerr
-				return false
-			}
 
 		// Blocked pipe operators.
 		case *syntax.BinaryCmd:
@@ -205,103 +201,6 @@ func validateAssign(as *syntax.Assign) error {
 	return nil
 }
 
-// fileReadingCommands enumerates the builtins whose semantics is "read
-// stdin (or a file arg) and process its contents". These are the only
-// commands the `<` input redirection may be applied to — commands that
-// ignore stdin (echo, printf, true, ps, …) cannot be used to smuggle
-// file reads past the AllowedCommands allowlist via constructs like
-// `echo < file` being rewritten into `$(<file)` by the cmdsubst layer.
-//
-// Keep this list in sync with builtins/ — a command belongs here iff
-// its implementation actually consumes stdin as file-like content.
-var fileReadingCommands = map[string]bool{
-	"cat":     true,
-	"cut":     true,
-	"grep":    true,
-	"head":    true,
-	"sed":     true,
-	"sort":    true,
-	"strings": true,
-	"tail":    true,
-	"tr":      true,
-	"uniq":    true,
-	"wc":      true,
-}
-
-// fileReadingCommandList is the human-readable form of the set above,
-// used in validation error messages so callers know which commands are
-// acceptable on the LHS of `<`.
-const fileReadingCommandList = "cat, cut, grep, head, sed, sort, strings, tail, tr, uniq, wc"
-
-// validateInputRedirection enforces the rule that `<` input redirection
-// may only be applied to a simple call to one of the fileReadingCommands
-// builtins. This closes the `$(<file)` bypass and the equivalent
-// bare/compound forms — bash implements that shortcut by reading the
-// file directly, which skips the AllowedCommands check entirely.
-//
-// The rule deliberately requires a static (literal) command name: a
-// dynamic name like `$CMD < file` cannot be validated without running
-// the expansion, so we reject it rather than permit a bypass surface.
-func validateInputRedirection(stmt *syntax.Stmt) error {
-	var in *syntax.Redirect
-	for _, rd := range stmt.Redirs {
-		if rd.Op != syntax.RdrIn {
-			continue
-		}
-		// Non-default fds (e.g. `3< file`) are rejected by
-		// validateRedirect with a more precise error message. Skip them
-		// here so the fd-level diagnostic surfaces instead of this rule.
-		if rd.N != nil && rd.N.Value != "0" {
-			continue
-		}
-		in = rd
-		break
-	}
-	if in == nil {
-		return nil
-	}
-
-	// Bare `< file` with no command — this is the shape used by
-	// `$(<file)`, `( <file )`, `{ <file; }`, etc. and is exactly the
-	// allowlist-bypass path.
-	if stmt.Cmd == nil {
-		return fmt.Errorf("< input redirection requires a file-reading command (%s); bare <file and $(<file) are not supported because they bypass the command allowlist", fileReadingCommandList)
-	}
-
-	// `< file` must attach directly to a simple command, never to a
-	// compound construct like `{ … } < file` or `if … < file`. Those
-	// would apply the redirect transitively to whatever inner command
-	// reads stdin first, which makes it hard to reason about which
-	// command is actually consuming the file.
-	call, ok := stmt.Cmd.(*syntax.CallExpr)
-	if !ok {
-		return fmt.Errorf("< input redirection must be attached directly to a file-reading command (%s), not to a compound statement", fileReadingCommandList)
-	}
-
-	// A CallExpr with only assignments (e.g. `FOO=bar < file`) runs no
-	// command — the redirect has no consumer, so the file read is
-	// unbound. Treat it the same as the bare-< case.
-	if len(call.Args) == 0 {
-		return fmt.Errorf("< input redirection requires a file-reading command (%s); assignment-only statements do not qualify", fileReadingCommandList)
-	}
-
-	// The command name must be a single literal part. Dynamic forms
-	// (variable expansion, command substitution in the name, quoted
-	// words) cannot be validated statically, so we reject them.
-	first := call.Args[0]
-	if len(first.Parts) != 1 {
-		return fmt.Errorf("< input redirection requires a statically-known file-reading command (%s); dynamic command names are not permitted", fileReadingCommandList)
-	}
-	lit, ok := first.Parts[0].(*syntax.Lit)
-	if !ok {
-		return fmt.Errorf("< input redirection requires a statically-known file-reading command (%s); dynamic command names are not permitted", fileReadingCommandList)
-	}
-	if !fileReadingCommands[lit.Value] {
-		return fmt.Errorf("< input redirection is only allowed with file-reading commands (%s); %q is not one of them", fileReadingCommandList, lit.Value)
-	}
-	return nil
-}
-
 func validateRedirect(rd *syntax.Redirect) error {
 	switch rd.Op {
 	case syntax.WordHdoc:
diff --git a/tests/scenarios/shell/blocked_redirects/cat_shortcut_bypass.yaml b/tests/scenarios/shell/blocked_redirects/cat_shortcut_bypass.yaml
index bf9167bd..dcbf82b2 100644
--- a/tests/scenarios/shell/blocked_redirects/cat_shortcut_bypass.yaml
+++ b/tests/scenarios/shell/blocked_redirects/cat_shortcut_bypass.yaml
@@ -1,4 +1,4 @@
-description: $(<file) must not bypass the command allowlist — even with the file in allowed_paths and no file-reading commands allowed, the read is rejected at validation.
+description: $(<file) must not bypass the command allowlist — with the file in allowed_paths but cat NOT in allowed_commands, the shortcut is blocked at runtime.
 skip_assert_against_bash: true
 setup:
   files:
@@ -11,7 +11,9 @@ input:
     x=$(<secret.txt)
     echo "$x"
 expect:
-  stdout: ""
+  stdout: |+
+
   stderr_contains:
-    - "file-reading command"
-  exit_code: 2
+    - "file read not permitted"
+    - "cat not in allowed commands"
+  exit_code: 0
diff --git a/tests/scenarios/shell/blocked_redirects/input_non_file_reader.yaml b/tests/scenarios/shell/blocked_redirects/input_non_file_reader.yaml
deleted file mode 100644
index 2738e6a7..00000000
--- a/tests/scenarios/shell/blocked_redirects/input_non_file_reader.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-description: < input redirection is rejected when paired with a command that does not read file contents (echo just writes its args).
-skip_assert_against_bash: true
-setup:
-  files:
-    - path: secret.txt
-      content: "do not leak"
-input:
-  allowed_paths: ["$DIR"]
-  allowed_commands: ["rshell:echo"]
-  script: |+
-    echo hi < secret.txt
-expect:
-  stdout: ""
-  stderr_contains:
-    - "file-reading command"
-  exit_code: 2
diff --git a/tests/scenarios/shell/command_substitution/cat_shortcut.yaml b/tests/scenarios/shell/command_substitution/cat_shortcut.yaml
index 7c82f721..fbb98573 100644
--- a/tests/scenarios/shell/command_substitution/cat_shortcut.yaml
+++ b/tests/scenarios/shell/command_substitution/cat_shortcut.yaml
@@ -1,5 +1,4 @@
-description: $(<file) is rejected because it bypasses the command allowlist; use $(cat file) instead.
-skip_assert_against_bash: true
+description: $(<file) shortcut reads file contents directly when cat is allowed.
 setup:
   files:
     - path: data.txt
@@ -10,7 +9,7 @@ input:
     x=$(<data.txt)
     echo "$x"
 expect:
-  stdout: ""
-  stderr_contains:
-    - "file-reading command"
-  exit_code: 2
+  stdout: |+
+    file content here
+  stderr: ""
+  exit_code: 0
diff --git a/tests/scenarios/shell/command_substitution/cat_shortcut_directory.yaml b/tests/scenarios/shell/command_substitution/cat_shortcut_directory.yaml
index 318b374e..c9eff434 100644
--- a/tests/scenarios/shell/command_substitution/cat_shortcut_directory.yaml
+++ b/tests/scenarios/shell/command_substitution/cat_shortcut_directory.yaml
@@ -1,5 +1,4 @@
-description: $(<dir) is also rejected at validation because it uses the blocked $(<file) shortcut.
-skip_assert_against_bash: true
+description: $(<dir) silently produces empty output (matches bash).
 setup:
   files:
     - path: subdir/placeholder.txt
@@ -10,7 +9,7 @@ input:
     x=$(<subdir)
     echo "[$x]"
 expect:
-  stdout: ""
-  stderr_contains:
-    - "file-reading command"
-  exit_code: 2
+  stdout: |+
+    []
+  stderr: ""
+  exit_code: 0
diff --git a/tests/scenarios/shell/command_substitution/cat_shortcut_exit_status.yaml b/tests/scenarios/shell/command_substitution/cat_shortcut_exit_status.yaml
index 9cd2e60f..8854eb7a 100644
--- a/tests/scenarios/shell/command_substitution/cat_shortcut_exit_status.yaml
+++ b/tests/scenarios/shell/command_substitution/cat_shortcut_exit_status.yaml
@@ -1,5 +1,4 @@
-description: $(<file) shortcut is rejected at validation even when combined with other assignments.
-skip_assert_against_bash: true
+description: $(<file) shortcut resets exit status after prior failed substitution.
 setup:
   files:
     - path: ok.txt
@@ -10,7 +9,7 @@ input:
     a=$(false) b=$(<ok.txt)
     echo "$?"
 expect:
-  stdout: ""
-  stderr_contains:
-    - "file-reading command"
-  exit_code: 2
+  stdout: |+
+    0
+  stderr: ""
+  exit_code: 0
diff --git a/tests/scenarios/shell/command_substitution/cat_shortcut_trailing_newlines.yaml b/tests/scenarios/shell/command_substitution/cat_shortcut_trailing_newlines.yaml
index 2943e956..1d64e228 100644
--- a/tests/scenarios/shell/command_substitution/cat_shortcut_trailing_newlines.yaml
+++ b/tests/scenarios/shell/command_substitution/cat_shortcut_trailing_newlines.yaml
@@ -1,4 +1,4 @@
-description: The $(<file) shortcut is rejected; $(cat file) is the allowed equivalent and still strips trailing newlines.
+description: $(<file) strips trailing newlines from file content.
 setup:
   files:
     - path: trailing.txt
@@ -6,7 +6,7 @@ setup:
 input:
   allowed_paths: ["$DIR"]
   script: |+
-    x=$(cat trailing.txt)
+    x=$(<trailing.txt)
     echo "[$x]"
 expect:
   stdout: |+

From 4f45c641f3036634460eff177c40d251714a71c6 Mon Sep 17 00:00:00 2001
From: Matthew DeGuzman <matthew.deguzman@datadoghq.com>
Date: Wed, 22 Apr 2026 13:24:36 -0400
Subject: [PATCH 4/6] test(interp): extend $(<file) pentest coverage

Add three regression tests to the existing pentest suite:

- SandboxEnforcedWhenCatAllowed: the gate and AllowedPaths are
  independent defences. Allowing cat does not let a caller read files
  outside the sandbox.
- SymlinkEscapeBlocked: a symlink inside AllowedPaths pointing outside
  must be refused by os.Root, not followed.
- VariableExpandedPath: the shortcut runs word expansion on its path,
  both for legitimate use (F=data.txt; $(<$F)) and to guarantee the
  gate cannot be dodged by hiding the path behind a variable.
---
 .../tests/redir_input_bypass_pentest_test.go  | 92 +++++++++++++++++++
 1 file changed, 92 insertions(+)

diff --git a/interp/tests/redir_input_bypass_pentest_test.go b/interp/tests/redir_input_bypass_pentest_test.go
index e34db570..85f3946b 100644
--- a/interp/tests/redir_input_bypass_pentest_test.go
+++ b/interp/tests/redir_input_bypass_pentest_test.go
@@ -11,6 +11,7 @@ import (
 	"errors"
 	"os"
 	"path/filepath"
+	"runtime"
 	"strings"
 	"testing"
 	"time"
@@ -142,6 +143,97 @@ func TestPentestCatShortcut_NoFileAccessWhenBlocked(t *testing.T) {
 		"gate should short-circuit before any filesystem access")
 }
 
+// TestPentestCatShortcut_SandboxEnforcedWhenCatAllowed verifies that
+// permitting `cat` in AllowedCommands does not weaken AllowedPaths.
+// Even with the gate satisfied, a path outside the sandbox must be
+// refused by the path layer — the two defences are independent.
+func TestPentestCatShortcut_SandboxEnforcedWhenCatAllowed(t *testing.T) {
+	dir := t.TempDir()
+	// Put a file somewhere outside `dir` so we have a concrete target
+	// to attempt reading.
+	outside := t.TempDir()
+	outsidePath := filepath.Join(outside, "secret.txt")
+	require.NoError(t, os.WriteFile(outsidePath, []byte("CROSS-BOUNDARY"), 0644))
+
+	// `echo "$?[$x]"` is evaluated before echo runs, so $? still
+	// carries the substitution's exit code (1 on failure) and $x is
+	// empty if the read was refused. The trailing echo prevents the
+	// script's top-level exit code from being overwritten.
+	script := `x=$(<` + outsidePath + `); echo "$?[$x]"`
+	stdout, stderr, code := runBypass(t, script, dir,
+		[]string{"rshell:cat", "rshell:echo"})
+
+	assert.Equal(t, 0, code)
+	assert.Equal(t, "1[]\n", stdout,
+		"substitution should fail ($?=1) and bind empty content")
+	assert.NotContains(t, stdout, "CROSS-BOUNDARY", "file contents must not leak")
+	assert.NotContains(t, stderr, "cat not in allowed commands",
+		"failure should be path-level, not gate-level")
+	assert.NotEmpty(t, stderr, "sandbox layer should have logged an error")
+}
+
+// TestPentestCatShortcut_SymlinkEscapeBlocked verifies that a symlink
+// planted inside AllowedPaths pointing outside is refused by the
+// sandbox. The $(<file) shortcut uses the same r.open path as builtins,
+// so this is really a sanity check that symlinks do not bypass os.Root.
+func TestPentestCatShortcut_SymlinkEscapeBlocked(t *testing.T) {
+	if runtime.GOOS == "windows" {
+		t.Skip("symlink creation requires elevation on Windows")
+	}
+	dir := t.TempDir()
+	outside := t.TempDir()
+	outsidePath := filepath.Join(outside, "secret.txt")
+	require.NoError(t, os.WriteFile(outsidePath, []byte("SYMLINK TARGET"), 0644))
+
+	// Plant a symlink inside the sandbox that points outside it.
+	linkPath := filepath.Join(dir, "escape.lnk")
+	require.NoError(t, os.Symlink(outsidePath, linkPath))
+
+	stdout, stderr, code := runBypass(t,
+		`x=$(<escape.lnk); echo "$?[$x]"`,
+		dir,
+		[]string{"rshell:cat", "rshell:echo"})
+
+	assert.Equal(t, 0, code)
+	assert.Equal(t, "1[]\n", stdout,
+		"symlink escape should fail ($?=1) and bind empty content")
+	assert.NotContains(t, stdout, "SYMLINK TARGET", "contents behind symlink must not leak")
+	assert.NotContains(t, stderr, "cat not in allowed commands",
+		"refusal should be sandbox-level, not gate-level")
+	assert.NotEmpty(t, stderr, "sandbox layer should have logged an error")
+}
+
+// TestPentestCatShortcut_VariableExpandedPath verifies that the
+// shortcut path goes through normal word expansion — an attacker
+// cannot dodge the allowlist check by hiding the path behind a
+// variable, and a legitimate user can use variables to build paths.
+func TestPentestCatShortcut_VariableExpandedPath(t *testing.T) {
+	dir := t.TempDir()
+	require.NoError(t, os.WriteFile(filepath.Join(dir, "data.txt"), []byte("expanded"), 0644))
+
+	// Happy path: expanded path works when cat is allowed.
+	t.Run("allowed", func(t *testing.T) {
+		stdout, stderr, code := runBypass(t,
+			`F=data.txt; x=$(<$F); echo "[$x]"`,
+			dir,
+			[]string{"rshell:cat", "rshell:echo"})
+		assert.Equal(t, 0, code, "should succeed; stderr: %s", stderr)
+		assert.Equal(t, "[expanded]\n", stdout)
+	})
+
+	// The gate fires regardless of whether the path is literal or
+	// variable-expanded — variables cannot be used as an evasion.
+	t.Run("blocked", func(t *testing.T) {
+		stdout, stderr, code := runBypass(t,
+			`F=data.txt; x=$(<$F); echo "[$x]"`,
+			dir,
+			[]string{"rshell:echo"})
+		assert.Equal(t, 0, code)
+		assert.Equal(t, "[]\n", stdout, "must not leak content via variable-expanded path")
+		assert.Contains(t, stderr, "cat not in allowed commands")
+	})
+}
+
 // TestPentestCatShortcut_VariousContexts exercises the shortcut in
 // several expansion contexts (nested echo arg, if condition, for
 // iterator). In every context it must succeed when cat is allowed and

From a695350186a1c46a8b43b0fc560fa1a92b3c9d9e Mon Sep 17 00:00:00 2001
From: Matthew DeGuzman <matthew.deguzman@datadoghq.com>
Date: Wed, 22 Apr 2026 13:34:15 -0400
Subject: [PATCH 5/6] test(scenarios): assert exact stderr in
 cat_shortcut_bypass

Per AGENTS.md, scenarios should prefer expect.stderr over
stderr_contains when the output is deterministic. The blocked
$(<file) gate emits a single fixed diagnostic and no variable
sandbox warnings, so the contains-only form would miss extra
stderr noise from a future regression.
---
 .../shell/blocked_redirects/cat_shortcut_bypass.yaml         | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/tests/scenarios/shell/blocked_redirects/cat_shortcut_bypass.yaml b/tests/scenarios/shell/blocked_redirects/cat_shortcut_bypass.yaml
index dcbf82b2..ba0de062 100644
--- a/tests/scenarios/shell/blocked_redirects/cat_shortcut_bypass.yaml
+++ b/tests/scenarios/shell/blocked_redirects/cat_shortcut_bypass.yaml
@@ -13,7 +13,6 @@ input:
 expect:
   stdout: |+
 
-  stderr_contains:
-    - "file read not permitted"
-    - "cat not in allowed commands"
+  stderr: |+
+    $(<file): file read not permitted (cat not in allowed commands)
   exit_code: 0

From 084e0cc0f313bbe4545abbb490c10f2e5b527609 Mon Sep 17 00:00:00 2001
From: Matthew DeGuzman <matthew.deguzman@datadoghq.com>
Date: Wed, 22 Apr 2026 13:54:27 -0400
Subject: [PATCH 6/6] =?UTF-8?q?test(scenarios):=20inverse=20of=20cat=5Fsho?=
 =?UTF-8?q?rtcut=5Fbypass=20=E2=80=94=20succeed=20when=20rshell:cat=20is?=
 =?UTF-8?q?=20allowed?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Pairs with blocked_redirects/cat_shortcut_bypass.yaml to prove the gate
decision hinges purely on cat's membership in allowed_commands and has
no other side effects on stdout/stderr.
---
 .../cat_shortcut_allowed_explicit.yaml          | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 tests/scenarios/shell/command_substitution/cat_shortcut_allowed_explicit.yaml

diff --git a/tests/scenarios/shell/command_substitution/cat_shortcut_allowed_explicit.yaml b/tests/scenarios/shell/command_substitution/cat_shortcut_allowed_explicit.yaml
new file mode 100644
index 00000000..59fabf87
--- /dev/null
+++ b/tests/scenarios/shell/command_substitution/cat_shortcut_allowed_explicit.yaml
@@ -0,0 +1,17 @@
+description: $(<file) shortcut works when rshell:cat is explicitly in allowed_commands (inverse of blocked_redirects/cat_shortcut_bypass).
+skip_assert_against_bash: true
+setup:
+  files:
+    - path: data.txt
+      content: "hello from file"
+input:
+  allowed_paths: ["$DIR"]
+  allowed_commands: ["rshell:cat", "rshell:echo"]
+  script: |+
+    x=$(<data.txt)
+    echo "[$x]"
+expect:
+  stdout: |+
+    [hello from file]
+  stderr: |+
+  exit_code: 0