feat: add node budget and memory limits by thevilledev · Pull Request #762 · expr-lang/expr
Implement compile-time and runtime safeguards against deeply nested expressions: - Add MaxNodes limit to track and limit AST node count during parsing - Move MemoryBudget from VM to Config for better configurability - Add node creation tracking in parser to enforce node budget - Refactor node creation to check limits before allocation - Add RunWithConfig to VM for passing memory budget settings - Set reasonable defaults in Config (10000 nodes, 1M memory) - Add comprehensive tests for both node and memory limits This prevents stack overflows from malicious or poorly written expressions by failing fast with clear error messages during compilation or runtime. Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
Signed-off-by: Anton Medvedev <anton@medv.io>
This was referenced
Mar 24, 2025SimFG pushed a commit to SimFG/expr that referenced this pull request
Apr 15, 2025* feat: add node budget and memory limits Implement compile-time and runtime safeguards against deeply nested expressions: - Add MaxNodes limit to track and limit AST node count during parsing - Move MemoryBudget from VM to Config for better configurability - Add node creation tracking in parser to enforce node budget - Refactor node creation to check limits before allocation - Add RunWithConfig to VM for passing memory budget settings - Set reasonable defaults in Config (10000 nodes, 1M memory) - Add comprehensive tests for both node and memory limits This prevents stack overflows from malicious or poorly written expressions by failing fast with clear error messages during compilation or runtime. Signed-off-by: Ville Vesilehto <ville@vesilehto.fi> * Update parser.go Signed-off-by: Anton Medvedev <anton@medv.io> --------- Signed-off-by: Ville Vesilehto <ville@vesilehto.fi> Signed-off-by: Anton Medvedev <anton@medv.io> Co-authored-by: Anton Medvedev <anton@medv.io>
SimFG pushed a commit to SimFG/expr that referenced this pull request
May 13, 2025* feat: add node budget and memory limits Implement compile-time and runtime safeguards against deeply nested expressions: - Add MaxNodes limit to track and limit AST node count during parsing - Move MemoryBudget from VM to Config for better configurability - Add node creation tracking in parser to enforce node budget - Refactor node creation to check limits before allocation - Add RunWithConfig to VM for passing memory budget settings - Set reasonable defaults in Config (10000 nodes, 1M memory) - Add comprehensive tests for both node and memory limits This prevents stack overflows from malicious or poorly written expressions by failing fast with clear error messages during compilation or runtime. Signed-off-by: Ville Vesilehto <ville@vesilehto.fi> * Update parser.go Signed-off-by: Anton Medvedev <anton@medv.io> --------- Signed-off-by: Ville Vesilehto <ville@vesilehto.fi> Signed-off-by: Anton Medvedev <anton@medv.io> Co-authored-by: Anton Medvedev <anton@medv.io>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters