fix(builtin): limit recursion depth by thevilledev · Pull Request #870 · expr-lang/expr
Motivation
The builtin functions flatten, min, max, mean, and median recursively traverse nested arrays. If the environment provides a deeply nested structure or one containing a cycle (e.g., a slice containing itself), these functions would recurse indefinitely until the Go runtime panics due to stack overflow. This panic is unrecoverable and crashes the host application, presenting a DoS risk.
Changes
The builtin package now has a MaxDepth integer (defaults to 10k).
These recursive helper functions now accept a depth argument. This is incremented on recursive calls, and errors propagate up the stack if the limit is exceeded. Initial function definitions call the helpers with an initial depth of 0 and handle returned errors.
Tests
Added various tests for the affected builtin functions using self-referencing slices. Also added a test for customising MaxDepth for users who rely on expr-lang as a library and need more or less depth.
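The depth-limit pattern this pull request describes, sketched as an added Go example that is not the expr project's code. `Flatten`, `flattenDepth`, `ErrMaxDepth` and `SelfReferencing` are hypothetical names, and `MaxDepth` here is a local variable standing in for the package-level setting the description mentions.

```go
package main

import (
	"errors"
	"fmt"
)

// MaxDepth stands in for the limit described above. The check direction and
// all names in this example are assumptions, not taken from the expr source.
var MaxDepth = 10000
var ErrMaxDepth = errors.New("recursion depth exceeded")

// Flatten is the entry point: it starts the helper at depth 0.
func Flatten(in []any) ([]any, error) { return flattenDepth(in, 0) }

// flattenDepth refuses to descend past MaxDepth, so a cyclic or very deep
// input yields an error instead of an unrecoverable stack overflow.
func flattenDepth(in []any, depth int) ([]any, error) {
	if depth > MaxDepth {
		return nil, ErrMaxDepth
	}
	out := make([]any, 0, len(in))
	for _, v := range in {
		nested, ok := v.([]any)
		if !ok {
			out = append(out, v)
			continue
		}
		flat, err := flattenDepth(nested, depth+1)
		if err != nil {
			return nil, err // propagate the error up the stack
		}
		out = append(out, flat...)
	}
	return out, nil
}

// SelfReferencing builds a constructed cyclic input: a slice containing itself.
func SelfReferencing() []any {
	s := make([]any, 1)
	s[0] = s
	return s
}

func main() {
	_, err := Flatten(SelfReferencing())
	fmt.Println("cyclic input:", err)
}
```

Without the depth check, the call on the self-referencing slice never returns and ends in the fatal stack overflow described under Motivation, which a `recover()` in the host application cannot catch.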