text/template: limit expression parenthesis nesting

Deeply nested parenthesized expressions could cause a stack
overflow during parsing. This change introduces a depth limit
(maxExpressionParenDepth) tracked in Tree.parenDepth to
prevent this.

Additionally, this commit clarifies the security model in
the package documentation, noting that template authors
are trusted as text/template does not auto-escape.

Fixes golang#71201

Signed-off-by: Ville Vesilehto <[email protected]>

Author: thevilledev

src/text/template/doc.go

@@ -15,6 +15,11 @@ Execution of the template walks the structure and sets the cursor, represented
 by a period '.' and called "dot", to the value at the current location in the
 structure as execution proceeds.
 
+The security model used by this package assumes that template authors are
+trusted. text/template does not auto-escape output, so injecting code into
+a template can lead to arbitrary code execution if the template is executed
+by an untrusted source.
+
 The input text for a template is UTF-8-encoded text in any format.
 "Actions"--data evaluations or control structures--are delimited by
 "{{" and "}}"; all text outside actions is copied to the output unchanged.

src/text/template/parse/parse.go

@@ -32,6 +32,7 @@ type Tree struct {
 	treeSet    map[string]*Tree
 	actionLine int // line of left delim starting action
 	rangeDepth int
+	parenDepth int // current depth of nested parenthesized expressions
 }
 
 // A mode value is a set of flags (or 0). Modes control parser behavior.
@@ -42,6 +43,10 @@ const (
 	SkipFuncCheck                  // do not check that functions are defined
 )
 
+// maxExpressionParenDepth is the maximum depth of nested parenthesized expressions.
+// It is used to prevent stack overflows from deep finite recursion in the parser.
+const maxExpressionParenDepth = 10000
+
 // Copy returns a copy of the [Tree]. Any parsing state is discarded.
 func (t *Tree) Copy() *Tree {
 	if t == nil {
@@ -223,6 +228,7 @@ func (t *Tree) startParse(funcs []map[string]any, lex *lexer, treeSet map[string
 	t.vars = []string{"$"}
 	t.funcs = funcs
 	t.treeSet = treeSet
+	t.parenDepth = 0
 	lex.options = lexOptions{
 		emitComment: t.Mode&ParseComments != 0,
 		breakOK:     !t.hasFunction("break"),
@@ -787,6 +793,11 @@ func (t *Tree) term() Node {
 		}
 		return number
 	case itemLeftParen:
+		if t.parenDepth >= maxExpressionParenDepth {
+			t.errorf("max expression depth exceeded")
+		}
+		t.parenDepth++
+		defer func() { t.parenDepth-- }()
 		return t.pipeline("parenthesized pipeline", itemRightParen)
 	case itemString, itemRawString:
 		s, err := strconv.Unquote(token.val)

src/text/template/parse/parse_test.go

@@ -327,6 +327,15 @@ var parseTests = []parseTest{
 	{"empty pipeline", `{{printf "%d" ( ) }}`, hasError, ""},
 	// Missing pipeline in block
 	{"block definition", `{{block "foo"}}hello{{end}}`, hasError, ""},
+
+	// Parenthesis nesting depth tests
+	{"paren nesting normal", "{{( ( ( ( (1) ) ) ) )}}", noError, "{{(((((1)))))}}"},
+	{"paren nesting at limit", "{{" + buildNestedParenExpression(10000, "1") + "}}", noError, "{{" + buildNestedParenExpression(10000, "1") + "}}"},
+	{"paren nesting exceeds limit", "{{" + buildNestedParenExpression(10001, "1") + "}}", hasError, "template: test:1: max expression depth exceeded"},
+	{"paren nesting in pipeline", "{{ ( ( ( ( (1) ) ) ) ) | printf }}", noError, "{{(((((1))))) | printf}}"},
+	{"paren nesting in pipeline exceeds limit", "{{ " + buildNestedParenExpression(10001, "1") + " | printf }}", hasError, "template: test:1: max expression depth exceeded"},
+	{"paren nesting with other constructs", "{{if " + buildNestedParenExpression(5, "true") + "}}YES{{end}}", noError, "{{if " + buildNestedParenExpression(5, "true") + "}}\"YES\"{{end}}"},
+	{"paren nesting with other constructs exceeds limit", "{{if " + buildNestedParenExpression(10001, "true") + "}}YES{{end}}", hasError, "template: test:1: max expression depth exceeded"},
 }
 
 var builtins = map[string]any{
@@ -716,3 +725,8 @@ func BenchmarkListString(b *testing.B) {
 		b.Fatal("Benchmark was not run")
 	}
 }
+
+// buildNestedParenExpression is a helper for testing parenthesis depth.
+func buildNestedParenExpression(depth int, content string) string {
+	return strings.Repeat("(", depth) + content + strings.Repeat(")", depth)
+}