Enforce cumulative output size limits

xoofx · Copilot · xoofx · commit 985632164881 · 2026-03-21T07:23:34.000+01:00
Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/src/Scriban.Tests/TestRuntime.cs b/src/Scriban.Tests/TestRuntime.cs
@@ -90,6 +90,37 @@ public void String_And_Null_Concatenated_Should_Not_Null()
             Assert.AreEqual("my name is ", result);
         }
 
+        [Test]
+        public void LimitToStringShouldApplyToCumulativeRenderOutput()
+        {
+            var context = new TemplateContext
+            {
+                LimitToString = 5
+            };
+            var template = Template.Parse("{{ 'abc' }}{{ 'def' }}");
+
+            var result = template.Render(context);
+
+            Assert.AreEqual("abcde...", result);
+        }
+
+        [Test]
+        public void ResetShouldClearCumulativeRenderOutputTracking()
+        {
+            var context = new TemplateContext
+            {
+                LimitToString = 5
+            };
+            var largeTemplate = Template.Parse("{{ 'abc' }}{{ 'def' }}");
+            var smallTemplate = Template.Parse("{{ 'xy' }}");
+
+            Assert.AreEqual("abcde...", largeTemplate.Render(context));
+
+            context.Reset();
+
+            Assert.AreEqual("xy", smallTemplate.Render(context));
+        }
+
         [Test]
         public void TestAssignValToDictionary()
         {
diff --git a/src/Scriban/Functions/ObjectFunctions.cs b/src/Scriban/Functions/ObjectFunctions.cs
@@ -511,7 +511,7 @@ static void WriteValue(TemplateContext context, Utf8JsonWriter writer, object va
                 }
 
                 var type = value?.GetType() ?? typeof(object);
-                var shouldTrackPath = value != null && !type.IsValueType && value is not string;
+                var shouldTrackPath = value != null && !type.IsValueType && !(value is string);
                 var addedToPath = false;
 
                 if (shouldTrackPath)
diff --git a/src/Scriban/ScribanAsync.generated.cs b/src/Scriban/ScribanAsync.generated.cs
@@ -485,23 +485,35 @@ public async ValueTask<TemplateContext> WriteAsync(string text, int startIndex,
                             // Write indents if necessary
                             if (_previousTextWasNewLine)
                             {
-                                await Output.WriteAsync(CurrentIndent, 0, CurrentIndent.Length, CancellationToken).ConfigureAwait(false);
+                                if (!await WriteOutputChunkAsync(CurrentIndent, 0, CurrentIndent.Length).ConfigureAwait(false))
+                                {
+                                    return this;
+                                }
                                 _previousTextWasNewLine = false;
                             }
-                            await Output.WriteAsync(text, index, indexEnd - index, CancellationToken).ConfigureAwait(false);
+                            if (!await WriteOutputChunkAsync(text, index, indexEnd - index).ConfigureAwait(false))
+                            {
+                                return this;
+                            }
                             break;
                         }
 
                         var length = newLineIndex - index;
                         // Write indents if necessary
                         if (_previousTextWasNewLine && (IndentOnEmptyLines || length != 0 && (length != 1 || text[index] != '\r')))
                         {
-                            await Output.WriteAsync(CurrentIndent, 0, CurrentIndent.Length, CancellationToken).ConfigureAwait(false);
+                            if (!await WriteOutputChunkAsync(CurrentIndent, 0, CurrentIndent.Length).ConfigureAwait(false))
+                            {
+                                return this;
+                            }
                             _previousTextWasNewLine = false;
                         }
 
                         // We output the new line
-                        await Output.WriteAsync(text, index, length + 1, CancellationToken).ConfigureAwait(false);
+                        if (!await WriteOutputChunkAsync(text, index, length + 1).ConfigureAwait(false))
+                        {
+                            return this;
+                        }
                         index = newLineIndex + 1;
                         _previousTextWasNewLine = true;
                     }
@@ -512,7 +524,7 @@ public async ValueTask<TemplateContext> WriteAsync(string text, int startIndex,
                     {
                         _previousTextWasNewLine = text[startIndex + count - 1] == '\n';
                     }
-                    await Output.WriteAsync(text, startIndex, count, CancellationToken).ConfigureAwait(false);
+                    await WriteOutputChunkAsync(text, startIndex, count).ConfigureAwait(false);
                 }
             }
 
@@ -565,6 +577,40 @@ public async ValueTask<TemplateContext> WriteLineAsync()
             await WriteAsync(NewLine).ConfigureAwait(false);
             return this;
         }
+
+        private async ValueTask<bool> WriteOutputChunkAsync(string text, int startIndex, int count)
+        {
+            if (count <= 0)
+            {
+                return true;
+            }
+
+            var allowedCount = GetAllowedOutputCount(count);
+            if (allowedCount > 0)
+            {
+                await Output.WriteAsync(text, startIndex, allowedCount, CancellationToken).ConfigureAwait(false);
+                _currentOutputLength += allowedCount;
+            }
+
+            if (allowedCount < count)
+            {
+                await WriteOutputLimitEllipsisAsync().ConfigureAwait(false);
+                return false;
+            }
+
+            return true;
+        }
+
+        private async ValueTask WriteOutputLimitEllipsisAsync()
+        {
+            if (_hasOutputLimitEllipsis)
+            {
+                return;
+            }
+
+            await Output.WriteAsync("...", 0, 3, CancellationToken).ConfigureAwait(false);
+            _hasOutputLimitEllipsis = true;
+        }
     }
 }
 
diff --git a/src/Scriban/TemplateContext.Helpers.cs b/src/Scriban/TemplateContext.Helpers.cs
@@ -79,6 +79,8 @@ public virtual IList ToList(SourceSpan span, object value)
 
         private int _objectToStringLevel;
         private int _currentToStringLength;
+        private int _currentOutputLength;
+        private bool _hasOutputLimitEllipsis;
 
         /// <summary>
         /// Called whenever an objects is converted to a string. This method can be overriden.
@@ -512,4 +514,4 @@ public virtual object ToObject(SourceSpan span, object value, Type destinationTy
         }
 
     }
-}
+}
diff --git a/src/Scriban/TemplateContext.cs b/src/Scriban/TemplateContext.cs
@@ -700,6 +700,62 @@ public virtual TemplateContext Write(SourceSpan span, object textAsObject)
             return this;
         }
 
+        private void ResetOutputLimitTracking()
+        {
+            _currentOutputLength = 0;
+            _hasOutputLimitEllipsis = false;
+        }
+
+        private bool WriteOutputChunk(string text, int startIndex, int count)
+        {
+            if (count <= 0)
+            {
+                return true;
+            }
+
+            var allowedCount = GetAllowedOutputCount(count);
+            if (allowedCount > 0)
+            {
+                Output.Write(text, startIndex, allowedCount);
+                _currentOutputLength += allowedCount;
+            }
+
+            if (allowedCount < count)
+            {
+                WriteOutputLimitEllipsis();
+                return false;
+            }
+
+            return true;
+        }
+
+        private int GetAllowedOutputCount(int requestedCount)
+        {
+            if (LimitToString <= 0)
+            {
+                return requestedCount;
+            }
+
+            var remaining = LimitToString - _currentOutputLength;
+            if (remaining <= 0)
+            {
+                return 0;
+            }
+
+            return Math.Min(requestedCount, remaining);
+        }
+
+        private void WriteOutputLimitEllipsis()
+        {
+            if (_hasOutputLimitEllipsis)
+            {
+                return;
+            }
+
+            Output.Write("...", 0, 3);
+            _hasOutputLimitEllipsis = true;
+        }
+
         /// <summary>
         /// Writes the text to the current <see cref="Output"/>
         /// </summary>
@@ -756,23 +812,35 @@ public TemplateContext Write(string text, int startIndex, int count)
                             // Write indents if necessary
                             if (_previousTextWasNewLine)
                             {
-                                Output.Write(CurrentIndent, 0, CurrentIndent.Length);
+                                if (!WriteOutputChunk(CurrentIndent, 0, CurrentIndent.Length))
+                                {
+                                    return this;
+                                }
                                 _previousTextWasNewLine = false;
                             }
-                            Output.Write(text, index, indexEnd - index);
+                            if (!WriteOutputChunk(text, index, indexEnd - index))
+                            {
+                                return this;
+                            }
                             break;
                         }
 
                         var length = newLineIndex - index;
                         // Write indents if necessary
                         if (_previousTextWasNewLine && (IndentOnEmptyLines || length != 0 && (length != 1 || text[index] != '\r')))
                         {
-                            Output.Write(CurrentIndent, 0, CurrentIndent.Length);
+                            if (!WriteOutputChunk(CurrentIndent, 0, CurrentIndent.Length))
+                            {
+                                return this;
+                            }
                             _previousTextWasNewLine = false;
                         }
 
                         // We output the new line
-                        Output.Write(text, index, length + 1);
+                        if (!WriteOutputChunk(text, index, length + 1))
+                        {
+                            return this;
+                        }
                         index = newLineIndex + 1;
                         _previousTextWasNewLine = true;
                     }
@@ -782,7 +850,7 @@ public TemplateContext Write(string text, int startIndex, int count)
                     if(count > 0){
                         _previousTextWasNewLine = text[startIndex + count - 1] == '\n';
                     }
-                    Output.Write(text, startIndex, count);
+                    WriteOutputChunk(text, startIndex, count);
                 }
             }
 
@@ -902,6 +970,7 @@ public virtual void Reset()
 
             CachedTemplates.Clear();
             _memberAccessors.Clear();
+            ResetOutputLimitTracking();
         }
 
         /// <summary>

Original file line number	Diff line number	Diff line change
`@@ -511,7 +511,7 @@ static void WriteValue(TemplateContext context, Utf8JsonWriter writer, object va`
`511`	`511`	`}`
`512`	`512`
`513`	`513`	`var type = value?.GetType() ?? typeof(object);`
`514`		`- var shouldTrackPath = value != null && !type.IsValueType && value is not string;`
	`514`	`+ var shouldTrackPath = value != null && !type.IsValueType && !(value is string);`
`515`	`515`	`var addedToPath = false;`
`516`	`516`
`517`	`517`	`if (shouldTrackPath)`
Original file line number	Diff line number	Diff line change
`@@ -79,6 +79,8 @@ public virtual IList ToList(SourceSpan span, object value)`
`79`	`79`
`80`	`80`	`private int _objectToStringLevel;`
`81`	`81`	`private int _currentToStringLength;`
	`82`	`+ private int _currentOutputLength;`
	`83`	`+ private bool _hasOutputLimitEllipsis;`
`82`	`84`
`83`	`85`	`/// <summary>`
`84`	`86`	`/// Called whenever an objects is converted to a string. This method can be overriden.`
`@@ -512,4 +514,4 @@ public virtual object ToObject(SourceSpan span, object value, Type destinationTy`
`512`	`514`	`}`
`513`	`515`
`514`	`516`	`}`
`515`		`-}`
	`517`	`+}`