Enforce parser depth for array initializers

xoofx · Copilot · xoofx · commit f55280a09575 · 2026-03-21T07:17:18.000+01:00
Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/src/Scriban.Tests/TestParser.cs b/src/Scriban.Tests/TestParser.cs
@@ -826,6 +826,31 @@ public void EnsureStackOverflowCanBeAvoidedForSelfReferentialObjectGraphs()
             Assert.Throws<ScriptRuntimeException>(() => template.Render(context));
         }
 
+        [Test]
+        public void EnsureExpressionDepthLimitAppliesToNestedArrayInitializers()
+        {
+            var builder = new StringBuilder();
+            for (var i = 0; i < 20; i++)
+            {
+                builder.Append('[');
+            }
+
+            builder.Append('0');
+
+            for (var i = 0; i < 20; i++)
+            {
+                builder.Append(']');
+            }
+
+            var template = Template.Parse($"{{{{ {builder} }}}}", parserOptions: new ParserOptions
+            {
+                ExpressionDepthLimit = 10
+            });
+
+            Assert.True(template.HasErrors);
+            StringAssert.Contains("The statement depth limit `10` was reached when parsing this statement", template.Messages[0].ToString());
+        }
+
         [TestCase(@"ab{{end}}c")]  // no blocks
         [TestCase(@"a{{if true}}b{{end}}{{end}}c")]  // one-level block
         [TestCase(@"a{{if true}}{{for i in 0..1}}b{{end}}{{end}}{{end}}c")]  // two-level block (nested)
@@ -1227,4 +1252,4 @@ protected override void DefaultVisit(ScriptNode node)
             }
         }
     }
-}
+}
diff --git a/src/Scriban/Parsing/Parser.Expressions.cs b/src/Scriban/Parsing/Parser.Expressions.cs
@@ -771,67 +771,75 @@ private bool IsCurrentPipeOrExpressionContinuation()
 
         private ScriptExpression ParseArrayInitializer()
         {
-            var scriptArray = Open<ScriptArrayInitializerExpression>();
+            EnterExpression();
+            try
+            {
+                var scriptArray = Open<ScriptArrayInitializerExpression>();
 
-            // Should happen before the NextToken to consume any EOL after
-            _allowNewLineLevel++;
+                // Should happen before the NextToken to consume any EOL after
+                _allowNewLineLevel++;
 
-            // Parse [
-            ExpectAndParseTokenTo(scriptArray.OpenBracketToken, TokenType.OpenBracket);
+                // Parse [
+                ExpectAndParseTokenTo(scriptArray.OpenBracketToken, TokenType.OpenBracket);
 
-            bool expectingEndOfInitializer = false;
-
-            // unit test: 120-array-initializer-accessor.txt
-            while (true)
-            {
-                if (Current.Type == TokenType.CloseBracket)
-                {
-                    break;
-                }
+                bool expectingEndOfInitializer = false;
 
-                if (!expectingEndOfInitializer)
+                // unit test: 120-array-initializer-accessor.txt
+                while (true)
                 {
-                    // unit test: 120-array-initializer-error2.txt
-                    var expression = ExpectAndParseExpression(scriptArray);
-                    if (expression == null)
+                    if (Current.Type == TokenType.CloseBracket)
                     {
                         break;
                     }
-                    scriptArray.Values.Add(expression);
 
-                    if (Current.Type == TokenType.Comma)
+                    if (!expectingEndOfInitializer)
                     {
-                        // Record trailing Commas
-                        if (_isKeepTrivia)
+                        // unit test: 120-array-initializer-error2.txt
+                        var expression = ExpectAndParseExpression(scriptArray);
+                        if (expression == null)
                         {
-                            PushTokenToTrivia();
+                            break;
                         }
+                        scriptArray.Values.Add(expression);
 
-                        NextToken();
+                        if (Current.Type == TokenType.Comma)
+                        {
+                            // Record trailing Commas
+                            if (_isKeepTrivia)
+                            {
+                                PushTokenToTrivia();
+                            }
 
-                        if (_isKeepTrivia)
+                            NextToken();
+
+                            if (_isKeepTrivia)
+                            {
+                                FlushTriviasToLastTerminal();
+                            }
+                        }
+                        else
                         {
-                            FlushTriviasToLastTerminal();
+                            expectingEndOfInitializer = true;
                         }
                     }
                     else
                     {
-                        expectingEndOfInitializer = true;
+                        break;
                     }
                 }
-                else
-                {
-                    break;
-                }
-            }
 
-            // Should happen before NextToken() to stop on the next EOF
-            _allowNewLineLevel--;
+                // Should happen before NextToken() to stop on the next EOF
+                _allowNewLineLevel--;
 
-            // Parse ]
-            // unit test: 120-array-initializer-error1.txt
-            ExpectAndParseTokenTo(scriptArray.CloseBracketToken, TokenType.CloseBracket);
-            return Close(scriptArray);
+                // Parse ]
+                // unit test: 120-array-initializer-error1.txt
+                ExpectAndParseTokenTo(scriptArray.CloseBracketToken, TokenType.CloseBracket);
+                return Close(scriptArray);
+            }
+            finally
+            {
+                LeaveExpression();
+            }
         }
 
         private ScriptExpression ParseObjectInitializer()
