From 38f81dc125872da7e7530d4b3d9230e4300fc75b Mon Sep 17 00:00:00 2001 From: slozenko Date: Tue, 19 Mar 2024 10:14:01 -0700 Subject: [PATCH] add hard limit for max slices --- .../jinjava/lib/filter/SliceFilter.java | 11 ++++++++++- .../jinjava/lib/filter/SliceFilterTest.java | 18 ++++++++++++++++++ .../resources/filter/slice-filter-big.jinja | 6 ++++++ 3 files changed, 34 insertions(+), 1 deletion(-) create mode 100644 src/test/resources/filter/slice-filter-big.jinja diff --git a/src/main/java/com/hubspot/jinjava/lib/filter/SliceFilter.java b/src/main/java/com/hubspot/jinjava/lib/filter/SliceFilter.java index 34bbcb5f1..64b9e2a2a 100644 --- a/src/main/java/com/hubspot/jinjava/lib/filter/SliceFilter.java +++ b/src/main/java/com/hubspot/jinjava/lib/filter/SliceFilter.java @@ -1,5 +1,7 @@ package com.hubspot.jinjava.lib.filter; +import static com.hubspot.jinjava.util.Logging.ENGINE_LOG; + import com.hubspot.jinjava.doc.annotations.JinjavaDoc; import com.hubspot.jinjava.doc.annotations.JinjavaParam; import com.hubspot.jinjava.doc.annotations.JinjavaSnippet; @@ -53,6 +55,8 @@ ) public class SliceFilter implements Filter { + public static final int MAX_SLICES = 1000; + @Override public String getName() { return "slice"; @@ -79,10 +83,15 @@ public Object filter(Object var, JinjavaInterpreter interpreter, String... args) 0, args[0] ); + } else if (slices > MAX_SLICES) { + ENGINE_LOG.warn( + "The limit input value is too large, it's been reduced to " + MAX_SLICES + ); + slices = MAX_SLICES; } List> result = new ArrayList<>(); - List currentList = null; // lazy evaluation + List currentList = null; int i = 0; while (loop.hasNext()) { diff --git a/src/test/java/com/hubspot/jinjava/lib/filter/SliceFilterTest.java b/src/test/java/com/hubspot/jinjava/lib/filter/SliceFilterTest.java index 0f59385f9..571a7b0bd 100644 --- a/src/test/java/com/hubspot/jinjava/lib/filter/SliceFilterTest.java +++ b/src/test/java/com/hubspot/jinjava/lib/filter/SliceFilterTest.java 
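Review bot: `MAX_SLICES`, added in the second SliceFilter.java hunk, is a public constant with no comment saying what it bounds or why 1000 was chosen. The third hunk clamps the filter's numeric argument to it and the test imports it, so a Javadoc line would make the contract explicit, for example `/** Upper bound applied to the slice filter's numeric argument; larger values are clamped in filter(). */`. The filter's `@JinjavaDoc` block ends just above this hunk and is not shown; if it describes the argument, it should presumably mention the cap too.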
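Review bot: The clamp in the `else if (slices > MAX_SLICES)` branch is reported only through `ENGINE_LOG.warn`, so a template author gets different output than requested with nothing in the render result to say so, whereas the `slices <= 0` branch just above appears to reject the value (its call starts outside the hunk). The message omits the requested value and calls the argument a "limit". It is also emitted on every call, so a template that applies the filter inside a loop can generate one engine-log line per iteration. Consider recording the clamp on the interpreter as a template warning, and logging the parsed integer rather than the raw `args[0]`, e.g. `ENGINE_LOG.warn("slice: requested size {} exceeds MAX_SLICES, using {}", slices, MAX_SLICES);` if `ENGINE_LOG` is an SLF4J logger. `filter()` begins and ends outside this hunk, so how `slices` is consumed after the clamp is not visible here; the removal of `// lazy evaluation` looks unrelated to the limit.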
@@ -1,5 +1,6 @@ package com.hubspot.jinjava.lib.filter; +import static com.hubspot.jinjava.lib.filter.SliceFilter.MAX_SLICES; import static org.assertj.core.api.Assertions.assertThat; import com.google.common.collect.ImmutableMap; @@ -8,6 +9,9 @@ import com.hubspot.jinjava.BaseJinjavaTest; import com.hubspot.jinjava.interpret.RenderResult; import java.nio.charset.StandardCharsets; +import java.util.ArrayList; +import java.util.List; +import java.util.Random; import org.jsoup.Jsoup; import org.jsoup.nodes.Document; import org.junit.Test; @@ -35,6 +39,20 @@ public void itSlicesLists() throws Exception { assertThat(dom.select(".columwrapper .column-3 li")).hasSize(1); } + @Test + public void itSlicesToTheMaxLimit() throws Exception { + String result = jinjava.render( + Resources.toString( + Resources.getResource("filter/slice-filter-big.jinja"), + StandardCharsets.UTF_8 + ), + ImmutableMap.of("items", Lists.newArrayList("a", "b", "c", "d", "e")) + ); + + assertThat(result).isNotEmpty(); + assertThat(result.split("\n")).hasSize(MAX_SLICES + 2); // 1 for each slice, 1 for the newline + } + @Test public void itSlicesListWithReplacement() throws Exception { String result = jinjava.render( diff --git a/src/test/resources/filter/slice-filter-big.jinja b/src/test/resources/filter/slice-filter-big.jinja new file mode 100644 index 000000000..6710c8fd7 --- /dev/null +++ b/src/test/resources/filter/slice-filter-big.jinja @@ -0,0 +1,6 @@ +{%- for column in items|slice(999999999, 'hello') %} + {{ loop.index }} + {%- for item in column %} + {{ item }} + {%- endfor %} +{%- endfor %}
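Review bot: The imports added in the second SliceFilterTest.java hunk, `java.util.ArrayList`, `java.util.List` and `java.util.Random`, are not referenced by the test this commit adds, which builds its input with `Lists.newArrayList` and `ImmutableMap.of`. Unless code outside the visible hunks uses them, they should be dropped so the test file does not carry unused imports.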
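Review bot: `itSlicesToTheMaxLimit` verifies the clamp only indirectly, by counting output lines for a five-item list padded with a fill value, and its comment `// 1 for each slice, 1 for the newline` does not clearly explain `MAX_SLICES + 2`. Judging from the template, the extra two entries are the leading empty string from `split` and the single `loop.index` line, so something like `// leading empty string + one loop.index line + MAX_SLICES padded items` would be more accurate. The limit would be better pinned with boundary cases: an argument equal to `MAX_SLICES`, one of `MAX_SLICES + 1`, and a call without the fill argument, since only the padded path is exercised here. Nothing asserts that the clamp is reported; once the warning is surfaced in the render result, the test could check for it.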