fix: enforce renderLimit for empty renderTemplates calls #894

Merged: harttle merged 1 commit into master from fix/renderlimit-empty-for-loop on May 7, 2026
harttle (Owner) commented May 7, 2026

renderLimit was only checked inside the per-template loop, so renderTemplates([], ...) skipped it entirely. Empty {% for %} / {% tablerow %} bodies invoke that path once per iteration, bypassing the documented time budget. Check the limiter at renderTemplates entry before the loop.

Add regression test for empty for-body with a strict renderLimit.

coveralls commented May 7, 2026

Coverage Report for CI Build 25502770727

Coverage remained the same at 99.564%

Details

  • Coverage remained the same as the base build.
  • Patch coverage: 1 of 1 lines across 1 file are fully covered (100%).
  • No coverage regressions found.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

No coverage regressions found.


Coverage Stats

Relevant Lines: 2991
Covered Lines: 2984
Line Coverage: 99.77%
Relevant Branches: 1135
Covered Branches: 1124
Branch Coverage: 99.03%
Branches in Coverage %: Yes
Coverage Strength: 22233.63 hits per line

💛 - Coveralls

renderLimit was only checked inside the per-template loop, so
renderTemplates([], ...) skipped it. Empty {% for %} and {% tablerow %}
bodies call that path once per iteration (tablerow still does emitter
work for <tr>/<td>), bypassing the documented time budget. Check the
limiter at renderTemplates entry before the loop.

Add regression tests for empty for-body and empty tablerow-body.

Co-authored-by: Cursor <cursoragent@cursor.com>
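
The bypass described in the commit message above, as an added example that is not part of the pull request or the project's own code: a simplified model with a fake clock in which every loop iteration is assumed to cost 1 ms. `Limiter`, `renderTemplatesBefore`, `renderTemplatesAfter` and `runLoop` are hypothetical names, and keeping the in-loop check in the "after" variant is an assumption.

```javascript
// Simplified model of a render time budget (constructed; not the project's source).
class Limiter {
  constructor (budgetMs, clock) {
    this.budgetMs = budgetMs
    this.clock = clock
    this.start = clock.now
  }

  check () {
    if (this.clock.now - this.start > this.budgetMs) {
      throw new Error('render limit exceeded')
    }
  }
}

// "Before": the budget is consulted once per template, so an empty list never checks it.
function renderTemplatesBefore (templates, limiter) {
  for (const tpl of templates) {
    limiter.check()
    tpl()
  }
}

// "After": the budget is consulted on entry, so an empty list is still checked.
function renderTemplatesAfter (templates, limiter) {
  limiter.check()
  for (const tpl of templates) {
    limiter.check() // assumption: the per-template check stays in place
    tpl()
  }
}

// Models a loop tag: each iteration advances the fake clock by 1 ms of
// bookkeeping, then hands the loop body to the given renderTemplates variant.
function runLoop (renderTemplates, iterations, body, budgetMs) {
  const clock = { now: 0 }
  const limiter = new Limiter(budgetMs, clock)
  let completed = 0
  try {
    for (let i = 0; i < iterations; i++) {
      clock.now += 1
      renderTemplates(body, limiter)
      completed++
    }
  } catch (err) {
    return { completed, stopped: true }
  }
  return { completed, stopped: false }
}
```

With a 10 ms budget and 1000 iterations, the "before" variant stops a non-empty body after 10 iterations but lets an empty body run all 1000; the "after" variant stops both at 10.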

harttle force-pushed the fix/renderlimit-empty-for-loop branch from f00cfca to 7910e49 on May 7, 2026 14:40

harttle merged commit 5b9c346 into master on May 7, 2026 (13 checks passed)

github-actions bot pushed a commit that referenced this pull request on May 14, 2026:

# [10.26.0](v10.25.7...v10.26.0) (2026-05-14)

### Bug Fixes

* **date:** cap strftime widths and account padding in memoryLimit ([#895](#895)) ([3129d46](3129d46))
* enforce renderLimit for empty renderTemplates calls ([#894](#894)) ([5b9c346](5b9c346))
* propagate ownPropertyOnly into Context.spawn() for {% render %} ([#893](#893)) ([dbbf628](dbbf628))
* **security:** block Object.prototype filter/tag lookups (RCE) ([#897](#897)) ([457fae0](457fae0))
* strip html newline tags ([#892](#892)) ([26ea285](26ea285))
* **strip_html:** rewrite as linear single-pass scan to avoid ReDoS ([#896](#896)) ([3616a74](3616a74))

### Features

* add sha256 and hmac_sha256 filters for cryptographic operations ([#889](#889)) ([1c816d4](1c816d4))
@github-actions

🎉 This PR is included in version 10.26.0 🎉

The release is available on:

Your semantic-release bot 📦🚀
