text/template: limit pipeline command count

[austinderek]

Introduce a hard limit on the number of commands in a single
pipeline. Return a parse error when exceeded. This bounds
worst-case time and memory amplification for pathologically
long pipelines, mitigating issues when when templates are not
fully trusted.

Fixes golang#75231

---

🔄 This is a mirror of upstream PR golang#75233

[staging]

HackerOne Code Security Review

🟢 Scan Complete: 2 Issue(s)
🟠 Validation Complete: One or more Issues looked potentially actionable, so this was escalated to our network of engineers for manual review. Once this is complete you'll see an update posted.

Here's how the code changes were interpreted and info about the tools used for scanning.

📖 Summary of Changes

The changes in the parse.go file introduce a new variable maxPipelineCmds to control the maximum number of commands allowed in a pipeline. A validation check has been added to the pipeline method to enforce this limit, potentially preventing the creation of overly complex or resource-intensive pipeline structures.

File	Summary
src/text/template/parse/parse.go	Added a new variable maxPipelineCmds to limit the number of commands in a pipeline, with a check added in the pipeline method to prevent excessively long pipelines.

ℹ️ Issues Detected

NOTE: These may not require action!

Below are unvalidated results from the Analysis Tools that ran during the latest scan for transparency. We investigate each of these for accuracy and relevance before surfacing them as a potential problem.

How will I know if something is a problem?
When validation completes, any concerns that warrant attention prior to merge will be posted as inline comments. These will show up in 2 ways:

• Expert review (most cases): Issues will be posted by experts who manually reviewed and validated them. These are real HackerOne engineers (not bots) reviewing through an integrated IDE-like tool. You can communicate with them like any other reviewer. They'll stay assigned and get notified with commit & comment updates.
• Automatically: In cases where our validation checks have highest confidence the problem is legitimate and urgent. These will include a description of contextual reasoning why & actionable next steps.

File & Line	Issue
src/text/template/parse/parse.go Line 52	The maxPipelineCmds limit of 100,000 commands per pipeline may be insufficient to prevent resource exhaustion attacks. An attacker could craft templates with pipelines approaching this limit to consume excessive CPU and memory during parsing and execution. Consider reducing this limit to a more conservative value (e.g., 1,000-10,000) based on legitimate use cases, or implement additional resource controls such as parsing timeouts.
src/text/template/parse/parse.go Line 520	The pipeline length check occurs after each command is added to the pipeline, allowing an attacker to create exactly maxPipelineCmds commands before the limit is enforced. This could still result in significant resource consumption. The check should be performed before adding the command to prevent reaching the exact limit: 'if len(pipe.Cmds) >= maxPipelineCmds { t.errorf("pipeline too long") }'.

🧰 Analysis tools

• [ ✅ ] HackerOne AI Code Analysis
• [ ✅ ] HackerOne AI Code Validation
• [ ✅ ] semgrep
• [ ✅ ] gosec
• [ ✅ ] bandit

⏱️ Latest scan covered changes up to commit 97e6001 (latest)