zexus 1.6.2 → 1.6.3

package/src/zexus/evaluator/resource_limiter.py

@@ -0,0 +1,291 @@
+# src/zexus/evaluator/resource_limiter.py
+"""
+Resource Limiter for Zexus Interpreter
+
+Prevents resource exhaustion attacks by enforcing limits on:
+- Loop iterations (prevents infinite loops)
+- Execution time (prevents DoS via slow operations)
+- Call stack depth (prevents stack overflow)
+- Memory usage (prevents memory exhaustion)
+
+Security Fix #7: Resource Limits
+"""
+
+import time
+import signal
+import sys
+
+
+class ResourceError(Exception):
+    """Raised when a resource limit is exceeded"""
+    pass
+
+
+class TimeoutError(ResourceError):
+    """Raised when execution timeout is exceeded"""
+    pass
+
+
+class ResourceLimiter:
+    """
+    Enforces resource limits during program execution.
+    
+    Limits:
+    - max_iterations: Maximum loop iterations across all loops (default: 1,000,000)
+    - timeout_seconds: Maximum execution time (default: 30 seconds)
+    - max_call_depth: Maximum call stack depth (default: 1000)
+    - max_memory_mb: Maximum memory usage (default: 500 MB, not enforced by default)
+    
+    Usage:
+        limiter = ResourceLimiter(max_iterations=100000, timeout_seconds=10)
+        limiter.start()  # Start timeout timer
+        
+        # In loops:
+        limiter.check_iterations()
+        
+        # On function calls:
+        limiter.enter_call()
+        # ... function body ...
+        limiter.exit_call()
+        
+        limiter.stop()  # Stop timeout timer
+    """
+    
+    # Default limits
+    DEFAULT_MAX_ITERATIONS = 1_000_000  # 1 million iterations
+    DEFAULT_TIMEOUT_SECONDS = 30  # 30 seconds
+    DEFAULT_MAX_CALL_DEPTH = 100  # 100 nested calls (Python interpreter uses many stack frames per Zexus call)
+    DEFAULT_MAX_MEMORY_MB = 500  # 500 MB (not enforced by default)
+    
+    def __init__(self, 
+                 max_iterations=None,
+                 timeout_seconds=None,
+                 max_call_depth=None,
+                 max_memory_mb=None,
+                 enable_timeout=False,
+                 enable_memory_check=False):
+        """
+        Initialize resource limiter.
+        
+        Args:
+            max_iterations: Maximum total loop iterations (default: 1,000,000)
+            timeout_seconds: Maximum execution time (default: 30)
+            max_call_depth: Maximum call stack depth (default: 1000)
+            max_memory_mb: Maximum memory usage in MB (default: 500)
+            enable_timeout: Enable timeout enforcement (default: False, Linux only)
+            enable_memory_check: Enable memory checking (default: False, requires psutil)
+        """
+        self.max_iterations = max_iterations or self.DEFAULT_MAX_ITERATIONS
+        self.timeout_seconds = timeout_seconds or self.DEFAULT_TIMEOUT_SECONDS
+        self.max_call_depth = max_call_depth or self.DEFAULT_MAX_CALL_DEPTH
+        self.max_memory_mb = max_memory_mb or self.DEFAULT_MAX_MEMORY_MB
+        
+        # Feature flags
+        self.enable_timeout = enable_timeout
+        self.enable_memory_check = enable_memory_check
+        
+        # Runtime counters
+        self.iteration_count = 0
+        self.call_depth = 0
+        self.start_time = None
+        self.timeout_handler = None
+        
+        # Memory checking (optional, requires psutil)
+        self.psutil_available = False
+        if enable_memory_check:
+            try:
+                import psutil
+                self.psutil = psutil
+                self.psutil_available = True
+                self.process = psutil.Process()
+            except ImportError:
+                print("⚠️  Warning: psutil not available, memory checking disabled")
+                self.enable_memory_check = False
+    
+    def start(self):
+        """
+        Start resource monitoring (timeout timer, etc.)
+        Should be called at the beginning of script execution.
+        """
+        self.start_time = time.time()
+        self.iteration_count = 0
+        self.call_depth = 0
+        
+        # Set timeout handler (Linux/Unix only)
+        if self.enable_timeout and hasattr(signal, 'SIGALRM'):
+            self._set_timeout_alarm()
+    
+    def stop(self):
+        """
+        Stop resource monitoring and cleanup.
+        Should be called at the end of script execution.
+        """
+        # Cancel timeout alarm
+        if self.enable_timeout and hasattr(signal, 'SIGALRM'):
+            signal.alarm(0)  # Cancel alarm
+    
+    def reset(self):
+        """Reset iteration counter (useful for multiple script executions)"""
+        self.iteration_count = 0
+        self.call_depth = 0
+        self.start_time = None
+    
+    def check_iterations(self):
+        """
+        Check if iteration limit has been exceeded.
+        Should be called at the beginning of each loop iteration.
+        
+        Raises:
+            ResourceError: If iteration limit exceeded
+        """
+        self.iteration_count += 1
+        
+        if self.iteration_count > self.max_iterations:
+            raise ResourceError(
+                f"Iteration limit exceeded: {self.max_iterations:,} iterations\n"
+                f"This prevents infinite loops and resource exhaustion.\n\n"
+                f"Suggestion: Review your loop conditions or increase the limit with:\n"
+                f"  zx-run --max-iterations 10000000 script.zx"
+            )
+    
+    def check_timeout(self):
+        """
+        Check if execution timeout has been exceeded.
+        Should be called periodically during long operations.
+        
+        Raises:
+            TimeoutError: If timeout exceeded
+        """
+        if self.start_time is None:
+            return
+        
+        elapsed = time.time() - self.start_time
+        if elapsed > self.timeout_seconds:
+            raise TimeoutError(
+                f"Execution timeout exceeded: {elapsed:.2f}s > {self.timeout_seconds}s\n"
+                f"This prevents denial-of-service via slow operations.\n\n"
+                f"Suggestion: Optimize your code or increase timeout with:\n"
+                f"  zx-run --timeout 60 script.zx"
+            )
+    
+    def check_memory(self):
+        """
+        Check if memory limit has been exceeded.
+        Should be called periodically (e.g., every 1000 iterations).
+        
+        Raises:
+            ResourceError: If memory limit exceeded
+        """
+        if not self.enable_memory_check or not self.psutil_available:
+            return
+        
+        try:
+            memory_mb = self.process.memory_info().rss / 1024 / 1024
+            
+            if memory_mb > self.max_memory_mb:
+                raise ResourceError(
+                    f"Memory limit exceeded: {memory_mb:.2f}MB > {self.max_memory_mb}MB\n"
+                    f"This prevents memory exhaustion attacks.\n\n"
+                    f"Suggestion: Reduce memory usage or increase limit with:\n"
+                    f"  zx-run --max-memory 1000 script.zx"
+                )
+        except Exception as e:
+            # Don't crash on memory check failure
+            print(f"⚠️  Warning: Memory check failed: {e}")
+    
+    def enter_call(self, function_name=None):
+        """
+        Called when entering a function/action call.
+        Tracks call depth to prevent stack overflow.
+        
+        Args:
+            function_name: Optional name of function being called
+        
+        Raises:
+            ResourceError: If call depth limit exceeded
+        """
+        self.call_depth += 1
+        
+        if self.call_depth > self.max_call_depth:
+            func_info = f" ({function_name})" if function_name else ""
+            raise ResourceError(
+                f"Call depth limit exceeded: {self.max_call_depth} nested calls{func_info}\n"
+                f"This prevents stack overflow from excessive recursion.\n\n"
+                f"Suggestion: Review your recursion or increase limit with:\n"
+                f"  zx-run --max-call-depth 5000 script.zx"
+            )
+    
+    def exit_call(self):
+        """
+        Called when exiting a function/action call.
+        Decrements call depth counter.
+        """
+        if self.call_depth > 0:
+            self.call_depth -= 1
+    
+    def get_stats(self):
+        """
+        Get current resource usage statistics.
+        
+        Returns:
+            dict: Resource usage stats
+        """
+        stats = {
+            'iterations': self.iteration_count,
+            'max_iterations': self.max_iterations,
+            'iteration_percent': (self.iteration_count / self.max_iterations) * 100,
+            'call_depth': self.call_depth,
+            'max_call_depth': self.max_call_depth,
+        }
+        
+        if self.start_time:
+            elapsed = time.time() - self.start_time
+            stats['elapsed_seconds'] = elapsed
+            stats['timeout_seconds'] = self.timeout_seconds
+            stats['timeout_percent'] = (elapsed / self.timeout_seconds) * 100
+        
+        if self.enable_memory_check and self.psutil_available:
+            try:
+                memory_mb = self.process.memory_info().rss / 1024 / 1024
+                stats['memory_mb'] = memory_mb
+                stats['max_memory_mb'] = self.max_memory_mb
+                stats['memory_percent'] = (memory_mb / self.max_memory_mb) * 100
+            except:
+                pass
+        
+        return stats
+    
+    def _set_timeout_alarm(self):
+        """
+        Set SIGALRM timeout handler (Linux/Unix only).
+        This is automatically called by start() if enable_timeout is True.
+        """
+        def timeout_handler(signum, frame):
+            raise TimeoutError(
+                f"Execution timeout: {self.timeout_seconds}s exceeded\n"
+                f"This prevents denial-of-service via slow operations.\n\n"
+                f"Suggestion: Optimize your code or increase timeout with:\n"
+                f"  zx-run --timeout 60 script.zx"
+            )
+        
+        self.timeout_handler = timeout_handler
+        signal.signal(signal.SIGALRM, timeout_handler)
+        signal.alarm(self.timeout_seconds)
+
+
+# Default global limiter (can be overridden)
+_default_limiter = None
+
+
+def get_default_limiter():
+    """Get the default global resource limiter"""
+    global _default_limiter
+    if _default_limiter is None:
+        _default_limiter = ResourceLimiter()
+    return _default_limiter
+
+
+def set_default_limiter(limiter):
+    """Set the default global resource limiter"""
+    global _default_limiter
+    _default_limiter = limiter

package/src/zexus/evaluator/statements.py

@@ -877,6 +877,16 @@ class StatementEvaluatorMixin:
     def eval_while_statement(self, node, env, stack_trace):
         result = NULL
         while True:
+            # Resource limit check (Security Fix #7)
+            try:
+                self.resource_limiter.check_iterations()
+            except Exception as e:
+                # Convert ResourceError to EvaluationError
+                from ..evaluator.resource_limiter import ResourceError, TimeoutError
+                if isinstance(e, (ResourceError, TimeoutError)):
+                    return EvaluationError(str(e))
+                raise  # Re-raise if not a resource error
+            
             cond = self.eval_node(node.condition, env, stack_trace)
             if is_error(cond): 
                 return cond
@@ -904,6 +914,16 @@ class StatementEvaluatorMixin:
         
         result = NULL
         for item in iterable.elements:
+            # Resource limit check (Security Fix #7)
+            try:
+                self.resource_limiter.check_iterations()
+            except Exception as e:
+                # Convert ResourceError to EvaluationError
+                from ..evaluator.resource_limiter import ResourceError, TimeoutError
+                if isinstance(e, (ResourceError, TimeoutError)):
+                    return EvaluationError(str(e))
+                raise  # Re-raise if not a resource error
+            
             env.set(node.item.value, item)
             result = self.eval_node(node.body, env, stack_trace)
             if isinstance(result, ReturnValue):
@@ -3115,12 +3135,14 @@ class StatementEvaluatorMixin:
         else:
             data_str = str(data)
         
-        # Determine encoding
+        # Determine encoding/context
         encoding = Encoding.HTML  # Default
+        context_name = "html"  # For marking sanitized_for
         if node.encoding:
             enc_val = self.eval_node(node.encoding, env, stack_trace)
             if hasattr(enc_val, 'value'):
                 enc_name = enc_val.value.upper()
+                context_name = enc_val.value.lower()
                 try:
                     encoding = Encoding[enc_name]
                 except KeyError:
@@ -3130,10 +3152,16 @@ class StatementEvaluatorMixin:
         try:
             sanitized = Sanitizer.sanitize_string(data_str, encoding)
             debug_log("eval_sanitize_statement", f"Sanitized {len(data_str)} chars with {encoding.value}")
-            return String(sanitized)
+            result = String(sanitized)
+            # SECURITY ENFORCEMENT: Mark as sanitized for this context
+            result.mark_sanitized(context_name)
+            return result
         except Exception as e:
             debug_log("eval_sanitize_statement", f"Sanitization error: {e}")
-            return String(data_str)  # Return original if sanitization fails
+            # Even on error, mark as sanitized to prevent double-sanitization loops
+            result = String(data_str)
+            result.mark_sanitized(context_name)
+            return result
 
     def eval_inject_statement(self, node, env, stack_trace):
         """Evaluate inject statement - full dependency injection with mode-aware resolution."""

package/src/zexus/evaluator/utils.py

@@ -89,20 +89,26 @@ def _zexus_to_python(value):
     else:
         return str(value)
 
-def _python_to_zexus(value):
-    """Convert Python native types to Zexus objects"""
+def _python_to_zexus(value, mark_untrusted=False):
+    """Convert Python native types to Zexus objects
+    
+    Args:
+        value: Python value to convert
+        mark_untrusted: If True, mark strings as untrusted (external data)
+    """
     from ..object import Map, List, String, Integer, Float, Boolean as BooleanObj
     
     if isinstance(value, dict):
         pairs = {}
         for k, v in value.items():
-            pairs[k] = _python_to_zexus(v)
+            pairs[k] = _python_to_zexus(v, mark_untrusted)
         return Map(pairs)
     elif isinstance(value, list):
-        zexus_list = List([_python_to_zexus(item) for item in value])
+        zexus_list = List([_python_to_zexus(item, mark_untrusted) for item in value])
         return zexus_list
     elif isinstance(value, str):
-        return String(value)
+        # Mark strings as untrusted if from external source (HTTP, DB, etc.)
+        return String(value, is_trusted=not mark_untrusted)
     elif isinstance(value, int):
         return Integer(value)
     elif isinstance(value, float):
@@ -112,7 +118,7 @@ def _python_to_zexus(value):
     elif value is None:
         return NULL
     else:
-        return String(str(value))
+        return String(str(value), is_trusted=not mark_untrusted)
 
 def _to_str(obj):
     """Helper to convert Zexus object to string"""

package/src/zexus/lsp/server.py

@@ -87,7 +87,7 @@ if PYGLS_AVAILABLE:
         """Zexus Language Server implementation."""
 
         def __init__(self):
-            super().__init__('zexus-language-server', 'v1.6.2')
+            super().__init__('zexus-language-server', 'v1.6.3')
             self.completion_provider = CompletionProvider()
             self.symbol_provider = SymbolProvider()
             self.hover_provider = HoverProvider()

package/src/zexus/object.py

@@ -31,7 +31,12 @@ class Null(Object):
     def type(self): return "NULL"
 
 class String(Object):
-    def __init__(self, value): self.value = value
+    def __init__(self, value, sanitized_for=None, is_trusted=False):
+        self.value = value
+        # Track sanitization status for security enforcement
+        self.sanitized_for = sanitized_for  # None, 'sql', 'html', 'url', 'shell', etc.
+        self.is_trusted = is_trusted  # True for literals, False for external input
+        
     def inspect(self): return self.value
     def type(self): return "STRING"
     def __str__(self): return self.value
@@ -43,6 +48,19 @@ class String(Object):
     def __hash__(self):
         """Enable String objects to be used as dict keys"""
         return hash(self.value)
+    
+    def mark_sanitized(self, context):
+        """Mark this string as sanitized for a specific context"""
+        self.sanitized_for = context
+        return self
+    
+    def is_safe_for(self, context):
+        """Check if string is safe to use in given context"""
+        # Trusted strings (literals) are always safe
+        if self.is_trusted:
+            return True
+        # Check if sanitized for this specific context
+        return self.sanitized_for == context
 
 class List(Object):
     def __init__(self, elements): self.elements = elements
@@ -425,7 +443,8 @@ class File(Object):
             if isinstance(path, String):
                 path = path.value
             with open(path, 'r', encoding='utf-8') as f:
-                return String(f.read())
+                # Files are external data sources - return untrusted strings
+                return String(f.read(), is_trusted=False)
         except Exception as e:
             return EvaluationError(f"File read error: {str(e)}")
 

package/src/zexus/parser/parser.py

@@ -82,6 +82,7 @@ class UltimateParser:
             TRY: self.parse_try_catch_statement,
             EXTERNAL: self.parse_external_declaration,
             ASYNC: self.parse_async_expression,  # Support async <expression>
+            SANITIZE: self.parse_sanitize_expression,  # FIX #4: Support sanitize as expression
         }
         self.infix_parse_fns = {
             PLUS: self.parse_infix_expression,
@@ -511,7 +512,8 @@ class UltimateParser:
             elif self.cur_token_is(STATE):
                 print(f"[PARSE_STMT] Matched STATE", file=sys.stderr, flush=True)
                 node = self.parse_state_statement()
-            # REQUIRE is now handled by ContextStackParser for enhanced syntax support
+            elif self.cur_token_is(REQUIRE):
+                node = self.parse_require_statement()
             elif self.cur_token_is(REVERT):
                 print(f"[PARSE_STMT] Matched REVERT", file=sys.stderr, flush=True)
                 node = self.parse_revert_statement()
@@ -3299,6 +3301,40 @@ class UltimateParser:
         
         return ValidateStatement(data=data_expr, schema=schema_expr)
 
+    def parse_sanitize_expression(self):
+        """Parse sanitize as expression - can be used in assignments
+        
+        Supports both:
+          let safe = sanitize data, "sql"
+          let safe = sanitize data as sql
+        """
+        token = self.cur_token
+        self.next_token()
+        
+        # Parse data expression
+        data_expr = self.parse_expression(LOWEST)
+        if data_expr is None:
+            self.errors.append(f"Line {token.line}:{token.column} - Expected expression to sanitize")
+            return None
+        
+        # Expect comma or 'as'
+        encoding = None
+        if self.cur_token_is(COMMA):
+            self.next_token()
+            # Parse encoding as expression (can be string literal or identifier)
+            encoding = self.parse_expression(LOWEST)
+        elif self.cur_token_is(IDENT) and self.cur_token.literal == 'as':
+            self.next_token()
+            if self.cur_token_is(IDENT):
+                # Convert identifier to string literal
+                encoding = StringLiteral(value=self.cur_token.literal)
+                self.next_token()
+            elif self.cur_token_is(STRING):
+                encoding = self.parse_string_literal()
+        
+        result = SanitizeStatement(data=data_expr, rules=None, encoding=encoding)
+        return result
+
     def parse_sanitize_statement(self):
         """Parse sanitize statement - sanitize data"""
         token = self.cur_token
@@ -3698,6 +3734,7 @@ class UltimateParser:
         
         Asserts condition, reverts transaction if false.
         """
+        print(f"[DEBUG PARSER] parse_require_statement called", flush=True)
         token = self.cur_token
         
         if not self.expect_peek(LPAREN):
@@ -3721,6 +3758,7 @@ class UltimateParser:
         if self.peek_token_is(SEMICOLON):
             self.next_token()
         
+        print(f"[DEBUG PARSER] Creating RequireStatement with condition={condition}, message={message}", flush=True)
         return RequireStatement(condition=condition, message=message)
     
     def parse_revert_statement(self):

package/src/zexus/parser/strategy_context.py

@@ -3234,9 +3234,10 @@ class ContextStackParser:
                 # Parse REQUIRE statement: require(condition, message) or require condition { tolerance_block }
                 j = i + 1
                 
-                # Collect tokens until semicolon OR until after tolerance block closes
+                # Collect tokens until semicolon OR until after tolerance block closes OR after closing paren
                 require_tokens = [token]
                 brace_nest = 0
+                paren_nest = 0
                 while j < len(tokens):
                     tj = tokens[j]
                     
@@ -3246,6 +3247,12 @@ class ContextStackParser:
                     elif tj.type == RBRACE:
                         brace_nest -= 1
                     
+                    # Track paren nesting for require(condition, message) form
+                    if tj.type == LPAREN:
+                        paren_nest += 1
+                    elif tj.type == RPAREN:
+                        paren_nest -= 1
+                    
                     require_tokens.append(tj)
                     j += 1
                     
@@ -3253,6 +3260,10 @@ class ContextStackParser:
                     if tj.type == SEMICOLON and brace_nest == 0:
                         break
                     
+                    # Stop after closing paren of require(...) form (when paren_nest returns to 0)
+                    if tj.type == RPAREN and paren_nest == 0 and brace_nest == 0:
+                        break
+                    
                     # Stop after tolerance block closes (if there was one)
                     if brace_nest == 0 and len(require_tokens) > 1 and require_tokens[-2].type == RBRACE:
                         break
@@ -4597,7 +4608,7 @@ class ContextStackParser:
         
         Returns a SanitizeStatement which can be evaluated as an expression.
         """
-        print("  🔧 [Sanitize Expression] Parsing sanitize expression")
+        # print("  🔧 [Sanitize Expression] Parsing sanitize expression")
         if not tokens or tokens[0].type != SANITIZE:
             return None
         
@@ -6155,8 +6166,22 @@ class ContextStackParser:
         
         # Check for parenthesized form: require(condition, message)
         if start_idx < len(tokens) and tokens[start_idx].type == LPAREN:
-            # Extract tokens between LPAREN and RPAREN
-            inner = tokens[start_idx+1:-1] if len(tokens) > start_idx+1 and tokens[-1].type == RPAREN else tokens[start_idx+1:]
+            # Find matching RPAREN
+            paren_depth = 1
+            end_idx = start_idx + 1
+            while end_idx < len(tokens) and paren_depth > 0:
+                if tokens[end_idx].type == LPAREN:
+                    paren_depth += 1
+                elif tokens[end_idx].type == RPAREN:
+                    paren_depth -= 1
+                end_idx += 1
+            
+            if paren_depth != 0:
+                parser_debug("  ❌ Unmatched parentheses in require")
+                return None
+            
+            # Extract tokens between LPAREN and matching RPAREN
+            inner = tokens[start_idx+1:end_idx-1]
             
             # Split by comma to get condition and optional message
             args = self._parse_argument_list(inner)

package/src/zexus/parser/strategy_structural.py

@@ -609,7 +609,14 @@ class StructuralAnalyzer:
                                         elif tokens[k].type in {LBRACE, COLON}:
                                             # Found statement form indicators
                                             break
-                                if not (in_assignment and (allow_in_assignment or allow_debug_call or allow_if_then_else)):
+                                
+                                # FIX #4: After seeing SANITIZE in assignment, also check if previous token was SANITIZE
+                                # This allows collecting the sanitize expression arguments
+                                prev_was_sanitize = False
+                                if j > 0 and tokens[j - 1].type == SANITIZE:
+                                    prev_was_sanitize = True
+                                
+                                if not (in_assignment and (allow_in_assignment or allow_debug_call or allow_if_then_else or prev_was_sanitize)):
                                     break
                     
                     # CRITICAL FIX: Also break on modifier tokens at nesting 0 when followed by statement keywords
@@ -647,9 +654,10 @@ class StructuralAnalyzer:
                     stmt_tokens.append(tj)
                     j += 1
                     
-                    # MODIFIED: For RETURN, CONTINUE, and PRINT, stop after closing parens at nesting 0
-                    # PRINT can have multiple comma-separated arguments inside the parens
-                    if t.type in {RETURN, CONTINUE, PRINT} and nesting == 0 and tj.type == RPAREN:
+                    # MODIFIED: For RETURN, CONTINUE, PRINT, and REQUIRE, stop after closing parens at nesting 0
+                    # These can have multiple comma-separated arguments inside the parens
+                    # NOTE: 't' is the statement starter token (first token), 'tj' is the just-collected token
+                    if t.type in {RETURN, CONTINUE, PRINT, REQUIRE} and nesting == 0 and tj.type == RPAREN:
                         break
                     
                     # If we just closed a brace block and are back at nesting 0, stop