zexus 1.6.2 → 1.6.4

package/src/zexus/evaluator/resource_limiter.py

@@ -0,0 +1,291 @@
+# src/zexus/evaluator/resource_limiter.py
+"""
+Resource Limiter for Zexus Interpreter
+
+Prevents resource exhaustion attacks by enforcing limits on:
+- Loop iterations (prevents infinite loops)
+- Execution time (prevents DoS via slow operations)
+- Call stack depth (prevents stack overflow)
+- Memory usage (prevents memory exhaustion)
+
+Security Fix #7: Resource Limits
+"""
+
+import time
+import signal
+import sys
+
+
+class ResourceError(Exception):
+    """Raised when a resource limit is exceeded"""
+    pass
+
+
+class TimeoutError(ResourceError):
+    """Raised when execution timeout is exceeded"""
+    pass
+
+
+class ResourceLimiter:
+    """
+    Enforces resource limits during program execution.
+    
+    Limits:
+    - max_iterations: Maximum loop iterations across all loops (default: 1,000,000)
+    - timeout_seconds: Maximum execution time (default: 30 seconds)
+    - max_call_depth: Maximum call stack depth (default: 1000)
+    - max_memory_mb: Maximum memory usage (default: 500 MB, not enforced by default)
+    
+    Usage:
+        limiter = ResourceLimiter(max_iterations=100000, timeout_seconds=10)
+        limiter.start()  # Start timeout timer
+        
+        # In loops:
+        limiter.check_iterations()
+        
+        # On function calls:
+        limiter.enter_call()
+        # ... function body ...
+        limiter.exit_call()
+        
+        limiter.stop()  # Stop timeout timer
+    """
+    
+    # Default limits
+    DEFAULT_MAX_ITERATIONS = 1_000_000  # 1 million iterations
+    DEFAULT_TIMEOUT_SECONDS = 30  # 30 seconds
+    DEFAULT_MAX_CALL_DEPTH = 100  # 100 nested calls (Python interpreter uses many stack frames per Zexus call)
+    DEFAULT_MAX_MEMORY_MB = 500  # 500 MB (not enforced by default)
+    
+    def __init__(self, 
+                 max_iterations=None,
+                 timeout_seconds=None,
+                 max_call_depth=None,
+                 max_memory_mb=None,
+                 enable_timeout=False,
+                 enable_memory_check=False):
+        """
+        Initialize resource limiter.
+        
+        Args:
+            max_iterations: Maximum total loop iterations (default: 1,000,000)
+            timeout_seconds: Maximum execution time (default: 30)
+            max_call_depth: Maximum call stack depth (default: 1000)
+            max_memory_mb: Maximum memory usage in MB (default: 500)
+            enable_timeout: Enable timeout enforcement (default: False, Linux only)
+            enable_memory_check: Enable memory checking (default: False, requires psutil)
+        """
+        self.max_iterations = max_iterations or self.DEFAULT_MAX_ITERATIONS
+        self.timeout_seconds = timeout_seconds or self.DEFAULT_TIMEOUT_SECONDS
+        self.max_call_depth = max_call_depth or self.DEFAULT_MAX_CALL_DEPTH
+        self.max_memory_mb = max_memory_mb or self.DEFAULT_MAX_MEMORY_MB
+        
+        # Feature flags
+        self.enable_timeout = enable_timeout
+        self.enable_memory_check = enable_memory_check
+        
+        # Runtime counters
+        self.iteration_count = 0
+        self.call_depth = 0
+        self.start_time = None
+        self.timeout_handler = None
+        
+        # Memory checking (optional, requires psutil)
+        self.psutil_available = False
+        if enable_memory_check:
+            try:
+                import psutil
+                self.psutil = psutil
+                self.psutil_available = True
+                self.process = psutil.Process()
+            except ImportError:
+                print("⚠️  Warning: psutil not available, memory checking disabled")
+                self.enable_memory_check = False
+    
+    def start(self):
+        """
+        Start resource monitoring (timeout timer, etc.)
+        Should be called at the beginning of script execution.
+        """
+        self.start_time = time.time()
+        self.iteration_count = 0
+        self.call_depth = 0
+        
+        # Set timeout handler (Linux/Unix only)
+        if self.enable_timeout and hasattr(signal, 'SIGALRM'):
+            self._set_timeout_alarm()
+    
+    def stop(self):
+        """
+        Stop resource monitoring and cleanup.
+        Should be called at the end of script execution.
+        """
+        # Cancel timeout alarm
+        if self.enable_timeout and hasattr(signal, 'SIGALRM'):
+            signal.alarm(0)  # Cancel alarm
+    
+    def reset(self):
+        """Reset iteration counter (useful for multiple script executions)"""
+        self.iteration_count = 0
+        self.call_depth = 0
+        self.start_time = None
+    
+    def check_iterations(self):
+        """
+        Check if iteration limit has been exceeded.
+        Should be called at the beginning of each loop iteration.
+        
+        Raises:
+            ResourceError: If iteration limit exceeded
+        """
+        self.iteration_count += 1
+        
+        if self.iteration_count > self.max_iterations:
+            raise ResourceError(
+                f"Iteration limit exceeded: {self.max_iterations:,} iterations\n"
+                f"This prevents infinite loops and resource exhaustion.\n\n"
+                f"Suggestion: Review your loop conditions or increase the limit with:\n"
+                f"  zx-run --max-iterations 10000000 script.zx"
+            )
+    
+    def check_timeout(self):
+        """
+        Check if execution timeout has been exceeded.
+        Should be called periodically during long operations.
+        
+        Raises:
+            TimeoutError: If timeout exceeded
+        """
+        if self.start_time is None:
+            return
+        
+        elapsed = time.time() - self.start_time
+        if elapsed > self.timeout_seconds:
+            raise TimeoutError(
+                f"Execution timeout exceeded: {elapsed:.2f}s > {self.timeout_seconds}s\n"
+                f"This prevents denial-of-service via slow operations.\n\n"
+                f"Suggestion: Optimize your code or increase timeout with:\n"
+                f"  zx-run --timeout 60 script.zx"
+            )
+    
+    def check_memory(self):
+        """
+        Check if memory limit has been exceeded.
+        Should be called periodically (e.g., every 1000 iterations).
+        
+        Raises:
+            ResourceError: If memory limit exceeded
+        """
+        if not self.enable_memory_check or not self.psutil_available:
+            return
+        
+        try:
+            memory_mb = self.process.memory_info().rss / 1024 / 1024
+            
+            if memory_mb > self.max_memory_mb:
+                raise ResourceError(
+                    f"Memory limit exceeded: {memory_mb:.2f}MB > {self.max_memory_mb}MB\n"
+                    f"This prevents memory exhaustion attacks.\n\n"
+                    f"Suggestion: Reduce memory usage or increase limit with:\n"
+                    f"  zx-run --max-memory 1000 script.zx"
+                )
+        except Exception as e:
+            # Don't crash on memory check failure
+            print(f"⚠️  Warning: Memory check failed: {e}")
+    
+    def enter_call(self, function_name=None):
+        """
+        Called when entering a function/action call.
+        Tracks call depth to prevent stack overflow.
+        
+        Args:
+            function_name: Optional name of function being called
+        
+        Raises:
+            ResourceError: If call depth limit exceeded
+        """
+        self.call_depth += 1
+        
+        if self.call_depth > self.max_call_depth:
+            func_info = f" ({function_name})" if function_name else ""
+            raise ResourceError(
+                f"Call depth limit exceeded: {self.max_call_depth} nested calls{func_info}\n"
+                f"This prevents stack overflow from excessive recursion.\n\n"
+                f"Suggestion: Review your recursion or increase limit with:\n"
+                f"  zx-run --max-call-depth 5000 script.zx"
+            )
+    
+    def exit_call(self):
+        """
+        Called when exiting a function/action call.
+        Decrements call depth counter.
+        """
+        if self.call_depth > 0:
+            self.call_depth -= 1
+    
+    def get_stats(self):
+        """
+        Get current resource usage statistics.
+        
+        Returns:
+            dict: Resource usage stats
+        """
+        stats = {
+            'iterations': self.iteration_count,
+            'max_iterations': self.max_iterations,
+            'iteration_percent': (self.iteration_count / self.max_iterations) * 100,
+            'call_depth': self.call_depth,
+            'max_call_depth': self.max_call_depth,
+        }
+        
+        if self.start_time:
+            elapsed = time.time() - self.start_time
+            stats['elapsed_seconds'] = elapsed
+            stats['timeout_seconds'] = self.timeout_seconds
+            stats['timeout_percent'] = (elapsed / self.timeout_seconds) * 100
+        
+        if self.enable_memory_check and self.psutil_available:
+            try:
+                memory_mb = self.process.memory_info().rss / 1024 / 1024
+                stats['memory_mb'] = memory_mb
+                stats['max_memory_mb'] = self.max_memory_mb
+                stats['memory_percent'] = (memory_mb / self.max_memory_mb) * 100
+            except:
+                pass
+        
+        return stats
+    
+    def _set_timeout_alarm(self):
+        """
+        Set SIGALRM timeout handler (Linux/Unix only).
+        This is automatically called by start() if enable_timeout is True.
+        """
+        def timeout_handler(signum, frame):
+            raise TimeoutError(
+                f"Execution timeout: {self.timeout_seconds}s exceeded\n"
+                f"This prevents denial-of-service via slow operations.\n\n"
+                f"Suggestion: Optimize your code or increase timeout with:\n"
+                f"  zx-run --timeout 60 script.zx"
+            )
+        
+        self.timeout_handler = timeout_handler
+        signal.signal(signal.SIGALRM, timeout_handler)
+        signal.alarm(self.timeout_seconds)
+
+
+# Default global limiter (can be overridden)
+_default_limiter = None
+
+
+def get_default_limiter():
+    """Get the default global resource limiter"""
+    global _default_limiter
+    if _default_limiter is None:
+        _default_limiter = ResourceLimiter()
+    return _default_limiter
+
+
+def set_default_limiter(limiter):
+    """Set the default global resource limiter"""
+    global _default_limiter
+    _default_limiter = limiter

package/src/zexus/evaluator/statements.py

@@ -757,15 +757,23 @@ class StatementEvaluatorMixin:
             if is_error(obj):
                 return obj
 
-            # Safely extract property key
-            if hasattr(node.name.property, 'value'):
-                prop_key = node.name.property.value
-            else:
-                # Evaluate property expression
+            # Determine property key based on whether it's computed (obj[expr]) or literal (obj.prop)
+            if hasattr(node.name, 'computed') and node.name.computed:
+                # Computed property (obj[expr]) - evaluate the expression
                 prop_result = self.eval_node(node.name.property, env, stack_trace)
                 if is_error(prop_result):
                     return prop_result
                 prop_key = prop_result.value if hasattr(prop_result, 'value') else str(prop_result)
+            else:
+                # Literal property (obj.prop) - use the identifier name directly
+                if hasattr(node.name.property, 'value'):
+                    prop_key = node.name.property.value
+                else:
+                    # Fallback: evaluate it
+                    prop_result = self.eval_node(node.name.property, env, stack_trace)
+                    if is_error(prop_result):
+                        return prop_result
+                    prop_key = prop_result.value if hasattr(prop_result, 'value') else str(prop_result)
 
             # Evaluate value first
             value = self.eval_node(node.value, env, stack_trace)
@@ -877,6 +885,16 @@ class StatementEvaluatorMixin:
     def eval_while_statement(self, node, env, stack_trace):
         result = NULL
         while True:
+            # Resource limit check (Security Fix #7)
+            try:
+                self.resource_limiter.check_iterations()
+            except Exception as e:
+                # Convert ResourceError to EvaluationError
+                from ..evaluator.resource_limiter import ResourceError, TimeoutError
+                if isinstance(e, (ResourceError, TimeoutError)):
+                    return EvaluationError(str(e))
+                raise  # Re-raise if not a resource error
+            
             cond = self.eval_node(node.condition, env, stack_trace)
             if is_error(cond): 
                 return cond
@@ -904,6 +922,16 @@ class StatementEvaluatorMixin:
         
         result = NULL
         for item in iterable.elements:
+            # Resource limit check (Security Fix #7)
+            try:
+                self.resource_limiter.check_iterations()
+            except Exception as e:
+                # Convert ResourceError to EvaluationError
+                from ..evaluator.resource_limiter import ResourceError, TimeoutError
+                if isinstance(e, (ResourceError, TimeoutError)):
+                    return EvaluationError(str(e))
+                raise  # Re-raise if not a resource error
+            
             env.set(node.item.value, item)
             result = self.eval_node(node.body, env, stack_trace)
             if isinstance(result, ReturnValue):
@@ -1688,11 +1716,10 @@ class StatementEvaluatorMixin:
         
         # Pass the AST nodes as storage_vars, not the storage dict
         contract = SmartContract(node.name.value, node.storage_vars, actions)
-        contract.deploy()
+        # Deploy with evaluated storage values to avoid storing AST nodes
+        contract.deploy(evaluated_storage_values=storage)
         
-        # Initialize storage with evaluated initial values
-        for var_name, init_val in storage.items():
-            contract.storage.set(var_name, init_val)
+        # Storage values are now set during deploy(), no need to set again
         
         # Check if contract has a constructor and execute it
         if 'constructor' in actions:
@@ -3115,12 +3142,14 @@ class StatementEvaluatorMixin:
         else:
             data_str = str(data)
         
-        # Determine encoding
+        # Determine encoding/context
         encoding = Encoding.HTML  # Default
+        context_name = "html"  # For marking sanitized_for
         if node.encoding:
             enc_val = self.eval_node(node.encoding, env, stack_trace)
             if hasattr(enc_val, 'value'):
                 enc_name = enc_val.value.upper()
+                context_name = enc_val.value.lower()
                 try:
                     encoding = Encoding[enc_name]
                 except KeyError:
@@ -3130,10 +3159,16 @@ class StatementEvaluatorMixin:
         try:
             sanitized = Sanitizer.sanitize_string(data_str, encoding)
             debug_log("eval_sanitize_statement", f"Sanitized {len(data_str)} chars with {encoding.value}")
-            return String(sanitized)
+            result = String(sanitized)
+            # SECURITY ENFORCEMENT: Mark as sanitized for this context
+            result.mark_sanitized(context_name)
+            return result
         except Exception as e:
             debug_log("eval_sanitize_statement", f"Sanitization error: {e}")
-            return String(data_str)  # Return original if sanitization fails
+            # Even on error, mark as sanitized to prevent double-sanitization loops
+            result = String(data_str)
+            result.mark_sanitized(context_name)
+            return result
 
     def eval_inject_statement(self, node, env, stack_trace):
         """Evaluate inject statement - full dependency injection with mode-aware resolution."""

package/src/zexus/evaluator/utils.py

@@ -89,20 +89,26 @@ def _zexus_to_python(value):
     else:
         return str(value)
 
-def _python_to_zexus(value):
-    """Convert Python native types to Zexus objects"""
+def _python_to_zexus(value, mark_untrusted=False):
+    """Convert Python native types to Zexus objects
+    
+    Args:
+        value: Python value to convert
+        mark_untrusted: If True, mark strings as untrusted (external data)
+    """
     from ..object import Map, List, String, Integer, Float, Boolean as BooleanObj
     
     if isinstance(value, dict):
         pairs = {}
         for k, v in value.items():
-            pairs[k] = _python_to_zexus(v)
+            pairs[k] = _python_to_zexus(v, mark_untrusted)
         return Map(pairs)
     elif isinstance(value, list):
-        zexus_list = List([_python_to_zexus(item) for item in value])
+        zexus_list = List([_python_to_zexus(item, mark_untrusted) for item in value])
         return zexus_list
     elif isinstance(value, str):
-        return String(value)
+        # Mark strings as untrusted if from external source (HTTP, DB, etc.)
+        return String(value, is_trusted=not mark_untrusted)
     elif isinstance(value, int):
         return Integer(value)
     elif isinstance(value, float):
@@ -112,7 +118,7 @@ def _python_to_zexus(value):
     elif value is None:
         return NULL
     else:
-        return String(str(value))
+        return String(str(value), is_trusted=not mark_untrusted)
 
 def _to_str(obj):
     """Helper to convert Zexus object to string"""

package/src/zexus/lsp/server.py

@@ -87,7 +87,7 @@ if PYGLS_AVAILABLE:
         """Zexus Language Server implementation."""
 
         def __init__(self):
-            super().__init__('zexus-language-server', 'v1.6.2')
+            super().__init__('zexus-language-server', 'v1.6.3')
             self.completion_provider = CompletionProvider()
             self.symbol_provider = SymbolProvider()
             self.hover_provider = HoverProvider()

package/src/zexus/object.py

@@ -31,7 +31,12 @@ class Null(Object):
     def type(self): return "NULL"
 
 class String(Object):
-    def __init__(self, value): self.value = value
+    def __init__(self, value, sanitized_for=None, is_trusted=False):
+        self.value = value
+        # Track sanitization status for security enforcement
+        self.sanitized_for = sanitized_for  # None, 'sql', 'html', 'url', 'shell', etc.
+        self.is_trusted = is_trusted  # True for literals, False for external input
+        
     def inspect(self): return self.value
     def type(self): return "STRING"
     def __str__(self): return self.value
@@ -43,6 +48,19 @@ class String(Object):
     def __hash__(self):
         """Enable String objects to be used as dict keys"""
         return hash(self.value)
+    
+    def mark_sanitized(self, context):
+        """Mark this string as sanitized for a specific context"""
+        self.sanitized_for = context
+        return self
+    
+    def is_safe_for(self, context):
+        """Check if string is safe to use in given context"""
+        # Trusted strings (literals) are always safe
+        if self.is_trusted:
+            return True
+        # Check if sanitized for this specific context
+        return self.sanitized_for == context
 
 class List(Object):
     def __init__(self, elements): self.elements = elements
@@ -425,7 +443,8 @@ class File(Object):
             if isinstance(path, String):
                 path = path.value
             with open(path, 'r', encoding='utf-8') as f:
-                return String(f.read())
+                # Files are external data sources - return untrusted strings
+                return String(f.read(), is_trusted=False)
         except Exception as e:
             return EvaluationError(f"File read error: {str(e)}")
 

package/src/zexus/parser/parser.py

@@ -27,6 +27,7 @@ precedences = {
     SLASH: PRODUCT, STAR: PRODUCT, MOD: PRODUCT,
     LPAREN: CALL,
     LBRACKET: CALL,
+    LBRACE: CALL,  # Entity{...} constructor syntax
     DOT: CALL,
 }
 
@@ -82,6 +83,7 @@ class UltimateParser:
             TRY: self.parse_try_catch_statement,
             EXTERNAL: self.parse_external_declaration,
             ASYNC: self.parse_async_expression,  # Support async <expression>
+            SANITIZE: self.parse_sanitize_expression,  # FIX #4: Support sanitize as expression
         }
         self.infix_parse_fns = {
             PLUS: self.parse_infix_expression,
@@ -102,6 +104,7 @@ class UltimateParser:
             ASSIGN: self.parse_assignment_expression,
             LAMBDA: self.parse_lambda_infix,  # support arrow-style lambdas: params => body
             LPAREN: self.parse_call_expression,
+            LBRACE: self.parse_constructor_call_expression,  # Entity{field: value} syntax
             LBRACKET: self.parse_index_expression,
             DOT: self.parse_method_call_expression,
         }
@@ -511,7 +514,8 @@ class UltimateParser:
             elif self.cur_token_is(STATE):
                 print(f"[PARSE_STMT] Matched STATE", file=sys.stderr, flush=True)
                 node = self.parse_state_statement()
-            # REQUIRE is now handled by ContextStackParser for enhanced syntax support
+            elif self.cur_token_is(REQUIRE):
+                node = self.parse_require_statement()
             elif self.cur_token_is(REVERT):
                 print(f"[PARSE_STMT] Matched REVERT", file=sys.stderr, flush=True)
                 node = self.parse_revert_statement()
@@ -1504,7 +1508,7 @@ class UltimateParser:
             arguments = self.parse_expression_list(RPAREN)
             return MethodCallExpression(object=left, method=method, arguments=arguments)
         else:
-            return PropertyAccessExpression(object=left, property=method)
+            return PropertyAccessExpression(object=left, property=method, computed=False)
 
     def parse_export_statement(self):
         token = self.cur_token
@@ -1707,7 +1711,7 @@ class UltimateParser:
             return None
 
         field_name = Identifier(self.cur_token.literal)
-        target = PropertyAccessExpression(obj_name, field_name)
+        target = PropertyAccessExpression(obj_name, field_name, computed=False)
 
         # Expect assignment
         if not self.expect_peek(ASSIGN):
@@ -2726,6 +2730,18 @@ class UltimateParser:
         exp.arguments = self.parse_expression_list(RPAREN)
         return exp
 
+    def parse_constructor_call_expression(self, function):
+        """Parse constructor call with map literal syntax: Entity{field: value, ...}
+        
+        This converts Entity{a: 1, b: 2} into Entity({a: 1, b: 2})
+        """
+        # Current token is LBRACE, parse it as a map literal
+        map_literal = self.parse_map_literal()
+        
+        # Create a call expression with the map as the single argument
+        exp = CallExpression(function=function, arguments=[map_literal])
+        return exp
+
     def parse_prefix_expression(self):
         expression = PrefixExpression(operator=self.cur_token.literal, right=None)
         self.next_token()
@@ -2798,7 +2814,7 @@ class UltimateParser:
         # Expect closing bracket
         if not self.expect_peek(RBRACKET):
             return None
-        return PropertyAccessExpression(object=left, property=index_expr)
+        return PropertyAccessExpression(object=left, property=index_expr, computed=True)
 
     def _lookahead_token_after_matching_paren(self):
         """Character-level lookahead: detect if the matching ')' is followed by '=>' (arrow).
@@ -3299,6 +3315,40 @@ class UltimateParser:
         
         return ValidateStatement(data=data_expr, schema=schema_expr)
 
+    def parse_sanitize_expression(self):
+        """Parse sanitize as expression - can be used in assignments
+        
+        Supports both:
+          let safe = sanitize data, "sql"
+          let safe = sanitize data as sql
+        """
+        token = self.cur_token
+        self.next_token()
+        
+        # Parse data expression
+        data_expr = self.parse_expression(LOWEST)
+        if data_expr is None:
+            self.errors.append(f"Line {token.line}:{token.column} - Expected expression to sanitize")
+            return None
+        
+        # Expect comma or 'as'
+        encoding = None
+        if self.cur_token_is(COMMA):
+            self.next_token()
+            # Parse encoding as expression (can be string literal or identifier)
+            encoding = self.parse_expression(LOWEST)
+        elif self.cur_token_is(IDENT) and self.cur_token.literal == 'as':
+            self.next_token()
+            if self.cur_token_is(IDENT):
+                # Convert identifier to string literal
+                encoding = StringLiteral(value=self.cur_token.literal)
+                self.next_token()
+            elif self.cur_token_is(STRING):
+                encoding = self.parse_string_literal()
+        
+        result = SanitizeStatement(data=data_expr, rules=None, encoding=encoding)
+        return result
+
     def parse_sanitize_statement(self):
         """Parse sanitize statement - sanitize data"""
         token = self.cur_token
@@ -3698,6 +3748,7 @@ class UltimateParser:
         
         Asserts condition, reverts transaction if false.
         """
+        print(f"[DEBUG PARSER] parse_require_statement called", flush=True)
         token = self.cur_token
         
         if not self.expect_peek(LPAREN):
@@ -3721,6 +3772,7 @@ class UltimateParser:
         if self.peek_token_is(SEMICOLON):
             self.next_token()
         
+        print(f"[DEBUG PARSER] Creating RequireStatement with condition={condition}, message={message}", flush=True)
         return RequireStatement(condition=condition, message=message)
     
     def parse_revert_statement(self):