feat: add node budget and memory limits

Implement compile-time and runtime safeguards against deeply nested expressions:

- Add MaxNodes limit to track and limit AST node count during parsing
- Move MemoryBudget from VM to Config for better configurability
- Add node creation tracking in parser to enforce node budget
- Refactor node creation to check limits before allocation
- Add RunWithConfig to VM for passing memory budget settings
- Set reasonable defaults in Config (10000 nodes, 1M memory)
- Add comprehensive tests for both node and memory limits

This prevents stack overflows from malicious or poorly written expressions
by failing fast with clear error messages during compilation or runtime.

Signed-off-by: Ville Vesilehto <[email protected]>

Author: thevilledev

conf/config.go

@@ -10,31 +10,43 @@ import (
 	"github.com/expr-lang/expr/vm/runtime"
 )
 
+const (
+	// DefaultMemoryBudget represents an upper limit of memory usage
+	DefaultMemoryBudget uint = 1e6
+
+	// DefaultMaxNodes represents an upper limit of AST nodes
+	DefaultMaxNodes uint = 10000
+)
+
 type FunctionsTable map[string]*builtin.Function
 
 type Config struct {
-	EnvObject any
-	Env       nature.Nature
-	Expect    reflect.Kind
-	ExpectAny bool
-	Optimize  bool
-	Strict    bool
-	Profile   bool
-	ConstFns  map[string]reflect.Value
-	Visitors  []ast.Visitor
-	Functions FunctionsTable
-	Builtins  FunctionsTable
-	Disabled  map[string]bool // disabled builtins
+	EnvObject    any
+	Env          nature.Nature
+	Expect       reflect.Kind
+	ExpectAny    bool
+	Optimize     bool
+	Strict       bool
+	Profile      bool
+	MaxNodes     uint
+	MemoryBudget uint
+	ConstFns     map[string]reflect.Value
+	Visitors     []ast.Visitor
+	Functions    FunctionsTable
+	Builtins     FunctionsTable
+	Disabled     map[string]bool // disabled builtins
 }
 
 // CreateNew creates new config with default values.
 func CreateNew() *Config {
 	c := &Config{
-		Optimize:  true,
-		ConstFns:  make(map[string]reflect.Value),
-		Functions: make(map[string]*builtin.Function),
-		Builtins:  make(map[string]*builtin.Function),
-		Disabled:  make(map[string]bool),
+		Optimize:     true,
+		MaxNodes:     DefaultMaxNodes,
+		MemoryBudget: DefaultMemoryBudget,
+		ConstFns:     make(map[string]reflect.Value),
+		Functions:    make(map[string]*builtin.Function),
+		Builtins:     make(map[string]*builtin.Function),
+		Disabled:     make(map[string]bool),
 	}
 	for _, f := range builtin.Builtins {
 		c.Builtins[f.Name] = f