max / balanced_breakfast
1 file changed,
+8 insertions,
-1 deletion
| @@ -239,10 +239,17 @@ Each field in the `fields` array supports these properties: | |||
| 239 | 239 | ||
| 240 | 240 | The Rhai engine enforces these limits per plugin execution: | |
| 241 | 241 | ||
| 242 | + | **Script limits:** | |
| 242 | 243 | - **Max operations:** 100,000 -- Caps total operations per script call. A typical RSS fetch uses 1,000-5,000 operations. This limit catches infinite loops while allowing complex plugins. | |
| 243 | 244 | - **Max expression depth:** 128 -- Limits AST nesting depth for both expressions and function calls, preventing stack overflows from deeply recursive scripts. | |
| 244 | 245 | ||
| 245 | - | If a plugin exceeds either limit, the engine terminates execution and returns an error. | |
| 246 | + | **HTTP limits (per `fetch()` call):** | |
| 247 | + | - **Request count:** 100 -- Maximum HTTP requests per fetch invocation. Counter resets before each `fetch()` call. A typical RSS plugin makes 1-3 requests; 100 allows pagination while catching runaways. | |
| 248 | + | - **Response size:** 2 MB -- Each HTTP response body is capped at 2 MB. Prevents a plugin from consuming unbounded memory on a large or malicious response. | |
| 249 | + | - **Request timeout:** 15 seconds -- Per-request timeout for `http_get` and `http_get_json`. | |
| 250 | + | - **URL restrictions:** Only `http://` and `https://` schemes are allowed. Requests to localhost, private networks (10.x, 172.16-31.x, 192.168.x, 169.254.x), and IPv6 loopback (::1) are blocked. | |
| 251 | + | ||
| 252 | + | If a plugin exceeds any limit, the engine terminates execution and returns an error. | |
| 246 | 253 | ||
| 247 | 254 | ## Complete Minimal Example | |
| 248 | 255 |