Merge pull request #27 from gofiber/codex/2025-06-05-05-02-46

 🧹 chore: Add upper index limit for parsers

Author: ReneWerner87

cache.go

@@ -12,7 +12,12 @@ import (
 	"sync"
 )
 
-var errInvalidPath = errors.New("schema: invalid path")
+const maxParserIndex = 1000
+
+var (
+	errInvalidPath   = errors.New("schema: invalid path")
+	errIndexTooLarge = errors.New("schema: index exceeds parser limit")
+)
 
 // newCache returns a new cache.
 func newCache() *cache {
@@ -78,6 +83,9 @@ func (c *cache) parsePath(p string, t reflect.Type) ([]pathPart, error) {
 			if index64, err = strconv.ParseInt(keys[i], 10, 0); err != nil {
 				return nil, errInvalidPath
 			}
+			if index64 > maxParserIndex {
+				return nil, errIndexTooLarge
+			}
 			parts = append(parts, pathPart{
 				path:  path,
 				field: field,

decoder_test.go

@@ -3150,6 +3150,29 @@ func TestDecodePanicIsCaughtAndReturnedAsError(t *testing.T) {
 	}
 }
 
+func TestDecodeIndexExceedsParserLimit(t *testing.T) {
+	type R struct {
+		N1 []*struct {
+			Value string
+		}
+	}
+	data := map[string][]string{
+		"n1.1001.value": {"Foo"},
+	}
+
+	s := new(R)
+	decoder := NewDecoder()
+	err := decoder.Decode(s, data)
+	if err == nil {
+		t.Fatal("Expected an error when index exceeds parser limit")
+	}
+
+	expected := MultiError{"n1.1001.value": UnknownKeyError{Key: "n1.1001.value"}}
+	if !reflect.DeepEqual(err, expected) {
+		t.Fatalf("Expected %v, got: %v", expected, err)
+	}
+}
+
 func BenchmarkHandleMultipartField(b *testing.B) {
 	// Create dummy file headers for testing
 	dummyFile := &multipart.FileHeader{