Limit maximum template render output to 256KiB (#124946)

* Limit maximum template render output to 256KiB fixes #124931 256KiB is likely to still block the event loop for an unreasonable amont of time but its likely someone is using the template engine for large blocks of data so we want a limit which still allows that but has a reasonable safety to prevent the system from crashing down * Update homeassistant/helpers/template.py
2025-07-24 05:37:44 +00:00 · 2024-08-30 10:33:57 -10:00 · 2024-08-30 10:33:57 -10:00 · 0a9e20615e
commit 0a9e20615e
parent 8cafa1bcdf
2 changed files with 13 additions and 0 deletions
--- a/homeassistant/helpers/template.py
+++ b/homeassistant/helpers/template.py
@ -149,6 +149,7 @@ CACHED_TEMPLATE_STATES = 512
 EVAL_CACHE_SIZE = 512

 MAX_CUSTOM_TEMPLATE_SIZE = 5 * 1024 * 1024
+MAX_TEMPLATE_OUTPUT = 256 * 1024  # 256KiB

 CACHED_TEMPLATE_LRU: LRU[State, TemplateState] = LRU(CACHED_TEMPLATE_STATES)
 CACHED_TEMPLATE_NO_COLLECT_LRU: LRU[State, TemplateState] = LRU(CACHED_TEMPLATE_STATES)
@ -604,6 +605,11 @@ class Template:
        except Exception as err:
            raise TemplateError(err) from err

+        if len(render_result) > MAX_TEMPLATE_OUTPUT:
+            raise TemplateError(
+                f"Template output exceeded maximum size of {MAX_TEMPLATE_OUTPUT} characters"
+            )
+
        render_result = render_result.strip()

        if not parse_result or self.hass and self.hass.config.legacy_templates:
--- a/tests/helpers/test_template.py
+++ b/tests/helpers/test_template.py
@ -6281,3 +6281,10 @@ def test_unzip(hass: HomeAssistant, col, expected) -> None:
        ).async_render({"col": col})
        == expected
    )
+
+
+def test_template_output_exceeds_maximum_size(hass: HomeAssistant) -> None:
+    """Test template output exceeds maximum size."""
+    tpl = template.Template("{{ 'a' * 1024 * 257 }}", hass)
+    with pytest.raises(TemplateError):
+        tpl.async_render()