Add configurable structural nesting depth limit to SpEL expressions

[itsmehotpants]

What this PR does

Closes #36723

SpelParserConfiguration already enforces a maximum expression length and a maximum number of evaluation operations, but had no corresponding guard on structural nesting depth — e.g. deeply-nested inline lists {{{{…}}}} and maps {'a': {'b': {'c': …}}}. Without a bound, a crafted expression can drive the recursive-descent parser into an arbitrarily deep Java call stack, eventually causing StackOverflowError.

This PR adds a configurable maximumNestingDepth limit that fires a descriptive SpelParseException the moment the parser descends past the threshold.

---

Changes

SpelMessage

• New entry MAX_NESTING_DEPTH_EXCEEDED (code 1086) used when the configured limit is exceeded during parsing.

SpelParserConfiguration

• DEFAULT_MAX_NESTING_DEPTH = 1_000 — conservative default that is safe for any legitimate expression.
• SPRING_EXPRESSION_MAX_NESTING_DEPTH_PROPERTY_NAME (spring.expression.maxNestingDepth) — system property / SpringProperties key for global override, consistent with the existing maxOperations pattern.
• maximumNestingDepth field + getMaximumNestingDepth() accessor.
• New 8-arg canonical constructor that adds maximumNestingDepth; the previous 7-arg constructor delegates to it and is marked @Deprecated(since = "7.0").
• retrieveMaxNestingDepth() static helper follows exactly the same validation pattern as retrieveMaxOperations().

InternalSpelExpressionParser

• nestingDepth counter field, reset to 0 at the start of every doParseExpression call (ensuring parser instances are safely reusable).
• enterNesting(startPos) — increments the counter and throws via internalException if the limit is exceeded.
• exitNesting() — decrements the counter.
• maybeEatInlineListOrMap() — calls enterNesting() on LCURLY and exitNesting() just before the finished node is pushed, so every inline list and map contributes exactly one depth level.

SpelNestingDepthTests (new)

15 JUnit 5 tests covering:

• Configuration defaults and validation
• Inline lists: flat, at-limit, over-limit, deeply nested past default
• Inline maps: flat, at-limit, over-limit
• Mixed list + map nesting
• Limit boundary conditions
• Parser reusability after an exception
• Error message containing the configured limit value

---

Usage

// Global override via system property:
System.setProperty("spring.expression.maxNestingDepth", "50");

// Per-parser override via constructor:
SpelParserConfiguration config = new SpelParserConfiguration(
        SpelCompilerMode.OFF, null,
        false, false, Integer.MAX_VALUE,
        SpelParserConfiguration.DEFAULT_MAX_EXPRESSION_LENGTH,
        SpelParserConfiguration.DEFAULT_MAX_OPERATIONS,
        50 // maximumNestingDepth
);
SpelExpressionParser parser = new SpelExpressionParser(config);

// Throws SpelParseException (EL1086E) for {{{{…}}}}}:
parser.parseExpression("{".repeat(51) + "}".repeat(51));

---

Checklist

• Implements the feature requested in Add a configurable limit for structural nesting depth in SpEL expressions #36723
• Follows existing limit patterns (maximumExpressionLength, maximumOperations)
• System property support (spring.expression.maxNestingDepth)
• @Deprecated(since = "7.0") on the superseded 7-arg constructor
• 15 unit tests with boundary, reuse, and error-message assertions
• No new runtime dependencies

[sbrannen]

Hi @itsmehotpants,

Congratulations on submitting your first PR for the Spring Framework! 👍

Unfortunately, #36723 is assigned to me and not open to contributions.

I stated this already in #36723 (comment).

In the future, please make sure you read all comments in an issue before spending time crafting and submitting a PR.

Regards,

Sam