api: prevent excessice CPU load on job parse

Add new namespace ACL requirement for the /v1/jobs/parse endpoint and
return early if HCLv2 parsing fails.

The endpoint now requires the new `parse-job` ACL capability or
`submit-job`.

jobspec2/parse.go

@@ -96,6 +96,12 @@ func decode(c *jobConfig) error {
 		diags = append(diags, ds...)
 	}
 
+	// Return early if the input job or variable files are not valid.
+	// Decoding and evaluating invalid files may result in unexpected results.
+	if diags.HasErrors() {
+		return diags
+	}
+
 	diags = append(diags, c.decodeBody(file.Body)...)
 
 	if diags.HasErrors() {

jobspec2/parse_test.go

@@ -374,6 +374,49 @@ job "example" {
 	require.Equal(t, "3", out.TaskGroups[2].Tasks[0].Meta["VERSION"])
 }
 
+func TestParse_InvalidHCL(t *testing.T) {
+	t.Run("invalid body", func(t *testing.T) {
+		hcl := `invalid{hcl`
+
+		_, err := ParseWithConfig(&ParseConfig{
+			Path:    "input.hcl",
+			Body:    []byte(hcl),
+			ArgVars: []string{},
+			AllowFS: true,
+		})
+		require.Error(t, err)
+	})
+
+	t.Run("invalid vars file", func(t *testing.T) {
+		tmp, err := ioutil.TempFile("", "nomad-jobspec2-")
+		require.NoError(t, err)
+		defer os.Remove(tmp.Name())
+
+		vars := `invalid{hcl`
+		_, err = tmp.Write([]byte(vars))
+		require.NoError(t, err)
+
+		hcl := `
+variables {
+  region_var = "default"
+}
+job "example" {
+  datacenters = [for s in ["dc1", "dc2"] : upper(s)]
+  region      = var.region_var
+}
+`
+
+		_, err = ParseWithConfig(&ParseConfig{
+			Path:     "input.hcl",
+			Body:     []byte(hcl),
+			VarFiles: []string{tmp.Name()},
+			ArgVars:  []string{},
+			AllowFS:  true,
+		})
+		require.Error(t, err)
+	})
+}
+
 func TestParse_InvalidScalingSyntax(t *testing.T) {
 	cases := []struct {
 		name        string