Add protections for loop-bound injections

christopherholland-workday · christopherholland-workday · commit ac8a98873375 · 2026-02-25T14:29:11.000-08:00
diff --git a/packages/components/evaluation/EvaluationRunner.ts b/packages/components/evaluation/EvaluationRunner.ts
@@ -88,6 +88,17 @@ export class EvaluationRunner {
 
     public async runEvaluations(data: ICommonObject) {
         const chatflowIds = JSON.parse(data.chatflowId)
+
+        // Validate chatflowIds is an actual array to prevent DoS attacks
+        if (!Array.isArray(chatflowIds)) {
+            throw new Error('chatflowId must be a valid array')
+        }
+
+        // Validate dataset.rows is an actual array to prevent DoS attacks
+        if (!data.dataset || !Array.isArray(data.dataset.rows)) {
+            throw new Error('dataset.rows must be a valid array')
+        }
+
         const returnData: ICommonObject = {}
         returnData.evaluationId = data.evaluationId
         returnData.runDate = new Date()
diff --git a/packages/server/src/services/evaluations/EvaluatorRunner.ts b/packages/server/src/services/evaluations/EvaluatorRunner.ts
@@ -17,6 +17,11 @@ export const runAdditionalEvaluators = async (
     selectedEvaluators: string[],
     workspaceId: string
 ) => {
+    // Validate inputs are arrays and enforce size limits
+    if (!Array.isArray(actualOutputArray) || !Array.isArray(selectedEvaluators)) {
+        throw new Error('Invalid input: expected arrays')
+    }
+
     const evaluationResults: any[] = []
     const evaluatorDict: any = {}
 
diff --git a/packages/server/src/services/evaluations/index.ts b/packages/server/src/services/evaluations/index.ts
@@ -72,14 +72,31 @@ const createEvaluation = async (body: ICommonObject, baseURL: string, orgId: str
         const row = appServer.AppDataSource.getRepository(Evaluation).create(newEval)
         row.average_metrics = JSON.stringify({})
 
+        // Parse and validate evaluator arrays to prevent DoS attacks
+        const chatflowTypes = body.chatflowType ? JSON.parse(body.chatflowType) : []
+        if (!Array.isArray(chatflowTypes)) {
+            throw new Error('chatflowType must be a valid array')
+        }
+
+        const simpleEvaluators = body.selectedSimpleEvaluators.length > 0 ? JSON.parse(body.selectedSimpleEvaluators) : []
+        if (!Array.isArray(simpleEvaluators)) {
+            throw new Error('selectedSimpleEvaluators must be a valid array')
+        }
+
         const additionalConfig: ICommonObject = {
-            chatflowTypes: body.chatflowType ? JSON.parse(body.chatflowType) : [],
+            chatflowTypes: chatflowTypes,
             datasetAsOneConversation: body.datasetAsOneConversation,
-            simpleEvaluators: body.selectedSimpleEvaluators.length > 0 ? JSON.parse(body.selectedSimpleEvaluators) : []
+            simpleEvaluators: simpleEvaluators
         }
 
         if (body.evaluationType === 'llm') {
-            additionalConfig.lLMEvaluators = body.selectedLLMEvaluators.length > 0 ? JSON.parse(body.selectedLLMEvaluators) : []
+            const lLMEvaluators = body.selectedLLMEvaluators.length > 0 ? JSON.parse(body.selectedLLMEvaluators) : []
+
+            if (!Array.isArray(lLMEvaluators)) {
+                throw new Error('selectedLLMEvaluators must be a valid array')
+            }
+
+            additionalConfig.lLMEvaluators = lLMEvaluators
             additionalConfig.llmConfig = {
                 credentialId: body.credentialId,
                 llm: body.llm,
@@ -123,6 +140,12 @@ const createEvaluation = async (body: ICommonObject, baseURL: string, orgId: str
         // When chatflow has an APIKey
         const apiKeys: { chatflowId: string; apiKey: string }[] = []
         const chatflowIds = JSON.parse(body.chatflowId)
+
+        // Validate chatflowIds is an actual array to prevent DoS attacks
+        if (!Array.isArray(chatflowIds)) {
+            throw new Error('chatflowId must be a valid array')
+        }
+
         for (let i = 0; i < chatflowIds.length; i++) {
             const chatflowId = chatflowIds[i]
             const cFlow = await appServer.AppDataSource.getRepository(ChatFlow).findOneBy({
@@ -246,7 +269,7 @@ const createEvaluation = async (body: ICommonObject, baseURL: string, orgId: str
                             metricsArray,
                             actualOutputArray,
                             errorArray,
-                            body.selectedSimpleEvaluators.length > 0 ? JSON.parse(body.selectedSimpleEvaluators) : [],
+                            additionalConfig.simpleEvaluators,
                             workspaceId
                         )
 
@@ -257,7 +280,7 @@ const createEvaluation = async (body: ICommonObject, baseURL: string, orgId: str
 
                         if (body.evaluationType === 'llm') {
                             resultRow.llmConfig = additionalConfig.llmConfig
-                            resultRow.LLMEvaluators = body.selectedLLMEvaluators.length > 0 ? JSON.parse(body.selectedLLMEvaluators) : []
+                            resultRow.LLMEvaluators = additionalConfig.lLMEvaluators
                             const llmEvaluatorMap: { evaluatorId: string; evaluator: any }[] = []
                             for (let i = 0; i < resultRow.LLMEvaluators.length; i++) {
                                 const evaluatorId = resultRow.LLMEvaluators[i]
