address gemini review feedbacks

jocelynlin-wd · jocelynlin-wd · commit c3e9b0f1fb2c · 2026-03-03T17:27:04.000-08:00
diff --git a/packages/agentflow/src/core/utils/fieldVisibility.test.ts b/packages/agentflow/src/core/utils/fieldVisibility.test.ts
@@ -79,6 +79,12 @@ describe('conditionMatches', () => {
         expect(conditionMatches('test', '[invalid')).toBe(false)
     })
 
+    it('rejects oversized regex patterns to mitigate ReDoS', () => {
+        const longPattern = '(a+)'.repeat(60) // exceeds 200 char limit
+        expect(conditionMatches('aaa', longPattern)).toBe(false)
+        expect(conditionMatches(['aaa'], longPattern)).toBe(false)
+    })
+
     it('scalar boolean strict equality', () => {
         expect(conditionMatches(true, true)).toBe(true)
         expect(conditionMatches(true, false)).toBe(false)
diff --git a/packages/agentflow/src/core/utils/fieldVisibility.ts b/packages/agentflow/src/core/utils/fieldVisibility.ts
@@ -6,6 +6,19 @@ import type { InputParam } from '../types'
 /** Detects characters that signal intentional regex usage (excludes `.` and `\` which appear in normal names). */
 const REGEX_INTENT = /[|()^$*+?[\]]/
 
+/** Maximum length for regex patterns to mitigate ReDoS from untrusted input. */
+const MAX_REGEX_LENGTH = 200
+
+/** Timeout-safe regex test: compiles and tests the pattern, returning false for invalid or oversized patterns. */
+function safeRegexTest(pattern: string, value: string): boolean {
+    if (pattern.length > MAX_REGEX_LENGTH) return false
+    try {
+        return new RegExp(pattern).test(value)
+    } catch {
+        return false
+    }
+}
+
 /**
  * Check if a ground value matches a comparison value using the same matrix
  * as the UI's _showHideOperation in genericHelper.js.
@@ -19,11 +32,7 @@ export function conditionMatches(groundValue: unknown, comparisonValue: unknown)
             return (groundValue as unknown[]).some((val) => {
                 if (comparisonValue === val) return true
                 if (REGEX_INTENT.test(comparisonValue)) {
-                    try {
-                        return new RegExp(comparisonValue).test(String(val))
-                    } catch {
-                        return false
-                    }
+                    return safeRegexTest(comparisonValue, String(val))
                 }
                 return false
             })
@@ -41,11 +50,7 @@ export function conditionMatches(groundValue: unknown, comparisonValue: unknown)
         if (typeof comparisonValue === 'string') {
             if (comparisonValue === groundValue) return true
             if (REGEX_INTENT.test(comparisonValue)) {
-                try {
-                    return new RegExp(comparisonValue).test(String(groundValue))
-                } catch {
-                    return false
-                }
+                return safeRegexTest(comparisonValue, String(groundValue))
             }
             return false
         }
@@ -59,47 +64,43 @@ export function conditionMatches(groundValue: unknown, comparisonValue: unknown)
     return false
 }
 
+/** Resolve a ground value from inputValues, parsing JSON-encoded arrays when found. */
+function resolveGroundValue(inputValues: Record<string, unknown>, rawPath: string, arrayIndex?: number): unknown {
+    const path = arrayIndex !== undefined ? rawPath.replace('$index', String(arrayIndex)) : rawPath
+    let value: unknown = get(inputValues, path, '')
+    if (typeof value === 'string' && value.startsWith('[') && value.endsWith(']')) {
+        try {
+            value = JSON.parse(value)
+        } catch {
+            // keep as string
+        }
+    }
+    return value
+}
+
 /**
  * Evaluate whether a single param should be visible given current input values.
  */
 export function evaluateParamVisibility(param: InputParam, inputValues: Record<string, unknown>, arrayIndex?: number): boolean {
-    let display = true
-
     if (param.show) {
         for (const [rawPath, comparisonValue] of Object.entries(param.show)) {
-            const path = arrayIndex !== undefined ? rawPath.replace('$index', String(arrayIndex)) : rawPath
-            let groundValue: unknown = get(inputValues, path, '')
-            if (typeof groundValue === 'string' && groundValue.startsWith('[') && groundValue.endsWith(']')) {
-                try {
-                    groundValue = JSON.parse(groundValue)
-                } catch {
-                    // keep as string
-                }
-            }
+            const groundValue = resolveGroundValue(inputValues, rawPath, arrayIndex)
             if (!conditionMatches(groundValue, comparisonValue)) {
-                display = false
+                return false
             }
         }
     }
 
     if (param.hide) {
         for (const [rawPath, comparisonValue] of Object.entries(param.hide)) {
-            const path = arrayIndex !== undefined ? rawPath.replace('$index', String(arrayIndex)) : rawPath
-            let groundValue: unknown = get(inputValues, path, '')
-            if (typeof groundValue === 'string' && groundValue.startsWith('[') && groundValue.endsWith(']')) {
-                try {
-                    groundValue = JSON.parse(groundValue)
-                } catch {
-                    // keep as string
-                }
-            }
+            const groundValue = resolveGroundValue(inputValues, rawPath, arrayIndex)
             if (conditionMatches(groundValue, comparisonValue)) {
-                display = false
+                return false
             }
         }
     }
 
-    return display
+    return true
 }
 
 /**
