Revert "Add protections for loop-bound injections"

christopherholland-workday · christopherholland-workday · commit d51d18a6e78f · 2026-02-25T14:01:49.000-08:00
This reverts commit c75f4fc.
diff --git a/packages/components/evaluation/EvaluationRunner.ts b/packages/components/evaluation/EvaluationRunner.ts
@@ -94,11 +94,21 @@ export class EvaluationRunner {
             throw new Error('chatflowId must be a valid array')
         }
 
+        const MAX_CHATFLOWS = 1000
+        if (chatflowIds.length > MAX_CHATFLOWS) {
+            throw new Error(`Cannot evaluate more than ${MAX_CHATFLOWS} chatflows at once`)
+        }
+
         // Validate dataset.rows is an actual array to prevent DoS attacks
         if (!data.dataset || !Array.isArray(data.dataset.rows)) {
             throw new Error('dataset.rows must be a valid array')
         }
 
+        const MAX_ROWS = 1000
+        if (data.dataset.rows.length > MAX_ROWS) {
+            throw new Error(`Dataset cannot exceed ${MAX_ROWS} rows`)
+        }
+
         const returnData: ICommonObject = {}
         returnData.evaluationId = data.evaluationId
         returnData.runDate = new Date()
diff --git a/packages/server/src/services/evaluations/EvaluatorRunner.ts b/packages/server/src/services/evaluations/EvaluatorRunner.ts
@@ -10,6 +10,11 @@ interface EvaluatorReturnType {
     result: 'Pass' | 'Fail' | 'Error'
 }
 
+// Limit maximum array sizes to prevent DoS attacks
+const MAX_OUTPUTS = 10000
+const MAX_EVALUATORS = 1000
+const MAX_SPLIT_VALUES = 1000
+
 export const runAdditionalEvaluators = async (
     metricsArray: ICommonObject[],
     actualOutputArray: string[],
@@ -22,6 +27,14 @@ export const runAdditionalEvaluators = async (
         throw new Error('Invalid input: expected arrays')
     }
 
+    if (actualOutputArray.length > MAX_OUTPUTS) {
+        throw new Error(`Too many outputs: maximum allowed is ${MAX_OUTPUTS}`)
+    }
+
+    if (selectedEvaluators.length > MAX_EVALUATORS) {
+        throw new Error(`Too many evaluators: maximum allowed is ${MAX_EVALUATORS}`)
+    }
+
     const evaluationResults: any[] = []
     const evaluatorDict: any = {}
 
@@ -108,6 +121,10 @@ export const runAdditionalEvaluators = async (
                         case 'ContainsAny':
                             passed = false
                             splitValues = value.split(',').map((v) => v.trim().toLowerCase()) // Split, trim, and convert to lowercase
+                            // Limit split values to prevent unbounded iteration
+                            if (splitValues.length > MAX_SPLIT_VALUES) {
+                                throw new Error(`Too many split values: maximum allowed is ${MAX_SPLIT_VALUES}`)
+                            }
 
                             for (let i = 0; i < splitValues.length; i++) {
                                 if (actualOutput.includes(splitValues[i])) {
@@ -123,6 +140,10 @@ export const runAdditionalEvaluators = async (
                         case 'ContainsAll':
                             passed = true
                             splitValues = value.split(',').map((v) => v.trim().toLowerCase()) // Split, trim, and convert to lowercase
+                            // Limit split values to prevent unbounded iteration
+                            if (splitValues.length > MAX_SPLIT_VALUES) {
+                                throw new Error(`Too many split values: maximum allowed is ${MAX_SPLIT_VALUES}`)
+                            }
 
                             for (let i = 0; i < splitValues.length; i++) {
                                 if (!actualOutput.includes(splitValues[i])) {
@@ -138,6 +159,10 @@ export const runAdditionalEvaluators = async (
                         case 'DoesNotContainAny':
                             passed = true
                             splitValues = value.split(',').map((v) => v.trim().toLowerCase()) // Split, trim, and convert to lowercase
+                            // Limit split values to prevent unbounded iteration
+                            if (splitValues.length > MAX_SPLIT_VALUES) {
+                                throw new Error(`Too many split values: maximum allowed is ${MAX_SPLIT_VALUES}`)
+                            }
 
                             for (let i = 0; i < splitValues.length; i++) {
                                 if (actualOutput.includes(splitValues[i])) {
@@ -153,6 +178,10 @@ export const runAdditionalEvaluators = async (
                         case 'DoesNotContainAll':
                             passed = true
                             splitValues = value.split(',').map((v) => v.trim().toLowerCase()) // Split, trim, and convert to lowercase
+                            // Limit split values to prevent unbounded iteration
+                            if (splitValues.length > MAX_SPLIT_VALUES) {
+                                throw new Error(`Too many split values: maximum allowed is ${MAX_SPLIT_VALUES}`)
+                            }
 
                             for (let i = 0; i < splitValues.length; i++) {
                                 if (actualOutput.includes(splitValues[i])) {
diff --git a/packages/server/src/services/evaluations/index.ts b/packages/server/src/services/evaluations/index.ts
@@ -78,11 +78,21 @@ const createEvaluation = async (body: ICommonObject, baseURL: string, orgId: str
             throw new Error('chatflowType must be a valid array')
         }
 
+        const MAX_CHATFLOW_TYPES = 1000
+        if (chatflowTypes.length > MAX_CHATFLOW_TYPES) {
+            throw new Error(`Cannot evaluate more than ${MAX_CHATFLOW_TYPES} chatflow types at once`)
+        }
+
         const simpleEvaluators = body.selectedSimpleEvaluators.length > 0 ? JSON.parse(body.selectedSimpleEvaluators) : []
         if (!Array.isArray(simpleEvaluators)) {
             throw new Error('selectedSimpleEvaluators must be a valid array')
         }
 
+        const MAX_EVALUATORS = 1000
+        if (simpleEvaluators.length > MAX_EVALUATORS) {
+            throw new Error(`Cannot use more than ${MAX_EVALUATORS} simple evaluators at once`)
+        }
+
         const additionalConfig: ICommonObject = {
             chatflowTypes: chatflowTypes,
             datasetAsOneConversation: body.datasetAsOneConversation,
@@ -95,6 +105,10 @@ const createEvaluation = async (body: ICommonObject, baseURL: string, orgId: str
                 throw new Error('selectedLLMEvaluators must be a valid array')
             }
 
+            if (lLMEvaluators.length > MAX_EVALUATORS) {
+                throw new Error(`Cannot use more than ${MAX_EVALUATORS} LLM evaluators at once`)
+            }
+
             additionalConfig.lLMEvaluators = lLMEvaluators
             additionalConfig.llmConfig = {
                 credentialId: body.credentialId,
@@ -145,6 +159,11 @@ const createEvaluation = async (body: ICommonObject, baseURL: string, orgId: str
             throw new Error('chatflowId must be a valid array')
         }
 
+        const MAX_CHATFLOWS_EVAL = 100
+        if (chatflowIds.length > MAX_CHATFLOWS_EVAL) {
+            throw new Error(`Cannot evaluate more than ${MAX_CHATFLOWS_EVAL} chatflows at once`)
+        }
+
         for (let i = 0; i < chatflowIds.length; i++) {
             const chatflowId = chatflowIds[i]
             const cFlow = await appServer.AppDataSource.getRepository(ChatFlow).findOneBy({
