Revert loop bound changes

[christopherholland-workday]

Revert commits accidentally added in c75f4fc

[gemini-code-assist]

Summary of Changes

Hello @christopherholland-workday, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request aims to revert a set of changes that were inadvertently merged, specifically focusing on input validation and defensive programming checks within the evaluation runner and related services. The primary impact is the removal of array type and size validations for various parameters, streamlining the code by undoing the accidental additions.

Highlights

• Reverted Input Validation: Removed several array validation checks that were previously added to prevent potential DoS attacks or ensure correct input types. These checks were identified as accidentally introduced.
• Simplified Configuration Assignments: Adjusted the assignment of evaluation parameters within additionalConfig to directly parse values from the request body, eliminating intermediate variables and redundant validation.
• Code Clean-up: Removed unnecessary blank lines in EvaluatorRunner.ts that were part of the reverted changes.

Changelog

• packages/components/evaluation/EvaluationRunner.ts
  • Removed validation for chatflowId and dataset.rows to ensure they are arrays.
• packages/server/src/services/evaluations/EvaluatorRunner.ts
  • Removed validation for actualOutputArray and selectedEvaluators.
  • Removed empty lines within the runAdditionalEvaluators function.
• packages/server/src/services/evaluations/index.ts
  • Removed validation for chatflowType, selectedSimpleEvaluators, selectedLLMEvaluators, and chatflowId.
  • Modified additionalConfig assignments to directly parse JSON from the request body for evaluation parameters.

Activity

• No specific activity (comments, reviews, progress updates) has been recorded for this pull request yet.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request reverts several important validation checks that were likely added to prevent Denial of Service (DoS) attacks and improve application stability. By removing these checks, the application becomes vulnerable to crashes and unexpected behavior when processing malformed input data. This is a critical issue.

The following validations are being removed:

• In packages/components/evaluation/EvaluationRunner.ts: Validation for chatflowIds and data.dataset.rows to be arrays.
• In packages/server/src/services/evaluations/EvaluatorRunner.ts: Validation for actualOutputArray and selectedEvaluators to be arrays.
• In packages/server/src/services/evaluations/index.ts: Validation for chatflowTypes, simpleEvaluators, lLMEvaluators, and chatflowIds to be arrays after being parsed from JSON.

I strongly advise against merging this pull request as it re-introduces security vulnerabilities. If these changes were accidentally included in a previous commit, they should be re-applied correctly in a new commit/PR rather than being reverted.

I am having trouble creating individual review comments. Click here to see my feedback.

packages/components/evaluation/EvaluationRunner.ts (92-100)

Removing these validation checks for chatflowIds and data.dataset.rows re-introduces a critical vulnerability. The values are used in loops later in the code. Without ensuring they are arrays, malformed input could cause the application to crash, leading to a Denial of Service (DoS) vulnerability. These checks are essential for security and stability and should not be removed.

packages/server/src/services/evaluations/EvaluatorRunner.ts (20-23)

Removing the array validation for actualOutputArray and selectedEvaluators is a critical issue. The selectedEvaluators parameter comes from a JSON.parse operation on a request body parameter, and the validation for that is also being removed in packages/server/src/services/evaluations/index.ts. Without this check, a non-array value could be passed, causing the loop over selectedEvaluators to fail and crash the application. This check is crucial for robustness and security.

packages/server/src/services/evaluations/index.ts (75-98)

Removing the validation for chatflowTypes, simpleEvaluators, and lLMEvaluators is a critical security risk. These values are parsed from JSON in the request body and are expected to be arrays by downstream code. Without these checks, malformed input can lead to application crashes when the code attempts to iterate over what it assumes is an array. This re-introduces a potential Denial of Service (DoS) vulnerability.

packages/server/src/services/evaluations/index.ts (143-146)

The removal of the validation check for chatflowIds is a critical issue. Since chatflowIds is derived from JSON.parse(body.chatflowId), it is not guaranteed to be an array. The subsequent loop for (let i = 0; i < chatflowIds.length; i++) relies on it being an array. Without this validation, malformed input could cause a server crash, creating a Denial of Service (DoS) vulnerability.

[harshit-flowise]

Approving this PR to revert changes that were accidentally merged.