fix: address critical bugs from comprehensive audit

- Fix array mutation in sortedImports: copy array before sorting to
  prevent side effects when getter is called multiple times
- Fix race condition in batch save: explicitly open documents before
  saving to ensure files not already open are properly saved
- Add ReDoS protection: detect potentially dangerous regex patterns
  with nested quantifiers and warn users
- Add invalid regex handling: try-catch around RegExp compilation
  with graceful fallback to never-matching pattern

Fixes found during comprehensive audit of import grouping,
batch operations, and configuration handling.

Author: JohannesHoppe

src/commands/batch-organizer.ts

@@ -348,23 +348,28 @@ export class BatchOrganizer {
 
         // CRITICAL: Save all modified documents to disk!
         // workspace.applyEdit() only modifies in-memory documents, doesn't save!
+        // NOTE: We must explicitly open each document because files that weren't already
+        // open may not appear in workspace.textDocuments (race condition fix).
         const saveFailed: string[] = [];
-        for (const [fileUriStr] of workspaceEdit.entries()) {
-          const doc = workspace.textDocuments.find(d => d.uri.fsPath === fileUriStr.fsPath);
-          if (doc && !doc.isUntitled && doc.isDirty) {
-            try {
+        let savedCount = 0;
+        for (const [fileUri] of workspaceEdit.entries()) {
+          try {
+            // Explicitly open the document to ensure it's in memory
+            const doc = await workspace.openTextDocument(fileUri);
+            if (!doc.isUntitled && doc.isDirty) {
               await doc.save();
-            } catch (saveError) {
-              saveFailed.push(doc.fileName);
-              errors++;
-              this.logger.appendLine(`[BatchOrganizer] Failed to save ${doc.fileName}: ${saveError}`);
+              savedCount++;
             }
+          } catch (saveError) {
+            saveFailed.push(fileUri.fsPath);
+            errors++;
+            this.logger.appendLine(`[BatchOrganizer] Failed to save ${fileUri.fsPath}: ${saveError}`);
           }
         }
         if (saveFailed.length > 0) {
           window.showWarningMessage(`Mini TypeScript Hero: Failed to save ${saveFailed.length} file(s). Check output for details.`);
         }
-        this.logger.appendLine(`[BatchOrganizer] Saved ${processed - saveFailed.length} files to disk`);
+        this.logger.appendLine(`[BatchOrganizer] Saved ${savedCount} files to disk`);
       } else {
         window.showErrorMessage('Mini TypeScript Hero: Failed to apply some edits');
         this.logger.appendLine('[BatchOrganizer] Failed to apply edits');

src/imports/import-grouping/keyword-import-group.ts

@@ -11,7 +11,8 @@ export class KeywordImportGroup implements ImportGroup {
   public readonly imports: Import[] = [];
 
   public get sortedImports(): Import[] {
-    return this.imports.sort((i1, i2) => importSort(i1, i2, this.order));
+    // IMPORTANT: Copy array before sorting to avoid mutating the original
+    return [...this.imports].sort((i1, i2) => importSort(i1, i2, this.order));
   }
 
   constructor(

src/imports/import-grouping/regex-import-group.ts

@@ -3,6 +3,17 @@ import { importSort } from '../import-utilities';
 import { ImportGroup } from './import-group';
 import { ImportGroupOrder } from './import-group-order';
 
+/**
+ * Detects potentially dangerous regex patterns that could cause catastrophic backtracking (ReDoS).
+ * Checks for nested quantifiers like (a+)+, (a*)+, etc.
+ */
+function isPotentiallyDangerousRegex(pattern: string): boolean {
+  // Detect nested quantifiers: (pattern)+ or (pattern)* where pattern contains + or *
+  // This is a simple heuristic, not comprehensive
+  const nestedQuantifierPattern = /\([^)]*[+*][^)]*\)[+*]/;
+  return nestedQuantifierPattern.test(pattern);
+}
+
 /**
  * Import group that processes all imports that match a certain regex (the lib name).
  */
@@ -11,7 +22,8 @@ export class RegexImportGroup implements ImportGroup {
   private readonly compiledRegex: RegExp;
 
   public get sortedImports(): Import[] {
-    const sorted = this.imports.sort((i1, i2) =>
+    // IMPORTANT: Copy array before sorting to avoid mutating the original
+    const sorted = [...this.imports].sort((i1, i2) =>
       importSort(i1, i2, this.order),
     );
     return [
@@ -39,7 +51,23 @@ export class RegexImportGroup implements ImportGroup {
     regexString = regexString.endsWith('/')
       ? regexString.substring(0, regexString.length - 1)
       : regexString;
-    this.compiledRegex = new RegExp(regexString);
+
+    // Check for potentially dangerous regex patterns (ReDoS protection)
+    // Note: We just log to debug console, which is visible in Extension Development Host
+    if (isPotentiallyDangerousRegex(regexString)) {
+      // eslint-disable-next-line no-console
+      console.warn(`[RegexImportGroup] Warning: Potentially dangerous regex pattern detected: ${this.regex}`);
+    }
+
+    // Try to compile regex, use fallback if invalid
+    try {
+      this.compiledRegex = new RegExp(regexString);
+    } catch {
+      // Invalid regex - use a pattern that never matches
+      // eslint-disable-next-line no-console
+      console.error(`[RegexImportGroup] Invalid regex pattern: ${this.regex}`);
+      this.compiledRegex = /(?!)/; // Never matches
+    }
   }
 
   public reset(): void {

src/imports/import-grouping/remain-import-group.ts

@@ -10,7 +10,8 @@ export class RemainImportGroup implements ImportGroup {
   public readonly imports: Import[] = [];
 
   public get sortedImports(): Import[] {
-    const sorted = this.imports.sort((i1, i2) =>
+    // IMPORTANT: Copy array before sorting to avoid mutating the original
+    const sorted = [...this.imports].sort((i1, i2) =>
       importSort(i1, i2, this.order),
     );
     return [