more fixes

Author: N2D4

AGENTS.md

@@ -95,6 +95,7 @@ To see all development ports, refer to the index.html of `apps/dev-launchpad/pub
 - When building internal tools for Stack Auth developers (eg. internal interfaces like the WAL info log etc.): Make the interfaces look very concise, assume the user is a pro-user. This only applies to internal tools that are used primarily by Stack Auth developers.
 - When building frontend or React code for the dashboard, refer to DESIGN-GUIDE.md.
 - NEVER implement a hacky solution without EXPLICIT approval from the user. Always go the extra mile to make sure the solution is clean, maintainable, and robust.
+- Fail early, fail loud. Fail fast with an error instead of silently continuing.
 
 ### Code-related
 - Use ES6 maps instead of records wherever you can.

apps/backend/package.json

@@ -94,6 +94,7 @@
     "pg": "^8.16.3",
     "postgres": "^3.4.5",
     "posthog-node": "^4.1.0",
+    "re2": "^1.23.1",
     "react": "19.2.3",
     "react-dom": "19.2.3",
     "resend": "^6.0.1",
@@ -113,6 +114,7 @@
     "@types/nodemailer": "^6.4.14",
     "@types/oidc-provider": "^8.5.1",
     "@types/pg": "^8.16.0",
+    "@types/re2": "^1.10.8",
     "@types/react": "19.2.7",
     "@types/react-dom": "19.2.3",
     "@types/semver": "^7.5.8",

apps/backend/src/lib/cel-evaluator.ts

@@ -1,4 +1,5 @@
-import { evaluate, parse, CelEvaluationError, CelParseError, CelTypeError } from "cel-js";
+import { CelEvaluationError, CelParseError, CelTypeError, evaluate, parse } from "cel-js";
+import RE2 from "re2";
 
 /**
  * Context variables available for sign-up rule CEL expressions.
@@ -75,8 +76,12 @@ function preprocessExpression(
       }
       case 'matches': {
         try {
-          result = new RegExp(arg).test(varValue);
+          // Use RE2 for regex matching to prevent ReDoS attacks
+          // RE2 uses a linear-time matching algorithm, preventing catastrophic backtracking
+          const regex = new RE2(arg);
+          result = regex.test(varValue);
         } catch {
+          // Invalid regex pattern - treat as non-match
           result = false;
         }
         break;

apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/sign-up-rules/page-client.tsx

@@ -2,26 +2,26 @@
 
 import { ConditionBuilder } from "@/components/rule-builder";
 import {
-    ActionDialog,
-    Alert,
-    Button,
-    cn,
-    Input,
-    Select,
-    SelectContent,
-    SelectItem,
-    SelectTrigger,
-    SelectValue,
-    Spinner,
-    Switch,
-    Typography,
+  ActionDialog,
+  Alert,
+  Button,
+  cn,
+  Input,
+  Select,
+  SelectContent,
+  SelectItem,
+  SelectTrigger,
+  SelectValue,
+  Spinner,
+  Switch,
+  Typography,
 } from "@/components/ui";
 import {
-    createEmptyCondition,
-    createEmptyGroup,
-    parseCelToVisualTree,
-    visualTreeToCel,
-    type RuleNode,
+  createEmptyCondition,
+  createEmptyGroup,
+  parseCelToVisualTree,
+  visualTreeToCel,
+  type RuleNode,
 } from "@/lib/cel-visual-parser";
 import { useUpdateConfig } from "@/lib/config-update";
 import { closestCenter, DndContext, KeyboardSensor, PointerSensor, useSensor, useSensors, type DragEndEvent } from '@dnd-kit/core';

apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/sign-up-rules/page.tsx

@@ -1,5 +1,3 @@
-import PageClient from "./page-client";
+"use client";
 
-export default async function Page() {
-  return <PageClient />;
-}
+export { default } from "./page-client";

apps/dashboard/src/app/(main)/(protected)/projects/[projectId]/users/[userId]/page-client.tsx

@@ -6,42 +6,42 @@ import { InputField, SelectField } from "@/components/form-fields";
 import { StyledLink } from "@/components/link";
 import { SettingCard } from "@/components/settings";
 import {
-    Accordion,
-    AccordionContent,
-    AccordionItem,
-    AccordionTrigger,
-    ActionCell,
-    Alert,
-    AlertDescription,
-    AlertTitle,
-    Avatar,
-    AvatarFallback,
-    AvatarImage,
-    Button,
-    Dialog,
-    DialogContent,
-    DialogDescription,
-    DialogFooter,
-    DialogHeader,
-    DialogTitle,
-    DropdownMenu,
-    DropdownMenuContent,
-    DropdownMenuItem,
-    DropdownMenuSeparator,
-    DropdownMenuTrigger,
-    Input,
-    Separator,
-    SimpleTooltip,
-    Table,
-    TableBody,
-    TableCell,
-    TableHead,
-    TableHeader,
-    TableRow,
-    Textarea,
-    Typography,
-    cn,
-    useToast
+  Accordion,
+  AccordionContent,
+  AccordionItem,
+  AccordionTrigger,
+  ActionCell,
+  Alert,
+  AlertDescription,
+  AlertTitle,
+  Avatar,
+  AvatarFallback,
+  AvatarImage,
+  Button,
+  Dialog,
+  DialogContent,
+  DialogDescription,
+  DialogFooter,
+  DialogHeader,
+  DialogTitle,
+  DropdownMenu,
+  DropdownMenuContent,
+  DropdownMenuItem,
+  DropdownMenuSeparator,
+  DropdownMenuTrigger,
+  Input,
+  Separator,
+  SimpleTooltip,
+  Table,
+  TableBody,
+  TableCell,
+  TableHead,
+  TableHeader,
+  TableRow,
+  Textarea,
+  Typography,
+  cn,
+  useToast
 } from "@/components/ui";
 import { DeleteUserDialog, ImpersonateUserDialog } from "@/components/user-dialogs";
 import { useThemeWatcher } from '@/lib/theme';

apps/dashboard/src/components/rule-builder/condition-builder.tsx

@@ -2,13 +2,13 @@
 
 import { Button, cn } from "@/components/ui";
 import {
-    type ConditionField,
-    type ConditionNode,
-    type ConditionOperator,
-    createEmptyCondition,
-    createEmptyGroup,
-    type GroupNode,
-    type RuleNode,
+  type ConditionField,
+  type ConditionNode,
+  type ConditionOperator,
+  createEmptyCondition,
+  createEmptyGroup,
+  type GroupNode,
+  type RuleNode,
 } from "@/lib/cel-visual-parser";
 import { PlusIcon, TrashIcon } from "@phosphor-icons/react";
 import React from "react";

apps/dashboard/src/lib/cel-visual-parser.test.ts

@@ -0,0 +1,152 @@
+import { describe, it, expect } from 'vitest';
+import { visualTreeToCel, parseCelToVisualTree, createEmptyCondition } from './cel-visual-parser';
+
+describe('cel-visual-parser', () => {
+  describe('CEL string escaping', () => {
+    it('should escape double quotes in condition values', () => {
+      const condition = {
+        ...createEmptyCondition(),
+        field: 'email' as const,
+        operator: 'contains' as const,
+        value: 'test"value',
+      };
+
+      const cel = visualTreeToCel(condition);
+      // Should escape the quote
+      expect(cel).toBe('email.contains("test\\"value")');
+      // Should NOT contain unescaped quote that would break CEL
+      expect(cel).not.toMatch(/contains\("test"value"\)/);
+    });
+
+    it('should escape backslashes in condition values', () => {
+      const condition = {
+        ...createEmptyCondition(),
+        field: 'email' as const,
+        operator: 'contains' as const,
+        value: 'test\\value',
+      };
+
+      const cel = visualTreeToCel(condition);
+      // Should escape the backslash
+      expect(cel).toBe('email.contains("test\\\\value")');
+    });
+
+    it('should escape both quotes and backslashes together', () => {
+      const condition = {
+        ...createEmptyCondition(),
+        field: 'email' as const,
+        operator: 'equals' as const,
+        value: 'test\\"value',
+      };
+
+      const cel = visualTreeToCel(condition);
+      // Backslash escaped first, then quote
+      expect(cel).toBe('email == "test\\\\\\"value"');
+    });
+
+    it('should prevent CEL injection via malicious value', () => {
+      // Attacker tries: test" || true || "
+      // Without escaping this becomes: email == "test" || true || ""
+      // Which would always be true due to || true
+      const condition = {
+        ...createEmptyCondition(),
+        field: 'email' as const,
+        operator: 'equals' as const,
+        value: 'test" || true || "',
+      };
+
+      const cel = visualTreeToCel(condition);
+      // Should escape quotes, preventing injection
+      expect(cel).toBe('email == "test\\" || true || \\""');
+      // Should NOT allow the injection pattern
+      expect(cel).not.toContain('" || true || "');
+    });
+
+    it('should escape values in all operator types', () => {
+      const maliciousValue = 'inject"attack';
+
+      // Test equals
+      expect(visualTreeToCel({
+        ...createEmptyCondition(),
+        field: 'email' as const,
+        operator: 'equals' as const,
+        value: maliciousValue,
+      })).toContain('\\"');
+
+      // Test not_equals
+      expect(visualTreeToCel({
+        ...createEmptyCondition(),
+        field: 'email' as const,
+        operator: 'not_equals' as const,
+        value: maliciousValue,
+      })).toContain('\\"');
+
+      // Test matches
+      expect(visualTreeToCel({
+        ...createEmptyCondition(),
+        field: 'email' as const,
+        operator: 'matches' as const,
+        value: maliciousValue,
+      })).toContain('\\"');
+
+      // Test ends_with
+      expect(visualTreeToCel({
+        ...createEmptyCondition(),
+        field: 'email' as const,
+        operator: 'ends_with' as const,
+        value: maliciousValue,
+      })).toContain('\\"');
+
+      // Test starts_with
+      expect(visualTreeToCel({
+        ...createEmptyCondition(),
+        field: 'email' as const,
+        operator: 'starts_with' as const,
+        value: maliciousValue,
+      })).toContain('\\"');
+
+      // Test contains
+      expect(visualTreeToCel({
+        ...createEmptyCondition(),
+        field: 'email' as const,
+        operator: 'contains' as const,
+        value: maliciousValue,
+      })).toContain('\\"');
+    });
+
+    it('should escape values in in_list operator', () => {
+      const condition = {
+        ...createEmptyCondition(),
+        field: 'emailDomain' as const,
+        operator: 'in_list' as const,
+        value: ['safe.com', 'inject"attack.com', 'also\\bad.com'],
+      };
+
+      const cel = visualTreeToCel(condition);
+      expect(cel).toContain('inject\\"attack.com');
+      expect(cel).toContain('also\\\\bad.com');
+    });
+  });
+
+  describe('CEL to visual tree parsing', () => {
+    it('should parse simple equality condition', () => {
+      const result = parseCelToVisualTree('email == "test@example.com"');
+      expect(result).toBeDefined();
+      if (result?.type === 'condition') {
+        expect(result.field).toBe('email');
+        expect(result.operator).toBe('equals');
+        expect(result.value).toBe('test@example.com');
+      }
+    });
+
+    it('should parse endsWith condition', () => {
+      const result = parseCelToVisualTree('email.endsWith("@gmail.com")');
+      expect(result).toBeDefined();
+      if (result?.type === 'condition') {
+        expect(result.field).toBe('email');
+        expect(result.operator).toBe('ends_with');
+        expect(result.value).toBe('@gmail.com');
+      }
+    });
+  });
+});