fix(security): resolve exponential ReDoS in globmatch via dynamic programming (fixes #241)

[iapoorv01]

Context

The Pathway document-store REST endpoints (/v1/inputs, /v1/retrieve, /v2/answer) expose the filepath_globpattern parameter to unauthenticated requests. Currently, this pattern is compiled into a custom globmatch JMESPath expression and evaluated using _globmatch_impl.

Because _globmatch_impl recursed on two branches for every ** wildcard without state caching, it suffered from a classic Algorithmic Complexity vulnerability (CWE-400 / ReDoS). A maliciously crafted unauthenticated payload (e.g., **/a/**/a/**/a/**/a/**/b) forced $O(2^k)$ exponential recursive calls, effectively pinning a worker CPU core indefinitely and causing a Denial of Service.

Evaluation of Remediation Approaches

When addressing this vulnerability, three primary mitigation strategies were evaluated:

1. API-Level Validation (Capping ** segments or string length)
   • Pros: Quick to implement at the schema level.
   • Cons: This is a band-aid solution that treats the symptom, not the disease. It unfairly limits legitimate users who have deeply nested directory structures and requires maintaining validation logic across multiple (and future) REST schemas.
2. Regex Automaton Translation
   • Pros: Compiling the glob to a standard regular expression utilizes C-optimized matchers.
   • Cons: High risk of breaking backward compatibility. Translating fnmatch semantics perfectly into Regex edge-cases is error-prone and can sometimes introduce native ReDoS vulnerabilities in the re module itself.
3. Dynamic Programming via State Memoization (Selected Approach)
   • Pros: Surgically neutralizes the root cause while remaining 100% semantically identical to the original logic.

What this PR does

This PR implements Approach 3 (Memoization).
I rewrote _globmatch_impl to pass a memo dictionary down the recursive stack, explicitly caching the (pat_i, p_i) state grid.

• This algebraically crushes the matching time complexity from Exponential $O(2^k)$ down to Polynomial $O(N \times M)$ (where N and M are the lengths of the pattern and path).
• Heavy payload benchmarks that previously timed out after minutes now evaluate in < 1ms.
• No API-level input capping is required, preserving maximum functionality for users.
• Note: Also included a missing import jmespath.exceptions at the top of the file to resolve a latent IDE unresolved-reference warning on line 252.

How has this been tested?

• Local Benchmarking: Verified locally against the malicious PoC payload (**/a/**/a/**/a...). The un-memoized implementation hung indefinitely; the memoized implementation returned immediately.
• Regression testing: Relies on the standard CI/CD pytest suite to ensure no existing JMESPath metadata filtering tests are broken by the memo dictionary inclusion.

Related issue(s):

1. Resolves Unauthenticated exponential-complexity DoS via filepath_globpattern on the document-store / RAG REST endpoints #241

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature or improvement (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Documentation update