Add protections for loop-bound injections

Author: christopherholland-workday

packages/components/evaluation/EvaluationRunner.ts

@@ -88,6 +88,27 @@ export class EvaluationRunner {
 
     public async runEvaluations(data: ICommonObject) {
         const chatflowIds = JSON.parse(data.chatflowId)
+
+        // Validate chatflowIds is an actual array to prevent DoS attacks
+        if (!Array.isArray(chatflowIds)) {
+            throw new Error('chatflowId must be a valid array')
+        }
+
+        const MAX_CHATFLOWS = 1000
+        if (chatflowIds.length > MAX_CHATFLOWS) {
+            throw new Error(`Cannot evaluate more than ${MAX_CHATFLOWS} chatflows at once`)
+        }
+
+        // Validate dataset.rows is an actual array to prevent DoS attacks
+        if (!data.dataset || !Array.isArray(data.dataset.rows)) {
+            throw new Error('dataset.rows must be a valid array')
+        }
+
+        const MAX_ROWS = 1000
+        if (data.dataset.rows.length > MAX_ROWS) {
+            throw new Error(`Dataset cannot exceed ${MAX_ROWS} rows`)
+        }
+
         const returnData: ICommonObject = {}
         returnData.evaluationId = data.evaluationId
         returnData.runDate = new Date()

packages/server/src/services/evaluations/EvaluatorRunner.ts

@@ -10,13 +10,31 @@ interface EvaluatorReturnType {
     result: 'Pass' | 'Fail' | 'Error'
 }
 
+// Limit maximum array sizes to prevent DoS attacks
+const MAX_OUTPUTS = 10000
+const MAX_EVALUATORS = 1000
+const MAX_SPLIT_VALUES = 1000
+
 export const runAdditionalEvaluators = async (
     metricsArray: ICommonObject[],
     actualOutputArray: string[],
     errorArray: string[],
     selectedEvaluators: string[],
     workspaceId: string
 ) => {
+    // Validate inputs are arrays and enforce size limits
+    if (!Array.isArray(actualOutputArray) || !Array.isArray(selectedEvaluators)) {
+        throw new Error('Invalid input: expected arrays')
+    }
+
+    if (actualOutputArray.length > MAX_OUTPUTS) {
+        throw new Error(`Too many outputs: maximum allowed is ${MAX_OUTPUTS}`)
+    }
+
+    if (selectedEvaluators.length > MAX_EVALUATORS) {
+        throw new Error(`Too many evaluators: maximum allowed is ${MAX_EVALUATORS}`)
+    }
+
     const evaluationResults: any[] = []
     const evaluatorDict: any = {}
 
@@ -103,6 +121,11 @@ export const runAdditionalEvaluators = async (
                         case 'ContainsAny':
                             passed = false
                             splitValues = value.split(',').map((v) => v.trim().toLowerCase()) // Split, trim, and convert to lowercase
+                            // Limit split values to prevent unbounded iteration
+                            if (splitValues.length > MAX_SPLIT_VALUES) {
+                                throw new Error(`Too many split values: maximum allowed is ${MAX_SPLIT_VALUES}`)
+                            }
+
                             for (let i = 0; i < splitValues.length; i++) {
                                 if (actualOutput.includes(splitValues[i])) {
                                     passed = true
@@ -117,6 +140,11 @@ export const runAdditionalEvaluators = async (
                         case 'ContainsAll':
                             passed = true
                             splitValues = value.split(',').map((v) => v.trim().toLowerCase()) // Split, trim, and convert to lowercase
+                            // Limit split values to prevent unbounded iteration
+                            if (splitValues.length > MAX_SPLIT_VALUES) {
+                                throw new Error(`Too many split values: maximum allowed is ${MAX_SPLIT_VALUES}`)
+                            }
+
                             for (let i = 0; i < splitValues.length; i++) {
                                 if (!actualOutput.includes(splitValues[i])) {
                                     passed = false
@@ -131,6 +159,11 @@ export const runAdditionalEvaluators = async (
                         case 'DoesNotContainAny':
                             passed = true
                             splitValues = value.split(',').map((v) => v.trim().toLowerCase()) // Split, trim, and convert to lowercase
+                            // Limit split values to prevent unbounded iteration
+                            if (splitValues.length > MAX_SPLIT_VALUES) {
+                                throw new Error(`Too many split values: maximum allowed is ${MAX_SPLIT_VALUES}`)
+                            }
+
                             for (let i = 0; i < splitValues.length; i++) {
                                 if (actualOutput.includes(splitValues[i])) {
                                     passed = false
@@ -145,6 +178,11 @@ export const runAdditionalEvaluators = async (
                         case 'DoesNotContainAll':
                             passed = true
                             splitValues = value.split(',').map((v) => v.trim().toLowerCase()) // Split, trim, and convert to lowercase
+                            // Limit split values to prevent unbounded iteration
+                            if (splitValues.length > MAX_SPLIT_VALUES) {
+                                throw new Error(`Too many split values: maximum allowed is ${MAX_SPLIT_VALUES}`)
+                            }
+
                             for (let i = 0; i < splitValues.length; i++) {
                                 if (actualOutput.includes(splitValues[i])) {
                                     passed = false

packages/server/src/services/evaluations/index.ts

@@ -72,14 +72,44 @@ const createEvaluation = async (body: ICommonObject, baseURL: string, orgId: str
         const row = appServer.AppDataSource.getRepository(Evaluation).create(newEval)
         row.average_metrics = JSON.stringify({})
 
+        // Parse and validate evaluator arrays to prevent DoS attacks
+        const chatflowTypes = body.chatflowType ? JSON.parse(body.chatflowType) : []
+        if (!Array.isArray(chatflowTypes)) {
+            throw new Error('chatflowType must be a valid array')
+        }
+
+        const MAX_CHATFLOW_TYPES = 1000
+        if (chatflowTypes.length > MAX_CHATFLOW_TYPES) {
+            throw new Error(`Cannot evaluate more than ${MAX_CHATFLOW_TYPES} chatflow types at once`)
+        }
+
+        const simpleEvaluators = body.selectedSimpleEvaluators.length > 0 ? JSON.parse(body.selectedSimpleEvaluators) : []
+        if (!Array.isArray(simpleEvaluators)) {
+            throw new Error('selectedSimpleEvaluators must be a valid array')
+        }
+
+        const MAX_EVALUATORS = 1000
+        if (simpleEvaluators.length > MAX_EVALUATORS) {
+            throw new Error(`Cannot use more than ${MAX_EVALUATORS} simple evaluators at once`)
+        }
+
         const additionalConfig: ICommonObject = {
-            chatflowTypes: body.chatflowType ? JSON.parse(body.chatflowType) : [],
+            chatflowTypes: chatflowTypes,
             datasetAsOneConversation: body.datasetAsOneConversation,
-            simpleEvaluators: body.selectedSimpleEvaluators.length > 0 ? JSON.parse(body.selectedSimpleEvaluators) : []
+            simpleEvaluators: simpleEvaluators
         }
 
         if (body.evaluationType === 'llm') {
-            additionalConfig.lLMEvaluators = body.selectedLLMEvaluators.length > 0 ? JSON.parse(body.selectedLLMEvaluators) : []
+            const lLMEvaluators = body.selectedLLMEvaluators.length > 0 ? JSON.parse(body.selectedLLMEvaluators) : []
+            if (!Array.isArray(lLMEvaluators)) {
+                throw new Error('selectedLLMEvaluators must be a valid array')
+            }
+
+            if (lLMEvaluators.length > MAX_EVALUATORS) {
+                throw new Error(`Cannot use more than ${MAX_EVALUATORS} LLM evaluators at once`)
+            }
+
+            additionalConfig.lLMEvaluators = lLMEvaluators
             additionalConfig.llmConfig = {
                 credentialId: body.credentialId,
                 llm: body.llm,
@@ -123,6 +153,17 @@ const createEvaluation = async (body: ICommonObject, baseURL: string, orgId: str
         // When chatflow has an APIKey
         const apiKeys: { chatflowId: string; apiKey: string }[] = []
         const chatflowIds = JSON.parse(body.chatflowId)
+
+        // Validate chatflowIds is an actual array to prevent DoS attacks
+        if (!Array.isArray(chatflowIds)) {
+            throw new Error('chatflowId must be a valid array')
+        }
+
+        const MAX_CHATFLOWS_EVAL = 100
+        if (chatflowIds.length > MAX_CHATFLOWS_EVAL) {
+            throw new Error(`Cannot evaluate more than ${MAX_CHATFLOWS_EVAL} chatflows at once`)
+        }
+
         for (let i = 0; i < chatflowIds.length; i++) {
             const chatflowId = chatflowIds[i]
             const cFlow = await appServer.AppDataSource.getRepository(ChatFlow).findOneBy({
@@ -246,7 +287,7 @@ const createEvaluation = async (body: ICommonObject, baseURL: string, orgId: str
                             metricsArray,
                             actualOutputArray,
                             errorArray,
-                            body.selectedSimpleEvaluators.length > 0 ? JSON.parse(body.selectedSimpleEvaluators) : [],
+                            additionalConfig.simpleEvaluators,
                             workspaceId
                         )
 
@@ -257,7 +298,7 @@ const createEvaluation = async (body: ICommonObject, baseURL: string, orgId: str
 
                         if (body.evaluationType === 'llm') {
                             resultRow.llmConfig = additionalConfig.llmConfig
-                            resultRow.LLMEvaluators = body.selectedLLMEvaluators.length > 0 ? JSON.parse(body.selectedLLMEvaluators) : []
+                            resultRow.LLMEvaluators = additionalConfig.lLMEvaluators
                             const llmEvaluatorMap: { evaluatorId: string; evaluator: any }[] = []
                             for (let i = 0; i < resultRow.LLMEvaluators.length; i++) {
                                 const evaluatorId = resultRow.LLMEvaluators[i]