Add protections for loop-bound injections

[christopherholland-workday]

Follow up of #5773 which was accidentally merged.

Adds DoS protections via input validation/ ensuring that the array is valid.

[gemini-code-assist]

Summary of Changes

Hello @christopherholland-workday, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces critical security enhancements by adding comprehensive input validation to prevent Denial of Service attacks stemming from malformed array inputs. By ensuring that various parameters, particularly those used in loops or array operations, are correctly formatted arrays, the changes safeguard the application against potential loop-bound injection vulnerabilities and improve overall system stability and resilience.

Highlights

• Input Validation: Implemented robust input validation checks across multiple evaluation-related services to ensure that expected array inputs are indeed arrays, preventing potential Denial of Service (DoS) attacks.
• DoS Protection: Specifically targeted loop-bound injection vulnerabilities by validating array types for chatflowIds, dataset.rows, actualOutputArray, selectedEvaluators, chatflowType, selectedSimpleEvaluators, and selectedLLMEvaluators before processing.
• Code Refactoring: Refactored the createEvaluation function to store parsed and validated evaluator arrays in additionalConfig, streamlining their usage and reducing redundant parsing/validation logic.

Changelog

• packages/components/evaluation/EvaluationRunner.ts
  • Added validation to ensure chatflowIds and data.dataset.rows are valid arrays before processing.
• packages/server/src/services/evaluations/EvaluatorRunner.ts
  • Introduced validation for actualOutputArray and selectedEvaluators to confirm they are arrays at the start of the runAdditionalEvaluators function.
• packages/server/src/services/evaluations/index.ts
  • Added validation for chatflowType, selectedSimpleEvaluators, and selectedLLMEvaluators after JSON parsing.
  • Refactored the assignment of evaluator arrays to additionalConfig to use pre-validated variables.
  • Included validation for chatflowIds after JSON parsing before iterating through them.
  • Updated calls to runAdditionalEvaluators and resultRow.LLMEvaluators to use the validated additionalConfig properties.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces important input validation to protect against potential Denial of Service attacks by ensuring that inputs expected to be arrays are correctly validated. The changes are a good step towards improving the application's security and robustness. I've included a few suggestions to further enhance these protections and improve code quality, mainly focusing on handling potential crashes from invalid input, addressing a discrepancy between a comment and its implementation, and a refactoring opportunity to reduce code duplication.

[gemini-code-assist]

There's repetition in parsing and validating arrays from the request body (chatflowTypes, simpleEvaluators, lLMEvaluators). To improve code clarity and maintainability, consider extracting this logic into a helper function. This would also be a good place to handle potential JSON.parse errors with a try-catch block for more specific error messages.

Example:
const parseJsonArray = (input: string | undefined, fieldName: string): any[] => {
if (!input) {
return [];
}
try {
const parsed = JSON.parse(input);
if (!Array.isArray(parsed)) {
throw new Error(${fieldName} must be a valid array);
}
return parsed;
} catch (e) {
throw new Error(Invalid JSON for ${fieldName}: ${e.message});
}
};

References

1. Prioritize code readability and understandability over conciseness. A series of simple, chained operations can be preferable to a single, more complex one if it improves understandability and reduces the potential for future errors.

[HenryHengZJ]

can we get rid of the comments ...prevent DoS attack