
fix(security): resolve ReDoS vulnerability in function execute tag pattern#4149

Merged
waleedlatif1 merged 4 commits into staging from waleedlatif1/san-juan-v5
Apr 14, 2026

Conversation

@waleedlatif1
Collaborator

Summary

  • Simplified regex in resolveTagVariables to eliminate overlapping quantifiers ([a-zA-Z0-9_.]*[a-zA-Z0-9_]) that caused exponential backtracking on malformed input (e.g., <aaaa... without closing >)
  • Also dismissed 7 pre-existing CodeQL SSRF false positives across Confluence, TTS, STT, Google Sheets, and Excel routes — all use hardcoded domains with validated input

Type of Change

  • Bug fix

Testing

  • bun run lint passes
  • bun run test — all 5031 tests pass (5 pre-existing import failures unrelated)
  • TypeScript compiles clean (pre-existing type errors only in templates/file-viewer)

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

…ttern

Simplified regex to eliminate overlapping quantifiers that caused exponential
backtracking on malformed input without closing delimiter.
@vercel

vercel bot commented Apr 14, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project Deployment Actions Updated (UTC)
docs Skipped Skipped Apr 14, 2026 3:21am


@cursor

cursor bot commented Apr 14, 2026

PR Summary

Low Risk
Low risk: change is localized to tag parsing in the function-execution API and swaps a regex implementation to reduce ReDoS risk, with minimal behavioral impact expected beyond which substrings are considered tag matches.

Overview
Updates function tag resolution in apps/sim/app/api/function/execute/route.ts to use the shared createReferencePattern() (cached as TAG_PATTERN) instead of an inline reference-matching regex.

This removes the previous potentially backtracking-heavy pattern and centralizes tag parsing behavior to the common reference-validation utility, mitigating ReDoS risk from malformed/untrusted code inputs.

Reviewed by Cursor Bugbot for commit 4e21a08. Configure here.

@greptile-apps
Contributor

greptile-apps bot commented Apr 14, 2026

Greptile Summary

This PR fixes a ReDoS vulnerability in resolveTagVariables by replacing an inline regex with overlapping quantifiers with the codebase-standard createReferencePattern() utility (which produces <([^<>]+)> — a negated character class that cannot catastrophically backtrack). The hoisting of TAG_PATTERN to module level is safe because String.prototype.match() resets lastIndex to 0 before each call, so the shared global RegExp instance has no stale-state risk across requests.

Confidence Score: 5/5

  • Safe to merge — targeted security fix with no correctness regressions or new risks introduced.
  • The change is a minimal, well-scoped replacement of a ReDoS-vulnerable regex with the codebase-standard pattern. The new pattern [^<>]+ is linear and cannot catastrophically backtrack. The module-level hoisting with .match() is safe (lastIndex is reset). All remaining items from prior review threads are resolved. No P0/P1 findings.
  • No files require special attention.

Important Files Changed

Filename Overview
apps/sim/app/api/function/execute/route.ts Replaced vulnerable inline regex in resolveTagVariables with module-level TAG_PATTERN = createReferencePattern(), which uses [^<>]+ to eliminate catastrophic backtracking. No correctness regressions detected.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["resolveTagVariables(code, ...)"] --> B["resolvedCode.match(TAG_PATTERN)"]
    B --> C{"matches found?"}
    C -- "no" --> Z["return resolvedCode"]
    C -- "yes" --> D["for each match"]
    D --> E["slice <...> to get tagName"]
    E --> F["resolveBlockReference(blockName, fieldPath)"]
    F --> G{"result found?"}
    G -- "no" --> D
    G -- "yes" --> H{"tagValue === undefined?"}
    H -- "yes" --> I["replace match with 'undefined'/'None'"]
    H -- "no" --> J["build safeVarName\n__tag_..."]
    J --> K["contextVariables[safeVarName] = tagValue"]
    K --> L["replace match with safeVarName in code"]
    I --> D
    L --> D
    D --> Z

    style B fill:#d4edda,stroke:#28a745
    note1["TAG_PATTERN = createReferencePattern()\n= /<([^<>]+)>/g\n(no ReDoS risk)"]

Reviews (3): Last reviewed commit: "refactor(security): use createReferenceP..." | Re-trigger Greptile
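As an added example (not code from the PR or the project it targets), here is a minimal TypeScript version of the tag resolution the review above describes: the same linear `<([^<>]+)>` pattern hoisted to module level, a resolver that swaps each `<block.field>` tag for a `__tag_` variable, and a check that the PR description's malformed `<aaaa...` input with no closing `>` is rejected in linear time. makeTagPattern, BLOCKS, resolveBlockReference and timeMalformed are stand-ins assumed here for illustration.

```typescript
// Added example, not the project's code. It mirrors the shape of the fix described
// above: a module-level linear-time tag pattern plus a resolver that swaps each
// <block.field> tag for a safe variable name. makeTagPattern, BLOCKS,
// resolveBlockReference and timeMalformed are stand-ins assumed for illustration.
// Stand-in for createReferencePattern(): a negated character class cannot
// backtrack catastrophically, because each input position is tried at most once.
function makeTagPattern(): RegExp {
  return /<([^<>]+)>/g
}
// Hoisted to module level like TAG_PATTERN in the PR. String.prototype.match()
// with a /g regex resets lastIndex to 0 before scanning, so sharing is safe.
const TAG_PATTERN = makeTagPattern()
// Constructed block outputs; resolveBlockReference returns undefined for an
// unknown block or field so that tag is left untouched in the code.
const BLOCKS: Record<string, Record<string, unknown>> = {
  start: { input: 'hello', count: 3 },
  agent: { output: undefined },
}
function resolveBlockReference(blockName: string, fieldPath: string) {
  const block = BLOCKS[blockName]
  if (!block || !(fieldPath in block)) return undefined
  return { value: block[fieldPath] }
}
function resolveTagVariables(code: string): { code: string; vars: Record<string, unknown> } {
  const vars: Record<string, unknown> = {}
  const matches = code.match(TAG_PATTERN)
  if (!matches) return { code, vars }
  for (const match of matches) {
    const tagName = match.slice(1, -1) // drop "<" and ">"
    const [blockName, ...rest] = tagName.split('.')
    const result = resolveBlockReference(blockName, rest.join('.'))
    if (!result) continue
    if (result.value === undefined) { // JS target; a Python target would use 'None'
      code = code.split(match).join('undefined')
      continue
    }
    const safeVarName = '__tag_' + tagName.replace(/[^a-zA-Z0-9_]/g, '_')
    vars[safeVarName] = result.value
    code = code.split(match).join(safeVarName)
  }
  return { code, vars }
}
// Malformed input from the PR description: "<" plus many name characters and no
// closing ">". Returns elapsed milliseconds; the negated class rejects it linearly.
function timeMalformed(n: number): number {
  const t0 = Date.now()
  resolveTagVariables('<' + 'a'.repeat(n))
  return Date.now() - t0
}
```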

Matches createReferencePattern() from reference-validation.ts used by the
core executor. Invalid refs handled gracefully by resolveBlockReference.
@waleedlatif1
Collaborator Author

@greptile

@waleedlatif1
Collaborator Author

@cursor review

@waleedlatif1
Collaborator Author

@greptile

@waleedlatif1
Collaborator Author

@cursor review


@cursor cursor bot left a comment


✅ Bugbot reviewed your changes and found no new issues!

Comment @cursor review or bugbot run to trigger another review on this PR

Reviewed by Cursor Bugbot for commit 4e21a08. Configure here.

@waleedlatif1 waleedlatif1 merged commit 0e6ada4 into staging Apr 14, 2026
14 checks passed
@waleedlatif1 waleedlatif1 deleted the waleedlatif1/san-juan-v5 branch April 14, 2026 03:34