fix(core): prevent race condition in policy persistence (#18506)

Co-authored-by: Allen Hutchison <adh@google.com>
2026-04-30 15:04:16 -07:00 · 2026-02-10 15:35:09 -08:00
parent be2ebd1772
commit 6d3fff2ea4
6 changed files with 256 additions and 86 deletions
@@ -12,7 +12,7 @@ import {
  type SafetyCheckerRule,
  InProcessCheckerType,
 } from './types.js';
-import { buildArgsPatterns } from './utils.js';
+import { buildArgsPatterns, isSafeRegExp } from './utils.js';
 import fs from 'node:fs/promises';
 import path from 'node:path';
 import toml from '@iarna/toml';
@@ -356,7 +356,7 @@ export async function loadPoliciesFromToml(
                // Compile regex pattern
                if (argsPattern) {
                  try {
-                    policyRule.argsPattern = new RegExp(argsPattern);
+                    new RegExp(argsPattern);
                  } catch (e) {
                    // eslint-disable-next-line @typescript-eslint/no-unsafe-type-assertion
                    const error = e as Error;
@@ -370,9 +370,24 @@ export async function loadPoliciesFromToml(
                      suggestion:
                        'Check regex syntax for errors like unmatched brackets or invalid escape sequences',
                    });
-                    // Skip this rule if regex compilation fails
                    return null;
                  }
+
+                  if (!isSafeRegExp(argsPattern)) {
+                    errors.push({
+                      filePath,
+                      fileName: file,
+                      tier: tierName,
+                      errorType: 'regex_compilation',
+                      message: 'Unsafe regex pattern (potential ReDoS)',
+                      details: `Pattern: ${argsPattern}`,
+                      suggestion:
+                        'Avoid nested quantifiers or extremely long patterns',
+                    });
+                    return null;
+                  }
+
+                  policyRule.argsPattern = new RegExp(argsPattern);
                }

                return policyRule;
@@ -421,7 +436,7 @@ export async function loadPoliciesFromToml(

                if (argsPattern) {
                  try {
-                    safetyCheckerRule.argsPattern = new RegExp(argsPattern);
+                    new RegExp(argsPattern);
                  } catch (e) {
                    // eslint-disable-next-line @typescript-eslint/no-unsafe-type-assertion
                    const error = e as Error;
@@ -435,6 +450,21 @@ export async function loadPoliciesFromToml(
                    });
                    return null;
                  }
+
+                  if (!isSafeRegExp(argsPattern)) {
+                    errors.push({
+                      filePath,
+                      fileName: file,
+                      tier: tierName,
+                      errorType: 'regex_compilation',
+                      message:
+                        'Unsafe regex pattern in safety checker (potential ReDoS)',
+                      details: `Pattern: ${argsPattern}`,
+                    });
+                    return null;
+                  }
+
+                  safetyCheckerRule.argsPattern = new RegExp(argsPattern);
                }

                return safetyCheckerRule;