fix(core): prevent race condition in policy persistence (#18506)

Co-authored-by: Allen Hutchison <adh@google.com>

packages/core/src/policy/utils.ts

@@ -11,6 +11,37 @@ export function escapeRegex(text: string): string {
   return text.replace(/[-[\]{}()*+?.,\\^$|#\s"]/g, '\\$&');
 }
 
+/**
+ * Basic validation for regular expressions to prevent common ReDoS patterns.
+ * This is a heuristic check and not a substitute for a full ReDoS scanner.
+ */
+export function isSafeRegExp(pattern: string): boolean {
+  try {
+    // 1. Ensure it's a valid regex
+    new RegExp(pattern);
+  } catch {
+    return false;
+  }
+
+  // 2. Limit length to prevent extremely long regexes
+  if (pattern.length > 2048) {
+    return false;
+  }
+
+  // 3. Heuristic: Check for nested quantifiers which are a primary source of ReDoS.
+  // Examples: (a+)+, (a|b)*, (.*)*, ([a-z]+)+
+  // We look for a group (...) followed by a quantifier (+, *, or {n,m})
+  // where the group itself contains a quantifier.
+  // This matches a '(' followed by some content including a quantifier, then ')',
+  // followed by another quantifier.
+  const nestedQuantifierPattern = /\([^)]*[*+?{].*\)[*+?{]/;
+  if (nestedQuantifierPattern.test(pattern)) {
+    return false;
+  }
+
+  return true;
+}
+
 /**
  * Builds a list of args patterns for policy matching.
  *