fix(security): resolve ReDoS vulnerability in function execute tag pattern (#4149)

waleedlatif1 · web-flow · commit 0e6ada4bdbe5 · 2026-04-13T20:34:25.000-07:00
* fix(security): resolve ReDoS vulnerability in function execute tag pattern

Simplified regex to eliminate overlapping quantifiers that caused exponential
backtracking on malformed input without closing delimiter.

* fix(security): exclude trailing-dot refs and hoist tag pattern to module level

* fix(security): align tag pattern with codebase standard [^&lt;&gt;]+ pattern

Matches createReferencePattern() from reference-validation.ts used by the
core executor. Invalid refs handled gracefully by resolveBlockReference.

* refactor(security): use createReferencePattern() instead of inline regex
diff --git a/apps/sim/app/api/function/execute/route.ts b/apps/sim/app/api/function/execute/route.ts
@@ -18,6 +18,7 @@ import { type OutputSchema, resolveBlockReference } from '@/executor/utils/block
 import { formatLiteralForCode } from '@/executor/utils/code-formatting'
 import {
   createEnvVarPattern,
+  createReferencePattern,
   createWorkflowVariablePattern,
 } from '@/executor/utils/reference-validation'
 export const dynamic = 'force-dynamic'
@@ -27,6 +28,8 @@ export const MAX_DURATION = 210
 
 const logger = createLogger('FunctionExecuteAPI')
 
+const TAG_PATTERN = createReferencePattern()
+
 const E2B_JS_WRAPPER_LINES = 3
 const E2B_PYTHON_WRAPPER_LINES = 1
 
@@ -493,11 +496,7 @@ function resolveTagVariables(
   let resolvedCode = code
   const undefinedLiteral = language === 'python' ? 'None' : 'undefined'
 
-  const tagPattern = new RegExp(
-    `${REFERENCE.START}([a-zA-Z_](?:[a-zA-Z0-9_${REFERENCE.PATH_DELIMITER}]*[a-zA-Z0-9_])?)${REFERENCE.END}`,
-    'g'
-  )
-  const tagMatches = resolvedCode.match(tagPattern) || []
+  const tagMatches = resolvedCode.match(TAG_PATTERN) || []
 
   for (const match of tagMatches) {
     const tagName = match.slice(REFERENCE.START.length, -REFERENCE.END.length).trim()
