Add protections for loop-bound injections

christopherholland-workday · christopherholland-workday · commit c75f4fcb2d0f · 2026-02-25T13:43:15.000-08:00
diff --git a/packages/components/evaluation/EvaluationRunner.ts b/packages/components/evaluation/EvaluationRunner.ts
@@ -94,21 +94,11 @@ export class EvaluationRunner {
             throw new Error('chatflowId must be a valid array')
         }
 
-        const MAX_CHATFLOWS = 1000
-        if (chatflowIds.length > MAX_CHATFLOWS) {
-            throw new Error(`Cannot evaluate more than ${MAX_CHATFLOWS} chatflows at once`)
-        }
-
         // Validate dataset.rows is an actual array to prevent DoS attacks
         if (!data.dataset || !Array.isArray(data.dataset.rows)) {
             throw new Error('dataset.rows must be a valid array')
         }
 
-        const MAX_ROWS = 1000
-        if (data.dataset.rows.length > MAX_ROWS) {
-            throw new Error(`Dataset cannot exceed ${MAX_ROWS} rows`)
-        }
-
         const returnData: ICommonObject = {}
         returnData.evaluationId = data.evaluationId
         returnData.runDate = new Date()
diff --git a/packages/server/src/services/evaluations/EvaluatorRunner.ts b/packages/server/src/services/evaluations/EvaluatorRunner.ts
@@ -10,11 +10,6 @@ interface EvaluatorReturnType {
     result: 'Pass' | 'Fail' | 'Error'
 }
 
-// Limit maximum array sizes to prevent DoS attacks
-const MAX_OUTPUTS = 10000
-const MAX_EVALUATORS = 1000
-const MAX_SPLIT_VALUES = 1000
-
 export const runAdditionalEvaluators = async (
     metricsArray: ICommonObject[],
     actualOutputArray: string[],
@@ -27,14 +22,6 @@ export const runAdditionalEvaluators = async (
         throw new Error('Invalid input: expected arrays')
     }
 
-    if (actualOutputArray.length > MAX_OUTPUTS) {
-        throw new Error(`Too many outputs: maximum allowed is ${MAX_OUTPUTS}`)
-    }
-
-    if (selectedEvaluators.length > MAX_EVALUATORS) {
-        throw new Error(`Too many evaluators: maximum allowed is ${MAX_EVALUATORS}`)
-    }
-
     const evaluationResults: any[] = []
     const evaluatorDict: any = {}
 
@@ -121,10 +108,6 @@ export const runAdditionalEvaluators = async (
                         case 'ContainsAny':
                             passed = false
                             splitValues = value.split(',').map((v) => v.trim().toLowerCase()) // Split, trim, and convert to lowercase
-                            // Limit split values to prevent unbounded iteration
-                            if (splitValues.length > MAX_SPLIT_VALUES) {
-                                throw new Error(`Too many split values: maximum allowed is ${MAX_SPLIT_VALUES}`)
-                            }
 
                             for (let i = 0; i < splitValues.length; i++) {
                                 if (actualOutput.includes(splitValues[i])) {
@@ -140,10 +123,6 @@ export const runAdditionalEvaluators = async (
                         case 'ContainsAll':
                             passed = true
                             splitValues = value.split(',').map((v) => v.trim().toLowerCase()) // Split, trim, and convert to lowercase
-                            // Limit split values to prevent unbounded iteration
-                            if (splitValues.length > MAX_SPLIT_VALUES) {
-                                throw new Error(`Too many split values: maximum allowed is ${MAX_SPLIT_VALUES}`)
-                            }
 
                             for (let i = 0; i < splitValues.length; i++) {
                                 if (!actualOutput.includes(splitValues[i])) {
@@ -159,10 +138,6 @@ export const runAdditionalEvaluators = async (
                         case 'DoesNotContainAny':
                             passed = true
                             splitValues = value.split(',').map((v) => v.trim().toLowerCase()) // Split, trim, and convert to lowercase
-                            // Limit split values to prevent unbounded iteration
-                            if (splitValues.length > MAX_SPLIT_VALUES) {
-                                throw new Error(`Too many split values: maximum allowed is ${MAX_SPLIT_VALUES}`)
-                            }
 
                             for (let i = 0; i < splitValues.length; i++) {
                                 if (actualOutput.includes(splitValues[i])) {
@@ -178,10 +153,6 @@ export const runAdditionalEvaluators = async (
                         case 'DoesNotContainAll':
                             passed = true
                             splitValues = value.split(',').map((v) => v.trim().toLowerCase()) // Split, trim, and convert to lowercase
-                            // Limit split values to prevent unbounded iteration
-                            if (splitValues.length > MAX_SPLIT_VALUES) {
-                                throw new Error(`Too many split values: maximum allowed is ${MAX_SPLIT_VALUES}`)
-                            }
 
                             for (let i = 0; i < splitValues.length; i++) {
                                 if (actualOutput.includes(splitValues[i])) {
diff --git a/packages/server/src/services/evaluations/index.ts b/packages/server/src/services/evaluations/index.ts
@@ -78,21 +78,11 @@ const createEvaluation = async (body: ICommonObject, baseURL: string, orgId: str
             throw new Error('chatflowType must be a valid array')
         }
 
-        const MAX_CHATFLOW_TYPES = 1000
-        if (chatflowTypes.length > MAX_CHATFLOW_TYPES) {
-            throw new Error(`Cannot evaluate more than ${MAX_CHATFLOW_TYPES} chatflow types at once`)
-        }
-
         const simpleEvaluators = body.selectedSimpleEvaluators.length > 0 ? JSON.parse(body.selectedSimpleEvaluators) : []
         if (!Array.isArray(simpleEvaluators)) {
             throw new Error('selectedSimpleEvaluators must be a valid array')
         }
 
-        const MAX_EVALUATORS = 1000
-        if (simpleEvaluators.length > MAX_EVALUATORS) {
-            throw new Error(`Cannot use more than ${MAX_EVALUATORS} simple evaluators at once`)
-        }
-
         const additionalConfig: ICommonObject = {
             chatflowTypes: chatflowTypes,
             datasetAsOneConversation: body.datasetAsOneConversation,
@@ -105,10 +95,6 @@ const createEvaluation = async (body: ICommonObject, baseURL: string, orgId: str
                 throw new Error('selectedLLMEvaluators must be a valid array')
             }
 
-            if (lLMEvaluators.length > MAX_EVALUATORS) {
-                throw new Error(`Cannot use more than ${MAX_EVALUATORS} LLM evaluators at once`)
-            }
-
             additionalConfig.lLMEvaluators = lLMEvaluators
             additionalConfig.llmConfig = {
                 credentialId: body.credentialId,
@@ -159,11 +145,6 @@ const createEvaluation = async (body: ICommonObject, baseURL: string, orgId: str
             throw new Error('chatflowId must be a valid array')
         }
 
-        const MAX_CHATFLOWS_EVAL = 100
-        if (chatflowIds.length > MAX_CHATFLOWS_EVAL) {
-            throw new Error(`Cannot evaluate more than ${MAX_CHATFLOWS_EVAL} chatflows at once`)
-        }
-
         for (let i = 0; i < chatflowIds.length; i++) {
             const chatflowId = chatflowIds[i]
             const cFlow = await appServer.AppDataSource.getRepository(ChatFlow).findOneBy({
