+29 -4

src/forms/form-builder.ts

reviewed

··· 227 227 } 228 228 229 229 // Custom validation pattern (length-limited + ReDoS-safe) 230 230 - // #540: Reject patterns with nested quantifiers that cause catastrophic backtracking 230 230 + // #540: Reject patterns that risk catastrophic backtracking (ReDoS) 231 231 if (question.validationPattern && question.validationPattern.length <= 200) { 232 232 try { 233 233 - // Block nested quantifiers: (x+)+, (x*)+, (x+)*, etc. — common ReDoS vectors 234 234 - if (/([+*])\s*[)]\s*[+*{]/.test(question.validationPattern) || 235 235 - /([+*])\s*[+*]/.test(question.validationPattern)) { 233 233 + if (isReDoSRisk(question.validationPattern)) { 236 234 // Dangerous pattern — skip validation rather than risk hanging 237 235 } else { 238 236 const re = new RegExp(question.validationPattern); ··· 245 243 } 246 244 247 245 return null; 246 246 + } 247 247 + 248 248 + /** 249 249 + * Detect regex patterns likely to cause catastrophic backtracking (ReDoS). 250 250 + * 251 251 + * Checks for: 252 252 + * 1. Nested quantifiers: (x+)+, (x*)+, (x+)*, (x{2,})+, etc. 253 253 + * 2. Adjacent quantifiers: a++, a*+, a+* 254 254 + * 3. Overlapping alternation with quantifier: (a|a)+, (a|ab)+ 255 255 + * 4. Backreference-based amplification: (a+)\1+ 256 256 + */ 257 257 + export function isReDoSRisk(pattern: string): boolean { 258 258 + // Nested quantifiers: quantifier immediately before group close followed by quantifier 259 259 + // e.g. (x+)+, (x*)+, (x+)*, (x{2,})+, (.+){2,} 260 260 + if (/[+*}]\s*\)\s*[+*{]/.test(pattern)) return true; 261 261 + 262 262 + // Adjacent quantifiers without grouping: a++, a*+, a+* 263 263 + if (/[+*]\s*[+*]/.test(pattern)) return true; 264 264 + 265 265 + // Quantified group containing alternation with overlapping branches 266 266 + // e.g. (a|a)+, (a|ab)+, (\d|\d+)+ 267 267 + if (/\([^)]*\|[^)]*\)\s*[+*{]/.test(pattern)) return true; 268 268 + 269 269 + // Backreference after quantified group: (a+)\1 270 270 + if (/\([^)]*[+*][^)]*\)\s*\\[1-9]/.test(pattern)) return true; 271 271 + 272 272 + return false; 248 273 } 249 274 250 275 /**

+35 -11

src/sheets/calendar-view.ts

reviewed

··· 9 9 rowIndex: number; 10 10 title: string; 11 11 date: Date; 12 12 + /** Optional end date for multi-day events (inclusive). */ 13 13 + endDate?: Date; 12 14 fields: { label: string; value: string }[]; 13 15 } 14 16 ··· 23 25 dateCol: number; 24 26 /** Column index for event title */ 25 27 titleCol: number; 28 28 + /** Optional column index containing end dates (for multi-day events) */ 29 29 + endDateCol?: number; 26 30 /** Additional column indices to show */ 27 31 fieldCols: number[]; 28 32 } ··· 48 52 return d; 49 53 } 50 54 55 55 + /** Normalize a Date to midnight for day-level comparison. */ 56 56 + function startOfDay(d: Date): Date { 57 57 + return new Date(d.getFullYear(), d.getMonth(), d.getDate()); 58 58 + } 59 59 + 51 60 /** 52 61 * Extract calendar events from sheet data. 53 62 */ ··· 70 79 const titleRaw = cellValues.get(titleCellId); 71 80 const title = titleRaw ? String(titleRaw).trim() : `Row ${r}`; 72 81 82 82 + let endDate: Date | undefined; 83 83 + if (config.endDateCol != null) { 84 84 + const endCellId = `${colToLetter(config.endDateCol)}${r}`; 85 85 + const endRaw = cellValues.get(endCellId); 86 86 + const parsed = parseDate(endRaw); 87 87 + if (parsed && parsed.getTime() >= date.getTime()) { 88 88 + endDate = parsed; 89 89 + } 90 90 + } 91 91 + 73 92 const fields: CalendarEvent['fields'] = []; 74 93 for (const colIdx of config.fieldCols) { 75 94 const cellId = `${colToLetter(colIdx)}${r}`; ··· 80 99 }); 81 100 } 82 101 83 83 - events.push({ rowIndex: r, title, date, fields }); 102 102 + events.push({ rowIndex: r, title, date, endDate, fields }); 84 103 } 85 104 86 105 return events; ··· 111 130 days.push({ date, inMonth, events: [] }); 112 131 } 113 132 114 114 - // Place events on their dates 133 133 + // Place events on their dates (multi-day events appear on every spanned day) 115 134 for (const event of events) { 116 116 - const eventDate = event.date; 117 117 - const placed = days.find(d => 118 118 - d.date.getFullYear() === eventDate.getFullYear() && 119 119 - d.date.getMonth() === eventDate.getMonth() && 120 120 - d.date.getDate() === eventDate.getDate(), 121 121 - ); 135 135 + let placedAny = false; 136 136 + const eventStart = startOfDay(event.date).getTime(); 137 137 + const eventEnd = event.endDate 138 138 + ? startOfDay(event.endDate).getTime() 139 139 + : eventStart; 140 140 + 141 141 + for (const d of days) { 142 142 + const dayTime = startOfDay(d.date).getTime(); 143 143 + if (dayTime >= eventStart && dayTime <= eventEnd) { 144 144 + d.events.push(event); 145 145 + placedAny = true; 146 146 + } 147 147 + } 122 148 123 123 - if (placed) { 124 124 - placed.events.push(event); 125 125 - } else { 149 149 + if (!placedAny) { 126 150 unplaced.push(event); 127 151 } 128 152 }

+4 -2

src/slides/canvas-engine.ts

reviewed

··· 196 196 */ 197 197 export function bringToFront(state: DeckState, elementId: string): DeckState { 198 198 const slide = currentSlide(state); 199 199 - const maxZ = Math.max(...slide.elements.map(e => e.zIndex), 0); 199 199 + const others = slide.elements.filter(e => e.id !== elementId); 200 200 + const maxZ = others.length > 0 ? Math.max(...others.map(e => e.zIndex)) : 0; 200 201 return updateElement(state, elementId, { zIndex: maxZ + 1 }); 201 202 } 202 203 ··· 205 206 */ 206 207 export function sendToBack(state: DeckState, elementId: string): DeckState { 207 208 const slide = currentSlide(state); 208 208 - const minZ = Math.min(...slide.elements.map(e => e.zIndex), 0); 209 209 + const others = slide.elements.filter(e => e.id !== elementId); 210 210 + const minZ = others.length > 0 ? Math.min(...others.map(e => e.zIndex)) : 0; 209 211 return updateElement(state, elementId, { zIndex: minZ - 1 }); 210 212 } 211 213

+91

tests/form-builder.test.ts

reviewed

··· 13 13 questionCount, 14 14 requiredCount, 15 15 duplicateForm, 16 16 + isReDoSRisk, 16 17 type QuestionType, 17 18 type Question, 18 19 type FormSchema, ··· 565 566 const q = makeQ({ type: 'short_text', validationPattern: '[invalid' }); 566 567 expect(validateAnswer(q, 'anything')).toBeNull(); 567 568 }); 569 569 + 570 570 + it('skips nested quantifier pattern (a+)+ (ReDoS)', () => { 571 571 + const q = makeQ({ type: 'short_text', validationPattern: '(a+)+$' }); 572 572 + expect(validateAnswer(q, 'aaaaaaaaaaaaaaaaab')).toBeNull(); 573 573 + }); 574 574 + 575 575 + it('skips overlapping alternation pattern (a|a)+ (ReDoS)', () => { 576 576 + const q = makeQ({ type: 'short_text', validationPattern: '(a|a)+$' }); 577 577 + expect(validateAnswer(q, 'aaaaaaaaaaaaaaaaab')).toBeNull(); 578 578 + }); 579 579 + 580 580 + it('skips (\\d+)+ pattern (ReDoS)', () => { 581 581 + const q = makeQ({ type: 'short_text', validationPattern: '(\\d+)+$' }); 582 582 + expect(validateAnswer(q, '1234567890123456x')).toBeNull(); 583 583 + }); 584 584 + 585 585 + it('skips (.*)* pattern (ReDoS)', () => { 586 586 + const q = makeQ({ type: 'short_text', validationPattern: '(.*)*$' }); 587 587 + expect(validateAnswer(q, 'test')).toBeNull(); 588 588 + }); 589 589 + 590 590 + it('allows safe patterns through', () => { 591 591 + const q = makeQ({ type: 'short_text', validationPattern: '^[A-Z]{2}\\d{4}$' }); 592 592 + expect(validateAnswer(q, 'AB1234')).toBeNull(); 593 593 + expect(validateAnswer(q, 'bad')).toBe('Invalid format'); 594 594 + }); 568 595 }); 569 596 570 597 describe('text types (no special validation)', () => { ··· 742 769 expect(copy.targetSheetId).toBe('sheet-abc'); 743 770 }); 744 771 }); 772 772 + 773 773 + // --- isReDoSRisk --- 774 774 + 775 775 + describe('isReDoSRisk', () => { 776 776 + it('detects nested quantifier (a+)+', () => { 777 777 + expect(isReDoSRisk('(a+)+')).toBe(true); 778 778 + }); 779 779 + 780 780 + it('detects nested quantifier (a*)+', () => { 781 781 + expect(isReDoSRisk('(a*)+')).toBe(true); 782 782 + }); 783 783 + 784 784 + it('detects nested quantifier (a+)*', () => { 785 785 + expect(isReDoSRisk('(a+)*')).toBe(true); 786 786 + }); 787 787 + 788 788 + it('detects nested quantifier with curly brace (.+){2,}', () => { 789 789 + expect(isReDoSRisk('(.+){2,}')).toBe(true); 790 790 + }); 791 791 + 792 792 + it('detects adjacent quantifiers a++', () => { 793 793 + expect(isReDoSRisk('a++')).toBe(true); 794 794 + }); 795 795 + 796 796 + it('detects adjacent quantifiers a*+', () => { 797 797 + expect(isReDoSRisk('a*+')).toBe(true); 798 798 + }); 799 799 + 800 800 + it('detects overlapping alternation (a|a)+', () => { 801 801 + expect(isReDoSRisk('(a|a)+')).toBe(true); 802 802 + }); 803 803 + 804 804 + it('detects overlapping alternation (a|ab)+', () => { 805 805 + expect(isReDoSRisk('(a|ab)+')).toBe(true); 806 806 + }); 807 807 + 808 808 + it('detects overlapping alternation with quantifier (\\d|\\d+)+', () => { 809 809 + expect(isReDoSRisk('(\\d|\\d+)+')).toBe(true); 810 810 + }); 811 811 + 812 812 + it('detects backreference amplification (a+)\\1', () => { 813 813 + expect(isReDoSRisk('(a+)\\1')).toBe(true); 814 814 + }); 815 815 + 816 816 + it('allows simple anchored pattern ^\\d{5}$', () => { 817 817 + expect(isReDoSRisk('^\\d{5}$')).toBe(false); 818 818 + }); 819 819 + 820 820 + it('allows character class with quantifier [A-Z]+', () => { 821 821 + expect(isReDoSRisk('[A-Z]+')).toBe(false); 822 822 + }); 823 823 + 824 824 + it('allows email-like pattern', () => { 825 825 + expect(isReDoSRisk('^[^\\s@]+@[^\\s@]+\\.[^\\s@]+$')).toBe(false); 826 826 + }); 827 827 + 828 828 + it('allows simple group without nested quantifier (abc)+', () => { 829 829 + expect(isReDoSRisk('(abc)+')).toBe(false); 830 830 + }); 831 831 + 832 832 + it('allows non-quantified alternation (a|b)', () => { 833 833 + expect(isReDoSRisk('(a|b)')).toBe(false); 834 834 + }); 835 835 + });

+67

tests/slides-z-order.test.ts

reviewed

··· 2 2 import { 3 3 createDeck, 4 4 addElement, 5 5 + removeElement, 5 6 bringToFront, 6 7 sendToBack, 7 8 currentSlide, ··· 82 83 expect(Number.isFinite(z1)).toBe(true); 83 84 expect(Number.isFinite(z2)).toBe(true); 84 85 expect(z2).toBeGreaterThanOrEqual(z1); 86 86 + }); 87 87 + 88 88 + it('bringToFront on empty slide (non-existent element) is a safe no-op', () => { 89 89 + const state = createDeck(); 90 90 + const result = bringToFront(state, 'non-existent'); 91 91 + expect(currentSlide(result).elements).toHaveLength(0); 92 92 + }); 93 93 + 94 94 + it('sendToBack on empty slide (non-existent element) is a safe no-op', () => { 95 95 + const state = createDeck(); 96 96 + const result = sendToBack(state, 'non-existent'); 97 97 + expect(currentSlide(result).elements).toHaveLength(0); 98 98 + }); 99 99 + 100 100 + it('bringToFront excludes the target element from max calculation', () => { 101 101 + let state = createDeck(); 102 102 + state = addElement(state, 'text', 0, 0, 100, 50, 'A'); // zIndex 0 103 103 + state = addElement(state, 'shape', 50, 50, 100, 50, 'B'); // zIndex 1 104 104 + 105 105 + const elB = currentSlide(state).elements[1]; 106 106 + // B is already highest. New zIndex = max(others) + 1 = 0 + 1 = 1 107 107 + state = bringToFront(state, elB.id); 108 108 + const updated = currentSlide(state).elements.find(e => e.id === elB.id)!; 109 109 + expect(updated.zIndex).toBe(1); 110 110 + }); 111 111 + 112 112 + it('sendToBack excludes the target element from min calculation', () => { 113 113 + let state = createDeck(); 114 114 + state = addElement(state, 'text', 0, 0, 100, 50, 'A'); // zIndex 0 115 115 + state = addElement(state, 'shape', 50, 50, 100, 50, 'B'); // zIndex 1 116 116 + 117 117 + const elA = currentSlide(state).elements[0]; 118 118 + // A is already lowest. New zIndex = min(others) - 1 = 1 - 1 = 0 119 119 + state = sendToBack(state, elA.id); 120 120 + const updated = currentSlide(state).elements.find(e => e.id === elA.id)!; 121 121 + expect(updated.zIndex).toBe(0); 122 122 + }); 123 123 + 124 124 + it('repeated bringToFront does not cause unbounded zIndex growth', () => { 125 125 + let state = createDeck(); 126 126 + state = addElement(state, 'text', 0, 0, 100, 50, 'A'); 127 127 + state = addElement(state, 'shape', 50, 50, 100, 50, 'B'); 128 128 + 129 129 + const elA = currentSlide(state).elements[0]; 130 130 + for (let i = 0; i < 10; i++) { 131 131 + state = bringToFront(state, elA.id); 132 132 + } 133 133 + 134 134 + const finalZ = currentSlide(state).elements.find(e => e.id === elA.id)!.zIndex; 135 135 + // zIndex should stabilize at max(others) + 1, not grow unboundedly 136 136 + expect(finalZ).toBeLessThanOrEqual(5); 137 137 + }); 138 138 + 139 139 + it('bringToFront after removing all other elements defaults to zIndex 1', () => { 140 140 + let state = createDeck(); 141 141 + state = addElement(state, 'text', 0, 0, 100, 50, 'A'); 142 142 + state = addElement(state, 'shape', 50, 50, 100, 50, 'B'); 143 143 + 144 144 + const elA = currentSlide(state).elements[0]; 145 145 + const elB = currentSlide(state).elements[1]; 146 146 + state = removeElement(state, elB.id); 147 147 + state = bringToFront(state, elA.id); 148 148 + 149 149 + const updated = currentSlide(state).elements.find(e => e.id === elA.id)!; 150 150 + expect(Number.isFinite(updated.zIndex)).toBe(true); 151 151 + expect(updated.zIndex).toBe(1); 85 152 }); 86 153 });