core: fix (CWE-94) when implemented in vs code/ browser env

RubenHalman · RubenHalman · commit 10f64a5eb193 · 2025-12-12T10:07:26.000+01:00
diff --git a/packages/core/src/main/rules/APIVersion.ts b/packages/core/src/main/rules/APIVersion.ts
@@ -15,45 +15,72 @@ export class APIVersion extends RuleCommon implements IRuleDefinition {
   }
 
   protected check(
-  flow: core.Flow,
-  options: { expression?: string } | undefined,
-  _suppressions: Set<string>
-): core.Violation[] {
-
-  let flowAPIVersionNumber: number | null = null;
-  if (flow.xmldata.apiVersion) {
-    flowAPIVersionNumber = +flow.xmldata.apiVersion;
-  }
+    flow: core.Flow,
+    options: { expression?: string } | undefined,
+    _suppressions: Set<string>
+  ): core.Violation[] {
 
-  // No API version
-  if (!flowAPIVersionNumber) {
-    return [
-      new core.Violation(
-        new core.FlowAttribute("API Version <49", "apiVersion", "<49")
-      )
-    ];
-  }
+    let flowAPIVersionNumber: number | null = null;
+    if (flow.xmldata.apiVersion) {
+      flowAPIVersionNumber = +flow.xmldata.apiVersion;
+    }
 
-  // Custom logic
-  if (options?.expression) {
-    const isValid = new Function(
-      `return ${flowAPIVersionNumber}${options.expression};`
-    )();
-      
-    if (!isValid) {
+    // No API version
+    if (!flowAPIVersionNumber) {
       return [
         new core.Violation(
-          new core.FlowAttribute(
-            `${flowAPIVersionNumber}`,
-            "apiVersion",
-            options.expression
-          )
+          new core.FlowAttribute("API Version <49", "apiVersion", "<49")
         )
       ];
     }
-  }
 
-  return [];
-}
+    // Custom logic
+    if (options?.expression) {
+
+      // Match something like: >= 58
+      const match = options.expression.match(/^\s*(>=|<=|>|<|===|!==)\s*(\d+)\s*$/);
+
+      if (!match) {
+        // Invalid expression format
+        return [
+          new core.Violation(
+            new core.FlowAttribute(
+              "Invalid API rule expression",
+              "apiVersion",
+              options.expression
+            )
+          )
+        ];
+      }
+
+      const [, operator, versionStr] = match;
+      const target = parseFloat(versionStr);
+
+      let isValid = true;
+
+      switch (operator) {
+        case ">": isValid = flowAPIVersionNumber > target; break;
+        case "<": isValid = flowAPIVersionNumber < target; break;
+        case ">=": isValid = flowAPIVersionNumber >= target; break;
+        case "<=": isValid = flowAPIVersionNumber <= target; break;
+        case "===": isValid = flowAPIVersionNumber === target; break;
+        case "!==": isValid = flowAPIVersionNumber !== target; break;
+      }
+
+      if (!isValid) {
+        return [
+          new core.Violation(
+            new core.FlowAttribute(
+              `${flowAPIVersionNumber}`,
+              "apiVersion",
+              options.expression
+            )
+          )
+        ];
+      }
+    }
+
+    return [];
+  }
 
 }
