fix(security): exclude trailing-dot refs and hoist tag pattern to module level

waleedlatif1 · waleedlatif1 · commit 28f3401cac75 · 2026-04-13T20:05:44.000-07:00
diff --git a/apps/sim/app/api/function/execute/route.ts b/apps/sim/app/api/function/execute/route.ts
@@ -27,6 +27,11 @@ export const MAX_DURATION = 210
 
 const logger = createLogger('FunctionExecuteAPI')
 
+const TAG_PATTERN = new RegExp(
+  `${REFERENCE.START}([a-zA-Z_](?:\\${REFERENCE.PATH_DELIMITER}[a-zA-Z0-9_]+|[a-zA-Z0-9_])*)${REFERENCE.END}`,
+  'g'
+)
+
 const E2B_JS_WRAPPER_LINES = 3
 const E2B_PYTHON_WRAPPER_LINES = 1
 
@@ -493,11 +498,7 @@ function resolveTagVariables(
   let resolvedCode = code
   const undefinedLiteral = language === 'python' ? 'None' : 'undefined'
 
-  const tagPattern = new RegExp(
-    `${REFERENCE.START}([a-zA-Z_][a-zA-Z0-9_${REFERENCE.PATH_DELIMITER}]*)${REFERENCE.END}`,
-    'g'
-  )
-  const tagMatches = resolvedCode.match(tagPattern) || []
+  const tagMatches = resolvedCode.match(TAG_PATTERN) || []
 
   for (const match of tagMatches) {
     const tagName = match.slice(REFERENCE.START.length, -REFERENCE.END.length).trim()
