
[plan] Pre-compile heredoc regexp patterns in template_injection_validation.go #22081

@github-actions

Objective

Move the 14 regexp.MustCompile calls inside removeHeredocContent() to package-level variables so they are compiled once at program start instead of on every validation call.

Context

From Sergo audit discussion #22033. removeHeredocContent() in pkg/workflow/template_injection_validation.go iterates over a fixed 7-element commonDelimiterSuffixes slice and compiles 2 patterns per suffix (14 total) on every invocation. Since all suffixes are hardcoded constants, these patterns never change and can be pre-compiled.

Locations

  • pkg/workflow/template_injection_validation.go:164 - commonDelimiterSuffixes slice
  • pkg/workflow/template_injection_validation.go:173 - quotedRegex := regexp.MustCompile(...) inside loop
  • pkg/workflow/template_injection_validation.go:179 - unquotedRegex := regexp.MustCompile(...) inside loop

Approach

Replace runtime compilation with a package-level var initialized by an IIFE:

type heredocPattern struct {
    quoted   *regexp.Regexp
    unquoted *regexp.Regexp
}

var heredocPatterns = func() []heredocPattern {
    suffixes := []string{"EOF", "EOL", "END", "HEREDOC", "JSON", "YAML", "SQL"}
    patterns := make([]heredocPattern, len(suffixes))
    for i, suffix := range suffixes {
        patterns[i] = heredocPattern{
            quoted:   regexp.MustCompile(fmt.Sprintf(`(?ms)<<\s*['"]\w*%s['"].*?\n\s*\w*%s\s*$`, suffix, suffix)),
            unquoted: regexp.MustCompile(fmt.Sprintf(`(?ms)<<\s*\w*%s.*?\n\s*\w*%s\s*$`, suffix, suffix)),
        }
    }
    return patterns
}()

func removeHeredocContent(content string) string {
    result := content
    for _, p := range heredocPatterns {
        result = p.quoted.ReplaceAllString(result, "# heredoc removed")
        result = p.unquoted.ReplaceAllString(result, "# heredoc removed")
    }
    return result
}

Verify the exact pattern strings match the current implementation before replacing.

Acceptance Criteria

  • 14 regexp.MustCompile calls moved out of removeHeredocContent to package-level
  • Template injection validation tests pass with identical heredoc removal output
  • make fmt && make test-unit passes

Generated by Plan Command for issue #discussion #22033

  • expires on Mar 23, 2026, 4:03 AM UTC
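
An equivalence check for the "identical heredoc removal output" criterion, added here as an example and not code from the project. The current source is not shown on this page, so `removePerCall` assumes the same pattern strings as the snippet above; `pair`, `compile`, `removePerCall`, `removePrecompiled` and `firstMismatch` are hypothetical names.

```go
package main

import (
	"fmt"
	"regexp"
)

// Suffixes, patterns and marker copied from the snippet in this issue.
var suffixes = []string{"EOF", "EOL", "END", "HEREDOC", "JSON", "YAML", "SQL"}

const quotedFmt = `(?ms)<<\s*['"]\w*%s['"].*?\n\s*\w*%s\s*$`
const unquotedFmt = `(?ms)<<\s*\w*%s.*?\n\s*\w*%s\s*$`
const marker = "# heredoc removed"

type pair [2]*regexp.Regexp // index 0 = quoted, index 1 = unquoted

func compile(suf string) pair {
	return pair{regexp.MustCompile(fmt.Sprintf(quotedFmt, suf, suf)),
		regexp.MustCompile(fmt.Sprintf(unquotedFmt, suf, suf))}
}

// removePerCall models the assumed "before" shape: 14 compilations per call.
func removePerCall(s string) string {
	for _, suf := range suffixes {
		p := compile(suf)
		s = p[1].ReplaceAllString(p[0].ReplaceAllString(s, marker), marker)
	}
	return s
}

// precompiled is built once at package init, in the same suffix order.
var precompiled = func() (out []pair) {
	for _, suf := range suffixes {
		out = append(out, compile(suf))
	}
	return out
}()

// removePrecompiled applies quoted then unquoted per suffix, as the loop does.
func removePrecompiled(s string) string {
	for _, p := range precompiled {
		s = p[1].ReplaceAllString(p[0].ReplaceAllString(s, marker), marker)
	}
	return s
}

// firstMismatch returns the index of the first input whose outputs differ, or -1.
func firstMismatch(in ...string) int {
	for i, s := range in {
		if removePerCall(s) != removePrecompiled(s) {
			return i
		}
	}
	return -1
}
func main() { fmt.Println(firstMismatch("cat <<EOF\n${{ x }}\nEOF\n", "echo ${{ x }}\n")) } // constructed samples
```

Suffix order and the quoted-before-unquoted order both affect the result, because each replacement runs on the output of the previous one; the check only holds if the refactor preserves both.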
