
fix: persist task permissions in HistoryItem and add ReDoS mitigation #12338

Closed
roomote-v0[bot] wants to merge 1 commit into feature/task-permissions-phase-3b from feature/task-permissions-persistence-redos

roomote-v0 Bot commented May 12, 2026

Related GitHub Issue

Addresses remaining considerations from PR #12337 (Phase 3b), linked to Issue #12330.

Description

This PR attempts to address the two remaining considerations raised in the PR #12337 review before merging:

  1. Permission persistence in HistoryItem -- taskPermissions are now saved to disk as part of the task history, so they survive VS Code restarts.
  2. ReDoS mitigation for model-provided regex patterns -- An isSafeRegex() heuristic rejects patterns with nested quantifiers and excessive length at both parse time (Zod schema) and runtime (matchesAnyPattern).

Feedback and guidance are welcome.

Changes

| File | Change |
| --- | --- |
| packages/types/src/task-permissions.ts | Add isSafeRegex() heuristic, apply as Zod refinement and runtime guard in matchesAnyPattern |
| packages/types/src/history.ts | Add optional taskPermissions field to historyItemSchema |
| src/core/task-persistence/taskMetadata.ts | Accept and persist taskPermissions in metadata |
| src/core/task/Task.ts | Pass serializable permission fields to taskMetadata() on save |
| src/core/webview/ClineProvider.ts | Restore permissions via toTaskPermissions() in createTaskWithHistoryItem |
| packages/types/src/__tests__/task-permissions.spec.ts | 32 new tests for isSafeRegex, schema validation, runtime safety, persistence round-trip |

Recommendation

Both fixes should be included before merging PR #12337:

  • Permission persistence is low-effort, architecturally clean, and prevents a class of bugs when Phase 3c/3d introduces longer-lived subtasks.
  • ReDoS mitigation is also low-effort and eliminates a known attack surface. The heuristic is conservative (rejects nested quantifiers and long patterns) with clear error messages so the model can self-correct.

Test Procedure

  • 53 tests pass in packages/types (32 new + 21 existing)
  • 13 tests pass in enforcement spec (all existing)
  • 40 tests pass in validateToolUse + newTaskTool specs (all existing)
  • Full type-check and lint pass across all 10 packages

Pre-Submission Checklist


- Add taskPermissions field to historyItemSchema so permissions survive
  VS Code restarts
- Pass taskPermissions through taskMetadata when saving task history
- Restore permissions via toTaskPermissions() in createTaskWithHistoryItem
- Add isSafeRegex() heuristic that detects nested quantifiers and
  excessive pattern length (ReDoS vectors)
- Apply safety check in both Zod schema validation (parse time) and
  matchesAnyPattern() (runtime belt-and-suspenders)
- Add 32 new tests covering isSafeRegex, schema rejection of unsafe
  patterns, runtime skipping, HistoryItem round-trip, and edge cases

Addresses remaining considerations from PR #12337 review before merge.
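
The nested-quantifier and length check this PR describes, as an added TypeScript example that is not the project's code. `isSafeRegex` and `matchesAnyPattern` reuse the names from the description, but their bodies, the `quantifierAt` helper and the 200-character cap are assumptions.

```typescript
// Added example. The limit and the scanning logic are assumptions, not Roo Code's code.
const MAX_PATTERN_LENGTH = 200; // hypothetical cap; the PR does not state its value

// True when a repetition quantifier (*, + or {n}, {n,}, {n,m}) starts at index i.
function quantifierAt(p: string, i: number): boolean {
  const c = p[i];
  if (c === "*" || c === "+") return true;
  return c === "{" && /^\{\d+(,\d*)?\}/.test(p.slice(i));
}

// Heuristic: reject over-long patterns and any quantified group whose body
// already contains a quantifier, e.g. (a+)+ or (?:\d+\s*)*.
function isSafeRegex(pattern: string): boolean {
  if (pattern.length > MAX_PATTERN_LENGTH) return false;
  const groups: boolean[] = []; // per open group: has a quantifier been seen inside?
  let inClass = false;
  for (let i = 0; i < pattern.length; i++) {
    const c = pattern[i];
    if (c === "\\") { i++; continue; } // skip the escaped character
    if (inClass) { if (c === "]") inClass = false; continue; }
    if (c === "[") { inClass = true; continue; }
    if (c === "(") { groups.push(false); continue; }
    if (c === ")") {
      const inner = groups.pop() ?? false;
      if (inner && quantifierAt(pattern, i + 1)) return false; // nested quantifier
      if (inner && groups.length > 0) groups[groups.length - 1] = true;
      continue;
    }
    if (quantifierAt(pattern, i) && groups.length > 0) groups[groups.length - 1] = true;
  }
  try {
    new RegExp(pattern); // also reject patterns that do not compile
    return true;
  } catch {
    return false;
  }
}

// Runtime guard: an unsafe pattern is skipped and never handed to the regex engine.
function matchesAnyPattern(value: string, patterns: string[]): boolean {
  return patterns.some((p) => isSafeRegex(p) && new RegExp(p).test(value));
}
```

A shape check like this does not cover overlapping alternation such as `(a|aa)+`, so a cap on the length of the matched input remains a sensible second layer.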
roomote-v0 Bot commented May 12, 2026

Closing this PR as requested -- the persistence and ReDoS fixes are already included in #12337.

roomote-v0 Bot closed this May 12, 2026
github-project-automation Bot moved this from New to Done in Roo Code Roadmap May 12, 2026