From e47f67ba1f05acb28e93ecd67df5c282986c1930 Mon Sep 17 00:00:00 2001
From: m0rs3c0d3 <cosmicallyoffline@gmail.com>
Date: Sat, 21 Feb 2026 14:40:48 -0800
Subject: [PATCH] Potential fix for code scanning alert no. 10: Resource
 exhaustion

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 src/core/workflow/WorkflowEngine.ts | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/src/core/workflow/WorkflowEngine.ts b/src/core/workflow/WorkflowEngine.ts
index 9808096..56a0da4 100644
--- a/src/core/workflow/WorkflowEngine.ts
+++ b/src/core/workflow/WorkflowEngine.ts
@@ -144,14 +144,26 @@ export class WorkflowEngine {
     context: NodeContext,
     timeout?: number
   ): Promise<NodeResult> {
-    if (!timeout) {
+    // Normalize and bound the timeout to prevent resource exhaustion from untrusted values
+    const MAX_NODE_TIMEOUT_MS = 60_000; // 60 seconds hard limit for node timeouts
+    const numericTimeout = typeof timeout === 'number' ? timeout : Number(timeout);
+    const safeTimeout =
+      Number.isFinite(numericTimeout) && numericTimeout > 0
+        ? Math.min(Math.floor(numericTimeout), MAX_NODE_TIMEOUT_MS)
+        : 0;
+
+    // If there is no effective timeout, run the handler directly
+    if (!safeTimeout) {
       return handler(node, context);
     }
 
     return Promise.race([
       handler(node, context),
       new Promise<NodeResult>((_, reject) =>
-        setTimeout(() => reject(new Error(`Node timeout: ${timeout}ms`)), timeout)
+        setTimeout(
+          () => reject(new Error(`Node timeout: ${safeTimeout}ms`)),
+          safeTimeout
+        )
       ),
     ]);
   }