The action-parsing regex in `MRKLOutputParser.parse()` and `ReActSingleInputOutputParser.parse()` used the pattern `(.*?)[\s]*Action` which causes catastrophic backtracking on crafted input where whitespace characters sit between two partial `Action` tokens. An attacker can trigger near-infinite CPU consumption with a relatively short string.

The fix removes the redundant `[\s]*` quantifier between the first capture group and the literal `Action` keyword. Since `re.DOTALL` is active and the preceding `(.*?)` already matches any character (including whitespace), the `[\s]*` was unnecessary and was the source of the ambiguity that enabled backtracking.

Adds regression tests for both parsers that use `SIGALRM` timeouts to assert the regex completes in bounded time on adversarial input.

This fix was reviewed manually. Created with [Deep Agents CLI](https://docs.langchain.com/oss/python/deepagents/cli/overview).
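The sketch below is an added example, not code from the PR or from LangChain. It checks that dropping `[\s]*` leaves parse results unchanged once the captured action name is stripped, and that the fixed pattern finishes under a `SIGALRM` deadline on whitespace-heavy input. Only the `(.*?)[\s]*Action` fragment comes from the description above; the rest of each pattern, the sample strings, the helper names (`parse`, `same_results`, `search_within`) and the caller-side `strip()` are assumptions.

```python
import re
import signal
import threading

# Simplified action regexes. Only the "(.*?)[\s]*Action" fragment comes from the
# PR text; the surrounding prefix and suffix are assumed for this example.
OLD = re.compile(r"Action\s*:[\s]*(.*?)[\s]*Action\s*Input\s*:[\s]*(.*)", re.DOTALL)
NEW = re.compile(r"Action\s*:[\s]*(.*?)Action\s*Input\s*:[\s]*(.*)", re.DOTALL)

# Constructed, benign model outputs.
SAMPLES = [
    "Thought: look it up\nAction: search\nAction Input: weather in Paris",
    "Action:   calculator   \n\n  Action Input: 2 + 2",
    "Action: lookup\t\r\nAction Input:\nmulti\nline input",
    "Final Answer: 42",  # no action at all
]

def parse(pattern, text):
    """Return (action, action_input), or None when no action is present."""
    m = pattern.search(text)
    if m is None:
        return None
    # Assumption: the caller strips the captured action name. Without the
    # strip, NEW keeps the whitespace that OLD's [\s]* used to absorb.
    return m.group(1).strip(), m.group(2)

def same_results(samples=SAMPLES):
    """True if both patterns parse every sample identically."""
    return all(parse(OLD, s) == parse(NEW, s) for s in samples)

def search_within(pattern, text, seconds):
    """Run pattern.search under a SIGALRM deadline; TimeoutError if exceeded."""
    usable = hasattr(signal, "SIGALRM") and threading.current_thread() is threading.main_thread()
    if not usable:  # e.g. Windows or a worker thread: run without the guard
        return pattern.search(text)

    def on_alarm(signum, frame):
        raise TimeoutError(f"regex exceeded {seconds}s")

    previous = signal.signal(signal.SIGALRM, on_alarm)
    signal.setitimer(signal.ITIMER_REAL, seconds)
    try:
        return pattern.search(text)
    finally:
        signal.setitimer(signal.ITIMER_REAL, 0)
        signal.signal(signal.SIGALRM, previous)

# Constructed whitespace-heavy input with no "Action Input", so the search fails.
WHITESPACE_HEAVY = "Action:" + " " * 400 + "Action"
```

The raw first capture group does differ between the two patterns (the fixed one keeps trailing whitespace), so any caller that consumes `group(1)` without stripping it should be reviewed alongside the regex change.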
Packages
Important
This repository is structured as a monorepo, with various packages located in this libs/ directory. Packages to note in this directory include:
core/ # Core primitives and abstractions for langchain
langchain/ # langchain-classic
langchain_v1/ # langchain
partners/ # Certain third-party provider integrations (see below)
standard-tests/ # Standardized tests for integrations
text-splitters/ # Text splitter utilities
(Each package contains its own README.md file with specific details about that package.)
Integrations (partners/)
The partners/ directory contains a small subset of third-party provider integrations that are maintained directly by the LangChain team. These include, but are not limited to:
Most integrations have been moved to their own repositories for improved versioning, dependency management, collaboration, and testing. This includes packages from popular providers such as Google and AWS. Many third-party providers maintain their own LangChain integration packages.
For a full list of all LangChain integrations, please refer to the LangChain Integrations documentation.