fix(data-mapper-v2): Address Copilot review comments for security and robustness

Security fixes:
- Replace polynomial regex with string-based parsing in XsltMetadataSerializer
- Add prototype pollution protection in XsltParser with safe property assignment

Robustness improvements:
- Add robust xslt3 path resolution checking multiple locations
- Add XSLT size validation (5MB limit) before processing
- Add XSLT parsing error handling with user-friendly messages
- Handle empty map definition with null-coalescing fallback
- Prevent stale test results with ref-based deduplication
- Add detailed temp file cleanup logging

Performance optimization:
- Optimize position updates to avoid flooding undo history

Testing:
- Add comprehensive test suites for Redux slices, utilities, and query hooks
- 217 new tests added (484 total tests now passing)

Author: hartra344

Localize/lang/strings.json

@@ -400,6 +400,7 @@
   "7PtWvu": "(UTC-05:00) Eastern Time (US & Canada)",
   "7QymrD": "Required. The string from which the substring is taken.",
   "7ScdN6": "Name",
+  "7V737/": "XSLT not yet generated. Save the map to generate XSLT output.",
   "7X4UA/": "Waiting",
   "7ZF1Hr": "Validation error",
   "7ZR1xr": "Add an action",
@@ -1964,6 +1965,7 @@
   "_7PtWvu.comment": "Time zone value ",
   "_7QymrD.comment": "Required string parameter required to obtain substring",
   "_7ScdN6.comment": "Deployment model resource name label",
+  "_7V737/.comment": "Message to display when XSLT content hasn't been generated yet",
   "_7X4UA/.comment": "The status message to show waiting in monitoring view.",
   "_7ZF1Hr.comment": "The title of the validation error field in the static result parseJson action",
   "_7ZR1xr.comment": "Text on example action node",
@@ -3166,6 +3168,7 @@
   "_arjUBV.comment": "Error message when the workflow dark image is empty",
   "_auUI93.comment": "label to inform to upload or select source schema to be used",
   "_auci7r.comment": "Error validation message for CSVs",
+  "_aulGxd.comment": "Message when XSLT content is not available",
   "_aurgrg.comment": "Authentication type",
   "_b2aL+f.comment": "Text indicating a menu button to pin an action to the side panel",
   "_b6G9bq.comment": "Label for description of custom encodeUriComponent Function",
@@ -3810,7 +3813,6 @@
   "_qJpnIL.comment": "Label for description of custom endsWith Function",
   "_qKVOwV.comment": "Placeholder text for the MCP server name field",
   "_qMFpNH.comment": "Loading dynamic data",
-  "_qNy7WP.comment": "Message to display when XSLT content hasn't been generated yet",
   "_qSejoi.comment": "Label for description of custom lessOrEquals Function",
   "_qSt0Sb.comment": "Accessibility prefix for the input label",
   "_qUWBUX.comment": "A duration of time shown in days",
@@ -4098,7 +4100,7 @@
   "_wQcEXt.comment": "Required parameters for the custom Replace Function",
   "_wQsEwc.comment": "Required length parameter to obtain substring",
   "_wT/gMB.comment": "Description for featured connectors field",
-  "_wTaSTp.comment": "Message when XSLT content is not available",
+  "_wTaSTp.comment": "Tooltip for disabled test button",
   "_wV3Lmd.comment": "Label to delete dictionary item",
   "_wWVQuK.comment": "Label for description of custom if Function",
   "_wWuzqz.comment": "Ok button text",
@@ -4276,6 +4278,7 @@
   "arjUBV": "The dark image version of the workflow is required for publish.",
   "auUI93": "Add or select a source schema to use for your map.",
   "auci7r": "Enter a valid comma-separated string.",
+  "aulGxd": "Please save the map before testing",
   "aurgrg": "Managed identity",
   "b2aL+f": "Pin action",
   "b6G9bq": "URL encodes the input string",
@@ -4920,7 +4923,6 @@
   "qJpnIL": "Checks if the string ends with a value (case-insensitive, invariant culture)",
   "qKVOwV": "Enter a name for the MCP server",
   "qMFpNH": "Loading dynamic data",
-  "qNy7WP": "XSLT not yet generated. Save the map to generate XSLT output.",
   "qSejoi": "Returns true if the first argument is less than or equal to the second",
   "qSt0Sb": "Required",
   "qUWBUX": "{days, plural, one {# day} other {# days}}",

apps/vs-code-designer/src/app/commands/dataMapper/DataMapperPanel.ts

@@ -46,6 +46,52 @@ import { copyOverImportedSchemas } from './DataMapperPanelUtils';
 import { switchToDataMapperV2 } from '../setDataMapperVersion';
 import SaxonJS from 'saxon-js';
 
+/**
+ * Finds the xslt3 CLI path by checking multiple possible locations.
+ * The xslt3 package might be installed in the extension's node_modules,
+ * or hoisted to a parent node_modules directory.
+ *
+ * @param extensionPath - The extension's root path
+ * @returns The path to xslt3.js, or null if not found
+ */
+const findXslt3Path = (extensionPath: string): string | null => {
+  const xslt3File = 'xslt3.js';
+
+  // Possible locations to check in order of preference
+  const possiblePaths = [
+    // Direct dependency in extension's node_modules
+    path.join(extensionPath, 'node_modules', 'xslt3', xslt3File),
+    // Hoisted to workspace root node_modules (for development)
+    path.join(extensionPath, '..', '..', 'node_modules', 'xslt3', xslt3File),
+    // Try using require.resolve as fallback (handles various node_modules structures)
+  ];
+
+  for (const possiblePath of possiblePaths) {
+    if (fileExistsSync(possiblePath)) {
+      return possiblePath;
+    }
+  }
+
+  // Try require.resolve as a final fallback
+  try {
+    // require.resolve finds the module regardless of hoisting
+    const xslt3MainPath = require.resolve('xslt3');
+    const xslt3Dir = path.dirname(xslt3MainPath);
+    const xslt3JsPath = path.join(xslt3Dir, xslt3File);
+    if (fileExistsSync(xslt3JsPath)) {
+      return xslt3JsPath;
+    }
+    // Also check if the main IS xslt3.js
+    if (xslt3MainPath.endsWith(xslt3File)) {
+      return xslt3MainPath;
+    }
+  } catch {
+    // require.resolve failed, xslt3 not found
+  }
+
+  return null;
+};
+
 export default class DataMapperPanel {
   public panel: WebviewPanel;
   public dataMapVersion: number;
@@ -242,6 +288,17 @@ export default class DataMapperPanel {
    * 4. Return result and clean up temp files
    */
   public async handleTestXsltTransform(xsltContent: string, inputXml: string) {
+    // Validate XSLT size before processing to prevent memory issues
+    const MAX_XSLT_SIZE = 5 * 1024 * 1024; // 5MB limit
+    const xsltSize = Buffer.byteLength(xsltContent, 'utf8');
+    console.log('[DataMapper Test] XSLT size:', xsltSize, 'bytes');
+
+    if (xsltSize > MAX_XSLT_SIZE) {
+      const sizeMB = (xsltSize / (1024 * 1024)).toFixed(2);
+      const limitMB = (MAX_XSLT_SIZE / (1024 * 1024)).toFixed(0);
+      throw new Error(`XSLT content is too large (${sizeMB}MB). Maximum size is ${limitMB}MB.`);
+    }
+
     const tempDir = os.tmpdir();
     const uniqueId = Date.now().toString();
     const xsltPath = path.join(tempDir, `datamap-${uniqueId}.xslt`);
@@ -256,12 +313,14 @@ export default class DataMapperPanel {
       writeFileSync(xsltPath, xsltContent, 'utf8');
 
       // Step 2: Find xslt3 CLI path - use the .js file directly for cross-platform compatibility
-      const xslt3Path = path.join(ext.context.extensionPath, 'node_modules', 'xslt3', 'xslt3.js');
+      const xslt3Path = findXslt3Path(ext.context.extensionPath);
       console.log('[DataMapper Test] xslt3 path:', xslt3Path);
-      console.log('[DataMapper Test] xslt3 exists:', fileExistsSync(xslt3Path));
 
-      if (!fileExistsSync(xslt3Path)) {
-        throw new Error(`xslt3 CLI not found at: ${xslt3Path}`);
+      if (!xslt3Path) {
+        throw new Error(
+          'xslt3 CLI not found. Please ensure the xslt3 package is installed. ' +
+            'Checked locations: extension node_modules, workspace node_modules, and require.resolve paths.'
+        );
       }
 
       // Step 3: Compile XSLT to SEF using xslt3 CLI via node
@@ -341,15 +400,24 @@ export default class DataMapperPanel {
     } finally {
       // Clean up temp files
       try {
+        let cleanedXslt = false;
+        let cleanedSef = false;
+
         if (fileExistsSync(xsltPath)) {
           removeFileSync(xsltPath);
+          cleanedXslt = true;
         }
         if (fileExistsSync(sefPath)) {
           removeFileSync(sefPath);
+          cleanedSef = true;
         }
-        console.log('[DataMapper Test] Cleaned up temp files');
-      } catch {
-        // Ignore cleanup errors
+        console.log('[DataMapper Test] Temp file cleanup:', {
+          xsltPath: cleanedXslt ? 'deleted' : 'not found',
+          sefPath: cleanedSef ? 'deleted' : 'not found',
+        });
+      } catch (cleanupError) {
+        // Log cleanup errors for debugging but don't fail the operation
+        console.warn('[DataMapper Test] Temp file cleanup warning:', cleanupError);
       }
     }
   }

apps/vs-code-designer/src/app/commands/dataMapper/dataMapper.ts

@@ -113,8 +113,16 @@ async function loadFromXsltFile(context: IActionContext, xsltPath: string): Prom
 
   const fileContents = await fs.readFile(fileToLoad, 'utf-8');
 
-  // Try to extract embedded metadata
-  const loadedData = DataMapperExt.loadMapFromXslt(fileContents, ext);
+  // Try to extract embedded metadata with error handling
+  let loadedData: ReturnType<typeof DataMapperExt.loadMapFromXslt> = null;
+  try {
+    loadedData = DataMapperExt.loadMapFromXslt(fileContents, ext);
+  } catch (parseError) {
+    const errorMessage = parseError instanceof Error ? parseError.message : 'Unknown error';
+    ext.showError(localize('XsltParsingFailed', 'Failed to parse XSLT file: {0}. The file may be corrupted or malformed.', errorMessage));
+    context.telemetry.properties.xsltParsingError = errorMessage;
+    return;
+  }
 
   if (!loadedData) {
     // XSLT doesn't have embedded metadata - try to find and migrate from LML

apps/vs-code-react/src/webviewCommunication.tsx

@@ -231,7 +231,9 @@ export const WebViewCommunication: React.FC<{ children: ReactNode }> = ({ childr
                 dispatch(changeXsltContentV2(message.data.xsltContent));
               } else {
                 // v2 format: use embedded mapDefinition directly
-                dispatch(changeMapDefinitionV2(message.data.mapDefinition));
+                // Fallback to empty object if mapDefinition is undefined or null
+                const mapDefinition = message.data.mapDefinition ?? {};
+                dispatch(changeMapDefinitionV2(mapDefinition));
               }
 
               dispatch(changeDataMapFilename(message.data.mapDefinitionName));

libs/data-mapper-v2/src/core/DataMapDataProvider.tsx

@@ -11,7 +11,7 @@ import type { AppDispatch } from './state/Store';
 import type { MapDefinitionEntry, DataMapSchema, IFileSysTreeItem, MapMetadataV2 } from '@microsoft/logic-apps-shared';
 import { Theme as ThemeType, SchemaType } from '@microsoft/logic-apps-shared';
 import type React from 'react';
-import { useContext, useEffect, useMemo } from 'react';
+import { useContext, useEffect, useMemo, useRef } from 'react';
 import { useDispatch } from 'react-redux';
 import { MapDefinitionDeserializer } from '../mapHandling/MapDefinitionDeserializer';
 import { updateDeserializationMessages } from './state/ErrorsSlice';
@@ -134,29 +134,50 @@ const DataProviderInner = ({
     dispatch(changeIsTestDisabledForOS(!!isTestDisabledForOS));
   }, [dispatch, isTestDisabledForOS]);
 
+  // Track the last processed result to avoid processing stale or duplicate results
+  const lastProcessedResultRef = useRef<TestXsltTransformResult | null>(null);
+
   // Handle XSLT transform test results from the extension host
   useEffect(() => {
-    if (testXsltTransformResult) {
-      if (testXsltTransformResult.success) {
-        dispatch(
-          updateTestOutput({
-            response: {
-              statusCode: testXsltTransformResult.statusCode,
-              statusText: testXsltTransformResult.statusText,
-              outputInstance: {
-                $content: testXsltTransformResult.outputXml ?? '',
-                '$content-type': 'application/xml',
-              },
+    // Skip if no result or if we've already processed this exact result
+    if (!testXsltTransformResult) {
+      return;
+    }
+
+    // Check if this is the same result we already processed (prevents duplicate dispatches)
+    const lastResult = lastProcessedResultRef.current;
+    if (
+      lastResult &&
+      lastResult.success === testXsltTransformResult.success &&
+      lastResult.outputXml === testXsltTransformResult.outputXml &&
+      lastResult.error === testXsltTransformResult.error &&
+      lastResult.statusCode === testXsltTransformResult.statusCode
+    ) {
+      return; // Skip duplicate result
+    }
+
+    // Store the current result as processed
+    lastProcessedResultRef.current = testXsltTransformResult;
+
+    if (testXsltTransformResult.success) {
+      dispatch(
+        updateTestOutput({
+          response: {
+            statusCode: testXsltTransformResult.statusCode,
+            statusText: testXsltTransformResult.statusText,
+            outputInstance: {
+              $content: testXsltTransformResult.outputXml ?? '',
+              '$content-type': 'application/xml',
             },
-          })
-        );
-      } else {
-        dispatch(
-          updateTestOutput({
-            error: new Error(testXsltTransformResult.error ?? 'XSLT transformation failed'),
-          })
-        );
-      }
+          },
+        })
+      );
+    } else {
+      dispatch(
+        updateTestOutput({
+          error: new Error(testXsltTransformResult.error ?? 'XSLT transformation failed'),
+        })
+      );
     }
   }, [dispatch, testXsltTransformResult]);