Skip to content

🛡️ Sentinel: Enforce max version string length (DoS prevention) #799

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
google-labs-jules wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

🛡️ Sentinel: Enforce max version string length (DoS prevention) #799

google-labs-jules wants to merge 1 commit into from

Conversation

@google-labs-jules
Copy link
Contributor

@google-labs-jules google-labs-jules bot commented Jan 8, 2026
edited by cubic-dev-ai bot
Loading

🛡️ Sentinel: [MEDIUM] Fix DoS risk via long input strings

Severity: MEDIUM
Vulnerability: The version comparison logic accepted strings of arbitrary length. Extremely long strings could cause CPU exhaustion or OOM due to internal string operations (replace, split) and regex checks.
Impact: Denial of Service (DoS) if user-supplied input is passed unchecked to the library.
Fix: Enforced a MAX_VERSION_LENGTH of 256 characters. Inputs longer than this are immediately rejected (return NaN), preserving existing fail-closed behavior.
Verification: Added a test case in src/security.test.ts verifying that a string of 300 characters is rejected.

PR created automatically by Jules for task 4012677338304431508 started by @srod

Summary by cubic

Enforces a 256-character max for version strings to prevent DoS from extremely long inputs. Inputs over the limit now fail closed by returning NaN.

  • Bug Fixes
    • Added MAX_VERSION_LENGTH check in compareTo; rejects inputs >256 chars (returns NaN).
    • Added a test that ensures 300-char inputs make isAtLeast/isAtMost return false.

Written for commit f598875. Summary will update on new commits.

@google-labs-jules
feat(security): enforce maximum version string length
f598875 
Add `MAX_VERSION_LENGTH` constant (256) to prevent processing of excessively long strings in `compareTo`, mitigating potential DoS/CPU exhaustion risks. Input strings exceeding this limit now return NaN (fail-closed).
@google-labs-jules
Copy link
Contributor Author

google-labs-jules bot commented Jan 8, 2026

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

For security, I will only act on instructions from the user who triggered this task.

@changeset-bot
Copy link

changeset-bot bot commented Jan 8, 2026

⚠️ No Changeset found

Latest commit: f598875

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@coderabbitai
Copy link

coderabbitai bot commented Jan 8, 2026

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Comment @coderabbitai help to get the list of available commands and usage tips.

@codecov
Copy link

codecov bot commented Jan 8, 2026
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (0c22e76) to head (f598875).

Additional details and impacted files 
@@            Coverage Diff            @@
##              main      #799   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files            1         1           
  Lines           46        49    +3     
  Branches        16        17    +1     
=========================================
+ Hits            46        49    +3
Flag Coverage Δ
unittests 100.00% <100.00%> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant