
🛡️ Sentinel: Add input length limits to prevent DoS#34

Open
tblakex01 wants to merge 1 commit into main from sentinel-input-limits-4003401425753474456


tblakex01 commented Jan 28, 2026

🚨 Severity: MEDIUM
💡 Vulnerability: Missing input length limits on user configuration fields (Name, System Instructions, Greeting).
🎯 Impact: Potential Denial of Service (DoS) or performance degradation if massive strings are input.
🔧 Fix:

  • Added MAX_INPUT_LENGTHS to constants.ts.
  • Enforced maxLength on inputs in WelcomeScreen.tsx.
  • Added character counters for better UX.
  • Fixed missing entry point in index.html.

✅ Verification:

  • npm test passed.
  • Frontend verification confirmed counters work and UI is functional.

PR created automatically by Jules for task 4003401425753474456 started by @tblakex01

Summary by Sourcery

Enforce bounded user input lengths in the welcome screen configuration and wire up the app entry point script.

New Features:

  • Add configurable maximum length constants for user-facing text fields.
  • Display live character counters for name, system instructions, and greeting inputs on the welcome screen.

Bug Fixes:

  • Prevent excessively long name, system instruction, and greeting values from being accepted to mitigate potential DoS issues.
  • Ensure the application entry point script is loaded by adding the missing index.tsx reference in index.html.

Enhancements:

  • Update tests to assert truncation behavior based on defined maximum input lengths.
  • Document the unbounded input vulnerability and its mitigation in the Sentinel security notes.

Summary by CodeRabbit

Release Notes

  • New Features

    • Added real-time character counters to Name, System Instructions, and Greeting Message fields, showing current input length against maximum allowed.
  • Bug Fixes

    • Implemented input length limits on key fields to improve application stability and prevent service disruptions.


- Add MAX_INPUT_LENGTHS to constants
- Enforce maxLength in WelcomeScreen
- Add character counters to UI
- Fix missing script tag in index.html
- Add tests for limits and truncation

Co-authored-by: tblakex01 <17657984+tblakex01@users.noreply.github.com>
@google-labs-jules

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.


coderabbitai bot commented Jan 28, 2026

Walkthrough

The pull request introduces input length validation across the application by defining a MAX_INPUT_LENGTHS constant (with limits: name 50, systemInstruction 2000, greeting 500, description 100), applying these via maxLength attributes in WelcomeScreen component with character counters, updating corresponding tests, and adding documentation about a DoS vulnerability. An index.html script module tag is also added.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Input Validation Constants: constants.ts, constants.test.ts | Added new exported constant MAX_INPUT_LENGTHS object with name, systemInstruction, greeting, and description length limits; tests verify existence and exact values (50, 2000, 500, 100). |
| WelcomeScreen Component: components/WelcomeScreen.tsx, components/WelcomeScreen.test.tsx | Imported MAX_INPUT_LENGTHS constant; added maxLength attributes and live character counters to Name, System Instructions, and Greeting Message fields; test suite updated to use these limits for constraining long input assertions and payload comparisons. |
| Vulnerability Documentation: .jules/sentinel.md | Added new dated entry (2026-01-28) documenting DoS risk from unlimited string length acceptance and recommending strict input limits via maxLength and validated constants. |
| HTML Entry Point: index.html | Added module script tag to load /index.tsx frontend entry point on page load. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • PR #30: Conflicts directly with updates to WelcomeScreen input-handling tests and behavior targeted by the MAX_INPUT_LENGTHS enforcement implementation.

Poem

🐰 A rabbit secures the garden gate,
With limits set, no more to wait—
Fifty chars here, two thousand there,
Character counters floating in air!
DoS fears vanish, validation's here,
Safe inputs bring the rabbit cheer!

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title directly addresses the main objective of adding input length limits to prevent DoS, which is the core change across all modified files. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |




sourcery-ai bot commented Jan 28, 2026

Reviewer's Guide

Adds centralized maximum length constraints for configurable persona fields and wires them into the welcome screen inputs, updating tests and documentation, while also fixing the missing frontend entry script in index.html.

Class diagram for WelcomeScreen and MAX_INPUT_LENGTHS usage

classDiagram
  class WelcomeScreenProps {
    +onStartCall(config PersonaConfig) void
  }

  class PersonaConfig {
    +name string
    +systemInstruction string
    +greeting string
    +voice VoiceName
  }

  class VoiceName {
  }

  class Constants {
    <<module>>
    +MAX_INPUT_LENGTHS name:number, systemInstruction:number, greeting:number, description:number
    +VOICE_NAMES VoiceName[]
    +PERSONA_PRESETS PersonaConfig[]
  }

  class WelcomeScreen {
    <<ReactComponent>>
    -customConfig PersonaConfig
    -handleConfigChange(field string, value string) void
  }

  WelcomeScreen ..> WelcomeScreenProps : uses
  WelcomeScreen ..> PersonaConfig : manages
  WelcomeScreen ..> VoiceName : selects
  WelcomeScreen ..> Constants : imports
  Constants --> VoiceName : defines
  Constants --> PersonaConfig : presets

Architecture/flow diagram for index.html entry and React bootstrap

flowchart LR
  Browser["Browser loads index_html"] --> HTMLBody["<div id=root>"]
  HTMLBody --> ScriptTag["<script type=module src=/index_tsx>"]
  ScriptTag --> EntryModule[index_tsx]
  EntryModule --> ReactRoot["ReactDOM_createRoot(root)"]
  ReactRoot --> WelcomeScreenComponent["Render WelcomeScreen"]
  WelcomeScreenComponent --> Inputs["Name/SystemInstructions/Greeting inputs with maxLength from MAX_INPUT_LENGTHS"]

File-Level Changes

Change: Enforce max character limits and show counters for persona configuration inputs on the welcome screen.
Details:
  • Import shared MAX_INPUT_LENGTHS constants into the welcome screen component.
  • Add maxLength attributes to Name, System Instructions, and Greeting Message inputs/textareas using the shared limits.
  • Render live character counters next to each label using current field length and configured maximums.
Files: components/WelcomeScreen.tsx

Change: Align tests with new input length constraints to ensure values are truncated and propagated correctly.
Details:
  • Update name input test to expect truncated value based on MAX_INPUT_LENGTHS.name and to assert the truncated value is passed to onStartCall.
  • Update greeting message test to expect the DOM value to be truncated according to MAX_INPUT_LENGTHS.greeting.
Files: components/WelcomeScreen.test.tsx

Change: Define and export shared maximum input length constants for persona-related fields.
Details:
  • Introduce MAX_INPUT_LENGTHS in constants with explicit caps for name, systemInstruction, greeting, and description.
  • Export the new constant for use across the app.
Files: constants.ts, constants.test.ts

Change: Document the new unbounded-input vulnerability and its mitigation in the Sentinel security notes.
Details:
  • Add a dated entry describing the unbounded input vulnerability, lessons learned, and the prevention approach using maxLength and validated constants.
Files: .jules/sentinel.md

Change: Ensure the frontend bundle is loaded by adding the missing entry script tag to the HTML shell.
Details:
  • Add a type="module" script tag referencing /index.tsx in index.html so the React app mounts correctly.
Files: index.html


@sourcery-ai sourcery-ai bot left a comment


Hey - I've left some high level feedback:

  • The MAX_INPUT_LENGTHS.description entry is defined but never used; either wire it up to the corresponding input or remove it to avoid dead configuration.
  • The new label + counter + input/textarea pattern for Name, System Instructions, and Greeting is duplicated; consider extracting a small reusable component to keep the markup and behavior consistent and easier to maintain.

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Fix all issues with AI agents
In @.jules/sentinel.md:
- Line 7: Update the compound modifier “unlimited length strings” to the
hyphenated form “unlimited-length strings” wherever that exact phrase appears
(the sentence describing the vulnerability for Name, Greeting, and System
Instructions); ensure spacing and punctuation remain correct and run a quick
proofread to confirm no other similar compound modifiers need hyphenation.
🧹 Nitpick comments (2)
components/WelcomeScreen.test.tsx (1)

5-5: Add system-instruction truncation coverage for symmetry.

Now that name/greeting assert truncation via MAX_INPUT_LENGTHS, consider updating the system-instruction test to exceed the limit and assert truncation as well.

♻️ Proposed test tweak
-      const longInstructions = 'Instructions '.repeat(100);
+      const longInstructions = 'I'.repeat(MAX_INPUT_LENGTHS.systemInstruction + 50);
       await user.clear(instructionsTextarea);
       await user.paste(longInstructions);
 
-      expect((instructionsTextarea as HTMLTextAreaElement).value).toBe(longInstructions);
+      const expectedInstructions = longInstructions.slice(0, MAX_INPUT_LENGTHS.systemInstruction);
+      expect((instructionsTextarea as HTMLTextAreaElement).value).toBe(expectedInstructions);
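Review bot: the replacement input on the first added line, 'I'.repeat(MAX_INPUT_LENGTHS.systemInstruction + 50), is one repeated character, so the slice(0, ...) comparison would also pass if the field kept the last N characters or any other N-character window of the paste. Build the string from distinct segments, with a recognisable marker placed past the limit, and assert the marker is absent so the test pins truncation at the end. The expectation also covers only the textarea's DOM value; an assertion on what is submitted would show the limit holds beyond the input element.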

Also applies to: 419-428, 457-457

components/WelcomeScreen.tsx (1)

3-3: Clamp config values before storing/submitting (defense in depth).

maxLength only limits user input; presets or future programmatic updates can still set over-limit strings and get sent via onStartCall. Consider clamping in the handlers (and before submit) to keep the limit invariant.

♻️ Suggested implementation
   const [customConfig, setCustomConfig] = useState<PersonaConfig>(PERSONA_PRESETS[0]);
+
+  const clampConfig = (config: PersonaConfig): PersonaConfig => ({
+    ...config,
+    name: config.name.slice(0, MAX_INPUT_LENGTHS.name),
+    systemInstruction: config.systemInstruction.slice(0, MAX_INPUT_LENGTHS.systemInstruction),
+    greeting: config.greeting.slice(0, MAX_INPUT_LENGTHS.greeting),
+  });
 
   const handlePresetChange = (presetId: string) => {
     setSelectedPresetId(presetId);
     if (presetId === 'custom') return;
     
     const preset = PERSONA_PRESETS.find(p => p.id === presetId);
     if (preset) {
-      setCustomConfig(preset);
+      setCustomConfig(clampConfig(preset));
     }
   };
 
   const handleConfigChange = (field: keyof PersonaConfig, value: string) => {
-    setCustomConfig(prev => ({
-      ...prev,
-      [field]: value
-    }));
+    setCustomConfig(prev => clampConfig({
+      ...prev,
+      [field]: value
+    }));
     setSelectedPresetId('custom');
   };
...
-          onClick={() => onStartCall(customConfig)}
+          onClick={() => onStartCall(clampConfig(customConfig))}
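Review bot: in clampConfig, each slice(0, MAX_INPUT_LENGTHS.…) cuts on UTF-16 code units, so a value whose limit falls in the middle of a surrogate pair (an emoji straddling position 50 of name, say) is stored and passed to onStartCall ending in a lone surrogate. Back the cut off by one unit when the last kept unit is a high surrogate. Separately, setCustomConfig(clampConfig(preset)) shortens an over-limit preset silently; since PERSONA_PRESETS is static data, a test asserting that every preset fits the limits would surface the mistake instead of hiding it.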

Also applies to: 15-33, 79-90, 106-118, 120-132, 138-140

**Prevention:** Use a sanitized logger wrapper instead of raw console methods. Add CSP meta tags.

## 2026-01-28 - Unbounded User Inputs
**Vulnerability:** The application accepted unlimited length strings for Name, Greeting, and System Instructions, posing a Denial of Service (DoS) risk.

⚠️ Potential issue | 🟡 Minor

Minor grammar: hyphenate the compound modifier.

Line 7 reads “unlimited length strings”; standard style is “unlimited-length strings.”

✏️ Proposed fix
-**Vulnerability:** The application accepted unlimited length strings for Name, Greeting, and System Instructions, posing a Denial of Service (DoS) risk.
+**Vulnerability:** The application accepted unlimited-length strings for Name, Greeting, and System Instructions, posing a Denial of Service (DoS) risk.
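Review bot: beyond the hyphen, the Vulnerability sentence says the three fields pose a DoS risk without naming what is exhausted or where (rendering in the browser, or whatever consumes the config downstream). Stating the affected sink in this entry would let a reader judge whether a client-side maxLength is a sufficient control or only the first layer.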
🧰 Tools
🪛 LanguageTool

[grammar] ~7-~7: Use a hyphen to join words.
Context: ...ty:** The application accepted unlimited length strings for Name, Greeting, and S...

(QB_NEW_EN_HYPHEN)
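
The defense-in-depth point raised in the review above, as an added TypeScript example (not code from this PR or repository): enforce the limits on the config object itself before it is handed on, without splitting a surrogate pair, and report which fields were changed. The limits and PersonaConfig fields come from this page; `enforceLimits`, `truncateSafely`, `fill` and the sample preset are hypothetical names and constructed data.

```typescript
// Limits as listed in the PR walkthrough for constants.ts.
const MAX_INPUT_LENGTHS = { name: 50, systemInstruction: 2000, greeting: 500, description: 100 } as const;

// Shape from the class diagram on this page; `voice` simplified to string (assumption).
interface PersonaConfig {
  name: string;
  systemInstruction: string;
  greeting: string;
  voice: string;
}

type LimitedField = 'name' | 'systemInstruction' | 'greeting';
const LIMITED_FIELDS: LimitedField[] = ['name', 'systemInstruction', 'greeting'];

// Cut to at most `limit` UTF-16 code units (the unit maxLength counts) and
// back off one unit if the cut would leave a lone high surrogate at the end.
function truncateSafely(value: string, limit: number): string {
  if (value.length <= limit) return value;
  let end = limit;
  const last = value.charCodeAt(end - 1);
  if (last >= 0xd800 && last <= 0xdbff) end -= 1;
  return value.slice(0, end);
}

// Hypothetical boundary check: run on every config before it leaves the UI,
// whether it came from typing, a preset, or restored state.
function enforceLimits(config: PersonaConfig): { config: PersonaConfig; adjusted: LimitedField[] } {
  const out: PersonaConfig = { ...config };
  const adjusted: LimitedField[] = [];
  for (const field of LIMITED_FIELDS) {
    const raw: unknown = config[field];
    // Untyped sources (JSON, storage) can deliver non-strings despite the type.
    const value = typeof raw === 'string' ? raw : '';
    const safe = truncateSafely(value, MAX_INPUT_LENGTHS[field]);
    if (safe !== raw) adjusted.push(field);
    out[field] = safe;
  }
  return { config: out, adjusted };
}

// ES5-safe string builder so the block runs under any compiler target.
function fill(ch: string, n: number): string {
  return new Array(n + 1).join(ch);
}

// Constructed sample: a preset that never passed through an <input maxLength>.
const oversizedPreset: PersonaConfig = {
  name: fill('A', 49) + '\uD83D\uDE00tail', // emoji straddles the 50-unit limit
  systemInstruction: fill('x', 5000),
  greeting: 'Hello',
  voice: 'default',
};
const result = enforceLimits(oversizedPreset);
console.log(result.adjusted, result.config.name.length, result.config.systemInstruction.length);
```

The `adjusted` list lets the caller log or reject an over-limit config instead of shortening it silently.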

