🛡️ Sentinel: Enforce input length limits to prevent DoS

[tblakex01]

🛡️ Sentinel Security Update

Severity: MEDIUM (DoS Risk)

Vulnerability:
The WelcomeScreen component lacked input validation, allowing users to enter arbitrarily large strings for Name, System Instructions, and Greeting. This could potentially be used to send excessive data to the backend or cause performance issues.

Fix:

1. Defined MAX_INPUT_LENGTHS in constants.ts.
2. Implemented strict length checks and truncation in WelcomeScreen.tsx state updates.
3. Added maxLength attributes to input elements.
4. Added character count indicators (e.g., 12/50) for better user feedback.
5. Bonus Fix: Restored missing <script type="module" src="/index.tsx"></script> in index.html which was preventing the app from loading during verification.

Verification:

• Updated WelcomeScreen.test.tsx to assert that inputs are truncated to the defined limits.
• Ran npm test successfully (all 328 tests passed).
• Verified frontend visually using Playwright (confirmed character counts and truncation).

---

PR created automatically by Jules for task 7113029068086227799 started by @tblakex01

Summary by Sourcery

Enforce input length limits and improve feedback for the Welcome screen to mitigate potential DoS risks and restore the main app script in the HTML entrypoint.

New Features:

• Add central MAX_INPUT_LENGTHS constants to define maximum lengths for persona-related text fields.
• Display live character counters for name, system instruction, and greeting inputs on the Welcome screen.

Bug Fixes:

• Enforce maximum lengths and truncation for Welcome screen inputs to prevent excessively long values from being stored or submitted.
• Restore the missing module script reference in index.html so the React app loads correctly.

Enhancements:

• Apply maxLength attributes and controlled truncation logic to Welcome screen form fields for more robust client-side validation.
• Document the new input validation security consideration in the Sentinel security notes.

Tests:

• Extend WelcomeScreen tests to cover character counters and ensure long inputs are truncated to configured maximum lengths.

Summary by CodeRabbit

• New Features

  • Input fields now enforce maximum character limits to prevent overflow and performance issues.
  • Real-time character counters display current input length against maximum allowed characters for Name, System Instructions, and Greeting fields.

• Documentation

  • Added security/learning documentation regarding input validation best practices.

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[sourcery-ai]

Reviewer's Guide

Adds centralized maximum length limits for persona-related inputs on the Welcome screen, enforces them both in React state and HTML attributes with user-visible character counters, updates tests and security documentation, and restores the main script tag in index.html so the app loads correctly.

Sequence diagram for enforcing input length on WelcomeScreen

sequenceDiagram
  actor User
  participant NameInput
  participant WelcomeScreen
  participant MAX_INPUT_LENGTHS
  participant Backend

  User->>NameInput: Type or paste very_long_name
  NameInput->>WelcomeScreen: onChange(value = very_long_name)
  WelcomeScreen->>WelcomeScreen: handleConfigChange(field = name, value)
  WelcomeScreen->>MAX_INPUT_LENGTHS: Read MAX_INPUT_LENGTHS.name
  alt value.length > MAX_INPUT_LENGTHS.name
    WelcomeScreen->>WelcomeScreen: finalValue = value.slice(0, MAX_INPUT_LENGTHS.name)
  else value.length <= MAX_INPUT_LENGTHS.name
    WelcomeScreen->>WelcomeScreen: finalValue = value
  end
  WelcomeScreen->>WelcomeScreen: setCustomConfig with name = finalValue
  WelcomeScreen-->>NameInput: Rerender with value = finalValue
  User->>WelcomeScreen: Click StartCall
  WelcomeScreen->>Backend: onStartCall(customConfig with truncated name)
  Backend-->>WelcomeScreen: Call started with bounded input
  WelcomeScreen-->>User: Call UI shown

Loading

Updated class diagram for WelcomeScreen and constants

classDiagram
  class WelcomeScreenProps {
    +onStartCall(config PersonaConfig) void
  }

  class PersonaConfig {
    +name string
    +description string
    +systemInstruction string
    +greeting string
    +voice VoiceName
  }

  class WelcomeScreen {
    -customConfig PersonaConfig
    -selectedPresetId string
    -selectedVoice VoiceName
    +WelcomeScreen(props WelcomeScreenProps)
    +handleConfigChange(field keyof_PersonaConfig, value string) void
    +handlePresetSelect(presetId string) void
    +handleStartCall() void
  }

  class MAX_INPUT_LENGTHS {
    <<constant_object>>
    +name number
    +description number
    +systemInstruction number
    +greeting number
  }

  class PERSONA_PRESETS {
    <<constant_array>>
    +items PersonaConfig_with_id[]
  }

  class PersonaConfig_with_id {
    +id string
    +name string
    +description string
    +systemInstruction string
    +greeting string
    +voice VoiceName
  }

  class VOICE_NAMES {
    <<constant_array>>
    +items VoiceName[]
  }

  class VoiceName {
    <<type_alias>>
  }

  WelcomeScreen --> WelcomeScreenProps : uses_props
  WelcomeScreen *-- PersonaConfig : manages_customConfig
  WelcomeScreen ..> MAX_INPUT_LENGTHS : enforces_length_limits
  WelcomeScreen ..> PERSONA_PRESETS : uses_default_presets
  WelcomeScreen ..> VOICE_NAMES : uses_allowed_voices
  PERSONA_PRESETS *-- PersonaConfig_with_id : contains
  PersonaConfig_with_id --> PersonaConfig : extends_shape
  VOICE_NAMES o-- VoiceName : elements_of_type

Loading

File-Level Changes

Change	Details	Files
Centralize and enforce maximum lengths for user-configurable persona fields in the Welcome screen UI and state.	Import global max length constants into the WelcomeScreen component and use them to guard persona config updates. Truncate incoming field values in the config change handler before storing them in component state, based on the field-specific maximums. Add maxLength attributes to text input and textarea elements for name, system instructions, and greeting. Display live character count indicators next to each persona input, reflecting the current value length versus the maximum.	components/WelcomeScreen.tsx constants.ts
Strengthen automated tests to cover length enforcement and new UX elements.	Add a test that asserts the character counter for the name field is rendered using preset values and defined limits. Update long-input tests to assert that pasted values are truncated to the configured maximum lengths for all persona fields. Adjust expectations for the data passed to onStartCall to ensure truncated values are used in outbound configs.	components/WelcomeScreen.test.tsx
Document the new input validation issue and ensure the app bootstraps correctly for verification.	Append a new Sentinel security entry describing the uncontrolled input length vulnerability, learnings, and prevention guidance. Restore the missing ES module script tag that loads index.tsx so the app renders in the browser.	.jules/sentinel.md index.html

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[coderabbitai]

📝 Walkthrough

Walkthrough

The changes implement input length validation for the WelcomeScreen component by introducing a MAX_INPUT_LENGTHS constant, truncating values in the component logic, adding character counters to the UI, and updating tests to verify the new constraints. A security documentation entry records the vulnerability that prompted these changes.

Changes

Cohort / File(s)	Summary
Documentation .jules/sentinel.md	Added dated security entry documenting an uncontrolled input length vulnerability in React forms with guidance on maxLength and state validation.
Constants & Configuration constants.ts	Introduced new exported constant MAX_INPUT_LENGTHS defining character limits for name, description, systemInstruction, and greeting fields.
Component Implementation components/WelcomeScreen.tsx	Added input validation with value truncation in handleConfigChange, enforced maxLength attributes on inputs/textareas, and implemented live character counters displaying current length versus maximum for name, system instructions, and greeting fields.
Component Tests components/WelcomeScreen.test.tsx	Updated imports to include MAX_INPUT_LENGTHS, added test for character counter display, renamed and refactored long-input tests to enforce and verify max-length truncation for name, systemInstruction, and greeting fields.
Build Configuration index.html	Added module script tag to load /index.tsx as the application entry point, enabling TSX bootstrapping.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• PR #30: Both PRs modify components/WelcomeScreen.test.tsx and focus on input-handling tests for WelcomeScreen; this PR extends that work by adding validation logic and character limit constants to enforce the constraints.

Poem

🐰 Hop, hop, the inputs now have bounds,
No more wild characters sprawling around,
With counters that click and maxLength held tight,
The forms are secure and properly sized right! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly summarizes the main change: enforcing input length limits in the application to prevent DoS attacks, which is the core objective of this PR.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch sentinel/input-validation-fix-7113029068086227799

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[greptile-apps]

Your free trial has ended. If you'd like to continue receiving code reviews, you can add a payment method here.

[sourcery-ai]

Hey - I've left some high level feedback:

• The handleConfigChange truncation logic could be simplified by looking up the max length from MAX_INPUT_LENGTHS[field] (with appropriate typing) instead of a three-branch if/else chain, which will make it easier to extend when new fields are added.
• MAX_INPUT_LENGTHS.description is defined but not used anywhere in this PR; consider either wiring it into the relevant input or removing it to avoid confusion about dead configuration.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The `handleConfigChange` truncation logic could be simplified by looking up the max length from `MAX_INPUT_LENGTHS[field]` (with appropriate typing) instead of a three-branch `if/else` chain, which will make it easier to extend when new fields are added.
- `MAX_INPUT_LENGTHS.description` is defined but not used anywhere in this PR; consider either wiring it into the relevant input or removing it to avoid confusion about dead configuration.

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}