Skip to content

πŸ›‘οΈ Sentinel: [λ³΄μ•ˆ κ°œμ„ ] YouTube URL μž…λ ₯에 μ΅œλŒ€ 길이 μ œν•œ μΆ”κ°€ (DoS λ°©μ§€)#498

Closed
seonghobae wants to merge 2 commits into
developfrom
sentinel-input-length-limit-16441119045255669024
Closed

πŸ›‘οΈ Sentinel: [λ³΄μ•ˆ κ°œμ„ ] YouTube URL μž…λ ₯에 μ΅œλŒ€ 길이 μ œν•œ μΆ”κ°€ (DoS λ°©μ§€)#498
seonghobae wants to merge 2 commits into
developfrom
sentinel-input-length-limit-16441119045255669024

Conversation

@seonghobae

Copy link
Copy Markdown
Collaborator

πŸ›‘οΈ Sentinel: [λ³΄μ•ˆ κ°œμ„ ] YouTube URL μž…λ ₯에 μ΅œλŒ€ 길이 μ œν•œ μΆ”κ°€ (DoS λ°©μ§€)

<Input> μ»΄ν¬λ„ŒνŠΈμ˜ YouTube URL μž…λ ₯λž€μ— maxLength={2048} 속성을 μΆ”κ°€ν•˜μ—¬, μ‚¬μš©μžκ°€ μ˜λ„μΉ˜ μ•Šκ²Œ 맀우 κΈ΄ λ¬Έμžμ—΄μ„ λΆ™μ—¬λ„£μ–΄ λ°œμƒν•  수 μžˆλŠ” λ©”λͺ¨λ¦¬ 고갈 및 UI μ„±λŠ₯ μ €ν•˜(Denial of Service) μœ„ν—˜μ„ λ°©μ§€ν•©λ‹ˆλ‹€.

  • 🚨 심각도: λ³΄μ•ˆ κ°œμ„  (Enhancement)
  • πŸ’‘ 취약점: UI κ³„μΈ΅μ˜ μž…λ ₯ 길이 μ œν•œ λΆ€μž¬ (잠재적 DoS)
  • 🎯 영ν–₯: 맀우 κΈ΄ λ¬Έμžμ—΄ μž…λ ₯ μ‹œ ν΄λΌμ΄μ–ΈνŠΈ λ¦¬μ†ŒμŠ€ 고갈
  • πŸ”§ μˆ˜μ •: <Input> 에 maxLength 속성 μΆ”κ°€ 및 κ΄€λ ¨ ν…ŒμŠ€νŠΈ(App.test.tsx) μž‘μ„±
  • βœ… 검증: 100% ν…ŒμŠ€νŠΈ 컀버리지 달성, λͺ¨λ“  μ›Œν¬μŠ€νŽ˜μ΄μŠ€ ν…ŒμŠ€νŠΈ 및 quickcheck.sh 톡과 μ™„λ£Œ

PR created automatically by Jules for task 16441119045255669024 started by @seonghobae

`<Input>` μ»΄ν¬λ„ŒνŠΈμ˜ YouTube URL μž…λ ₯λž€μ— `maxLength={2048}` 속성을 μΆ”κ°€ν•˜μ—¬, μ‚¬μš©μžκ°€ μ˜λ„μΉ˜ μ•Šκ²Œ 맀우 κΈ΄ λ¬Έμžμ—΄μ„ λΆ™μ—¬λ„£μ–΄ λ°œμƒν•  수 μžˆλŠ” λ©”λͺ¨λ¦¬ 고갈 및 UI μ„±λŠ₯ μ €ν•˜(Denial of Service) μœ„ν—˜μ„ λ°©μ§€ν•©λ‹ˆλ‹€.

🚨 심각도: λ³΄μ•ˆ κ°œμ„  (Enhancement)
πŸ’‘ 취약점: UI κ³„μΈ΅μ˜ μž…λ ₯ 길이 μ œν•œ λΆ€μž¬ (잠재적 DoS)
🎯 영ν–₯: 맀우 κΈ΄ λ¬Έμžμ—΄ μž…λ ₯ μ‹œ ν΄λΌμ΄μ–ΈνŠΈ λ¦¬μ†ŒμŠ€ 고갈
πŸ”§ μˆ˜μ •: `<Input>` 에 `maxLength` 속성 μΆ”κ°€ 및 κ΄€λ ¨ ν…ŒμŠ€νŠΈ(`App.test.tsx`) μž‘μ„±
βœ… 검증: 100% ν…ŒμŠ€νŠΈ 컀버리지 달성, λͺ¨λ“  μ›Œν¬μŠ€νŽ˜μ΄μŠ€ ν…ŒμŠ€νŠΈ 및 `quickcheck.sh` 톡과 μ™„λ£Œ
@google-labs-jules

Copy link
Copy Markdown

πŸ‘‹ Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a πŸ‘€ emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.

@opencode-agent opencode-agent Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

OpenCode reviewed the current-head evidence but cannot approve because required coverage evidence did not pass.

Findings

1. HIGH .github/workflows/opencode-review.yml:1 - Coverage evidence did not prove required test/docstring evidence

  • Problem: The OpenCode approval path reached an APPROVE control result while the separate coverage-evidence job result was failure.

  • Root cause: Automated approval is only valid when the same-head coverage-evidence job proves supported repository test suites passed and configured docstring gates passed or were advisory, or reports not applicable because no supported source files or package manifests exist. Missing, failed, skipped, unavailable, or unsupported-tooling test evidence is a blocker.

  • Fix: Install or configure the repository test/docstring evidence tooling when source files or package manifests exist, rerun the current-head coverage-evidence job, and approve only after it reports success with required evidence or explicit no-source not-applicable evidence.

  • Regression test: Keep the approval branch checking needs.coverage-evidence.result == success before posting APPROVE.

  • Result: REQUEST_CHANGES

  • Reason: coverage-evidence result was failure, so required test/docstring evidence was not proven for current head 59469e0923eeaf686e5a8b3d4668fb7f73585e9e.

  • Head SHA: 59469e0923eeaf686e5a8b3d4668fb7f73585e9e

  • Workflow run: 28365141945

  • Workflow attempt: 1

Coverage evidence

Coverage Evidence

  • Head SHA: 59469e0923eeaf686e5a8b3d4668fb7f73585e9e
  • Required test evidence: supported repository test suites must pass.
  • Required docstring evidence: repository-owned docstring gates must pass when configured; otherwise docstring coverage is advisory.

Python project dependencies (services/analysis-engine)

Using CPython 3.12.3 interpreter at: /usr/bin/python3.12
Creating virtual environment at: services/analysis-engine/.venv
Resolved 49 packages in 0.57ms
   Building bandscope-analysis @ file:///home/runner/work/bandscope/bandscope/pr-head/services/analysis-engine
Downloading scipy (33.6MiB)
Downloading yt-dlp (3.0MiB)
Downloading mypy (13.0MiB)
Downloading numpy (15.8MiB)
Downloading llvmlite (53.7MiB)
Downloading pygments (1.2MiB)
Downloading scikit-learn (8.5MiB)
Downloading numba (3.6MiB)
Downloading ruff (10.7MiB)
Downloading soundfile (1.3MiB)
 Downloaded soundfile
 Downloaded pygments
      Built bandscope-analysis @ file:///home/runner/work/bandscope/bandscope/pr-head/services/analysis-engine
 Downloaded numba
 Downloaded ruff
 Downloaded scikit-learn
 Downloaded yt-dlp
 Downloaded numpy
 Downloaded llvmlite
 Downloaded scipy
 Downloaded mypy
Prepared 44 packages in 2.03s
Installed 44 packages in 70ms
 + audioread==3.1.0
 + bandit==1.9.4
 + bandscope-analysis==0.1.0 (from file:///home/runner/work/bandscope/bandscope/pr-head/services/analysis-engine)
 + certifi==2026.2.25
 + cffi==2.0.0
 + charset-normalizer==3.4.6
 + coverage==7.13.4
 + decorator==5.2.1
 + idna==3.18
 + iniconfig==2.3.0
 + joblib==1.5.3
 + lazy-loader==0.5
 + librosa==0.11.0
 + librt==0.8.1
 + llvmlite==0.45.1
 + markdown-it-py==4.0.0
 + mdurl==0.1.2
 + msgpack==1.2.1
 + mypy==1.19.1
 + mypy-extensions==1.1.0
 + numba==0.62.1
 + numpy==2.3.5
 + packaging==26.0
 + pathspec==1.0.4
 + platformdirs==4.9.4
 + pluggy==1.6.0
 + pooch==1.9.0
 + pycparser==3.0
 + pygments==2.20.0
 + pytest==9.0.3
 + pytest-cov==7.0.0
 + pyyaml==6.0.3
 + requests==2.33.0
 + rich==15.0.0
 + ruff==0.15.5
 + scikit-learn==1.8.0
 + scipy==1.17.1
 + soundfile==0.13.1
 + soxr==1.0.0
 + stevedore==5.7.0
 + threadpoolctl==3.6.0
 + typing-extensions==4.15.0
 + urllib3==2.7.0
 + yt-dlp==2026.6.9
  • Result: PASS

Python test suite (services/analysis-engine)

============================= test session starts ==============================
platform linux -- Python 3.12.3, pytest-9.0.3, pluggy-1.6.0
rootdir: /home/runner/work/bandscope/bandscope/pr-head/services/analysis-engine
configfile: pyproject.toml
plugins: cov-7.0.0
collected 441 items

tests/test_activity.py ........                                          [  1%]
tests/test_anchors.py ....                                               [  2%]
tests/test_api.py .........................                              [  8%]
tests/test_chord_recognizer.py ....................                      [ 12%]
tests/test_chords.py .........................                           [ 18%]
tests/test_cli.py .................                                      [ 22%]
tests/test_health.py .                                                   [ 22%]
tests/test_pipeline_integration.py .........                             [ 24%]
tests/test_pitch_tracker.py ...............                              [ 28%]
tests/test_priority.py .......                                           [ 29%]
tests/test_ranges.py ...................                                 [ 34%]
tests/test_release_asset_selection.py ........                           [ 35%]
tests/test_release_metadata.py .......                                   [ 37%]
tests/test_release_packaging.py .........                                [ 39%]
tests/test_roles.py .......                                              [ 41%]
tests/test_roles_ml.py ...                                               [ 41%]
tests/test_sections.py ...                                               [ 42%]
tests/test_sections_utils.py ....                                        [ 43%]
tests/test_segmenter.py .....................                            [ 48%]
tests/test_separation.py .................................               [ 55%]
tests/test_supply_chain_policy.py ...................................... [ 64%]
........................................................................ [ 80%]
.....................................................                    [ 92%]
tests/test_temporal.py .........                                         [ 94%]
tests/test_transcription.py ...                                          [ 95%]
tests/test_tuning.py .....                                               [ 96%]
tests/test_youtube.py ................                                   [100%]

=============================== warnings summary ===============================
tests/test_pipeline_integration.py::test_pipeline_without_detected_sections_falls_back
tests/test_roles.py::test_role_extractor_falls_back_when_activity_detection_fails
  /home/runner/work/bandscope/bandscope/pr-head/services/analysis-engine/.venv/lib/python3.12/site-packages/librosa/core/pitch.py:103: UserWarning: Trying to estimate tuning from empty frequency set.
    return pitch_tuning(

tests/test_roles.py::test_role_extractor_falls_back_when_activity_detection_fails
  /home/runner/work/bandscope/bandscope/pr-head/services/analysis-engine/.venv/lib/python3.12/site-packages/librosa/core/spectrum.py:266: UserWarning: n_fft=2048 is too large for input signal of length=100
    warnings.warn(

-- Docs: https://docs.pytest.org/en/stable/how-to/capture-warnings.html
================== 441 passed, 3 warnings in 72.19s (0:01:12) ==================
  • Result: PASS

Python docstring coverage

  • Result: DEFERRED
  • Reason: package.json defines check:python-docstrings; repository-owned docstring coverage runs after package dependency setup.

JavaScript/TypeScript dependencies (npm ci)


added 272 packages, and audited 275 packages in 8s

71 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities
  • Result: PASS

Repository docstring coverage


> [email protected] check:python-docstrings
> sh -c 'cd services/analysis-engine && uv run ruff check src tests ../../scripts --select D100,D101,D102,D103,D104,D105,D106,D107'

All checks passed!
  • Result: PASS

JavaScript/TypeScript test coverage


> [email protected] test
> npm run test --workspaces --if-present && sh -c 'cd services/analysis-engine && uv run pytest tests --cov=src/bandscope_analysis --cov-report=term-missing --cov-fail-under=100' --coverage


> @bandscope/[email protected] test
> node -e "require('node:fs').mkdirSync('coverage/.tmp', { recursive: true })" && vitest run --coverage


οΏ½[1mοΏ½[30mοΏ½[46m RUN οΏ½[49mοΏ½[39mοΏ½[22m οΏ½[36mv4.1.9 οΏ½[39mοΏ½[90m/home/runner/work/bandscope/bandscope/pr-head/apps/desktopοΏ½[39m
      οΏ½[2mCoverage enabled with οΏ½[22mοΏ½[33mv8οΏ½[39m

 οΏ½[32mβœ“οΏ½[39m src/lib/export.test.ts οΏ½[2m(οΏ½[22mοΏ½[2m16 testsοΏ½[22mοΏ½[2m)οΏ½[22mοΏ½[32m 17οΏ½[2mmsοΏ½[22mοΏ½[39m
 οΏ½[32mβœ“οΏ½[39m src/lib/analysis.test.ts οΏ½[2m(οΏ½[22mοΏ½[2m14 testsοΏ½[22mοΏ½[2m)οΏ½[22mοΏ½[32m 24οΏ½[2mmsοΏ½[22mοΏ½[39m
 οΏ½[32mβœ“οΏ½[39m src/features/workspace/Workspace.test.tsx οΏ½[2m(οΏ½[22mοΏ½[2m11 testsοΏ½[22mοΏ½[2m)οΏ½[22mοΏ½[33m 2077οΏ½[2mmsοΏ½[22mοΏ½[39m
     οΏ½[33mοΏ½[2mβœ“οΏ½[22mοΏ½[39m enables bass transcription from selected role metadata rather than role id text οΏ½[33m 481οΏ½[2mmsοΏ½[22mοΏ½[39m
 οΏ½[32mβœ“οΏ½[39m src/components/ui/ui-primitives.test.tsx οΏ½[2m(οΏ½[22mοΏ½[2m7 testsοΏ½[22mοΏ½[2m)οΏ½[22mοΏ½[32m 261οΏ½[2mmsοΏ½[22mοΏ½[39m
 οΏ½[32mβœ“οΏ½[39m src/i18n/index.test.ts οΏ½[2m(οΏ½[22mοΏ½[2m9 testsοΏ½[22mοΏ½[2m)οΏ½[22mοΏ½[32m 8οΏ½[2mmsοΏ½[22mοΏ½[39m
οΏ½[90mstderrοΏ½[2m | src/App.test.tsxοΏ½[2m > οΏ½[22mοΏ½[2mAppοΏ½[2m > οΏ½[22mοΏ½[2mapplies pushed analysis status updates over the IPC event bridge
οΏ½[22mοΏ½[39mAn update to App inside a test was not wrapped in act(...).

When testing, code that causes React state updates should be wrapped into act(...):

act(() => {
  /* fire events that update state */
});
/* assert on the output */

This ensures that you're testing the behavior the user would see in the browser. Learn more at https://react.dev/link/wrap-tests-with-act

οΏ½[90mstderrοΏ½[2m | src/App.test.tsxοΏ½[2m > οΏ½[22mοΏ½[2mAppοΏ½[2m > οΏ½[22mοΏ½[2mapplies pushed analysis status updates over the IPC event bridge
οΏ½[22mοΏ½[39mAn update to App inside a test was not wrapped in act(...).

When testing, code that causes React state updates should be wrapped into act(...):

act(() => {
  /* fire events that update state */
});
/* assert on the output */

This ensures that you're testing the behavior the user would see in the browser. Learn more at https://react.dev/link/wrap-tests-with-act
An update to App inside a test was not wrapped in act(...).

When testing, code that causes React state updates should be wrapped into act(...):

act(() => {
  /* fire events that update state */
});
/* assert on the output */

This ensures that you're testing the behavior the user would see in the browser. Learn more at https://react.dev/link/wrap-tests-with-act
An update to App inside a test was not wrapped in act(...).

When testing, code that causes React state updates should be wrapped into act(...):

act(() => {
  /* fire events that update state */
});
/* assert on the output */

This ensures that you're testing the behavior the user would see in the browser. Learn more at https://react.dev/link/wrap-tests-with-act
An update to App inside a test was not wrapped in act(...).

When testing, code that causes React state updates should be wrapped into act(...):

act(() => {
  /* fire events that update state */
});

## Change Flow DAG

```mermaid
flowchart LR
  PR["PR changed files"] --> Evidence["OpenCode bounded evidence"]
  Evidence --> S1["Changed file (3 files)"]
  S1 --> I1["repository behavior"]
  I1 --> R1["Review risk: Changed file (3 files)"]
  R1 --> V1["required checks"]

@opencode-agent

opencode-agent Bot commented Jun 29, 2026

Copy link
Copy Markdown

OpenCode Review Overview

  • Head SHA: 90c3d3dd64fd5db0f8e279b05d140cbf6a8852ad
  • Workflow run: 28506044083
  • Workflow attempt: 1
  • Gate result: APPROVE (exit 0)

Changed-File Evidence Map

flowchart LR
  PR["PR changed files"] --> Evidence["OpenCode bounded evidence"]
  Evidence --> S1["Changed file (3 files)"]
  S1 --> I1["repository behavior"]
  I1 --> R1["Review risk: Changed file (3 files)"]
  R1 --> V1["required checks"]
Loading

…gth-limit-16441119045255669024

# Conflicts:
#	apps/desktop/src/App.tsx
Copilot AI review requested due to automatic review settings July 1, 2026 09:01

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adds a client-side length cap to the desktop app’s YouTube URL input to reduce risk of UI slowdowns/memory pressure from extremely long pasted strings, and documents the security learning in Sentinel notes.

Changes:

  • Add maxLength={2048} to the YouTube URL <Input /> in App.tsx.
  • Add a React Testing Library assertion to ensure the maxLength attribute is present.
  • Record the mitigation and prevention guidance in .jules/sentinel.md.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File Description
apps/desktop/src/App.tsx Adds maxLength={2048} to the YouTube URL input to constrain pasted/typed input length.
apps/desktop/src/App.test.tsx Adds a unit test asserting the YouTube URL input includes the maxLength attribute.
.jules/sentinel.md Documents the input length limit mitigation as a Sentinel security learning entry.

πŸ’‘ Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@seonghobae

Copy link
Copy Markdown
Collaborator Author

Superseded by #528. The replacement keeps the URL length-limit mitigation, adds import-path enforcement across TypeScript/Rust/Python, shares the same cap with the rendered input, and avoids unrelated churn.

@seonghobae

Copy link
Copy Markdown
Collaborator Author

Closing as superseded by clean replacement #528.

@seonghobae seonghobae closed this Jul 2, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants