
🛡️ Sentinel: Limit concurrent daemon socket connections to prevent DoS #89

Open
minibota wants to merge 1 commit into main from security/nightly-2026-01-28-9011405027792562287
@minibota
Contributor

Vulnerability:
The daemon's socket listener (startSocketListener in cmd/daemon.go) spawned a new goroutine for every incoming connection without any concurrency limit. This allowed a local attacker to cause a Denial of Service (DoS) by opening thousands of connections and keeping them idle, exhausting system resources (goroutines and memory).

Fix:
Implemented a semaphore pattern using a buffered channel (maxConcurrentConnections = 50). The listener now acquires a token before spawning a handler goroutine and releases it upon completion. This limits the number of active handlers to 50, providing backpressure to the OS socket backlog when the limit is reached.

Verification:
Added a new regression test TestConcurrencyLimit in cmd/security_concurrency_test.go. The test:

  1. Overrides the limit to 10.
  2. Spawns 50 concurrent client connections.
  3. Verifies that the number of goroutines increases by ~60 (50 clients + 10 handlers) instead of ~100 (unbounded).

Risk Assessment:

  • Impact: Prevents local resource exhaustion DoS.
  • Regression Risk: Low. Legitimate traffic exceeding 50 concurrent active execution reports (which is very high for a single agent) will face delays (queued in OS backlog) or timeouts, which is the intended fail-safe behavior.
  • Compatibility: No API changes.

PR created automatically by Jules for task 9011405027792562287 started by @minibota

Implemented a semaphore in `startSocketListener` to limit the number of
concurrent active socket connections to 50. This prevents a local Denial
of Service (DoS) attack where an attacker could exhaust system resources
(goroutines, memory) by opening thousands of idle connections.

Added `cmd/security_concurrency_test.go` to verify the regression.
Updated `.jules/sentinel.md` with the security finding.

Co-authored-by: minibota <1483356+minibota@users.noreply.github.com>
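
A minimal sketch of the buffered-channel semaphore the description and commit message refer to, added here as an illustration; it is not the code from `cmd/daemon.go`. The names `serveLimited` and `runDemo`, the temporary socket path, the limits and the 100 ms read deadline are assumptions of this sketch, and the page does not say whether the daemon sets a read deadline.

```go
package main

import (
	"fmt"
	"net"
	"os"
	"path/filepath"
	"time"
)

// serveLimited (hypothetical name) serves ln with at most limit handler goroutines and
// returns, once ln is closed, the highest number of slots it saw in use.
func serveLimited(ln net.Listener, limit int, idle time.Duration) (peak int) {
	sem := make(chan struct{}, limit) // buffered channel as a counting semaphore
	for {
		sem <- struct{}{} // acquire before Accept: at the limit, clients wait in the OS backlog
		conn, err := ln.Accept()
		if err != nil { // listener closed
			return peak
		}
		if n := len(sem); n > peak { // slots in use, counting this connection
			peak = n
		}
		go func() {
			defer func() { conn.Close(); <-sem }() // always release the slot
			// Without a deadline, `limit` idle clients would hold every slot forever.
			conn.SetReadDeadline(time.Now().Add(idle))
			conn.Read(make([]byte, 512)) // stand-in for reading and handling one report
		}()
	}
}

// runDemo queues `clients` idle connections (constructed load) on a temporary Unix socket.
func runDemo(clients, limit int) int {
	dir, _ := os.MkdirTemp("", "sem")
	defer os.RemoveAll(dir)
	ln, err := net.Listen("unix", filepath.Join(dir, "d.sock"))
	if err != nil {
		panic(err)
	}
	for i := 0; i < clients; i++ { // connect and never send; waits in the backlog
		if c, err := net.Dial("unix", ln.Addr().String()); err == nil {
			defer c.Close()
		}
	}
	time.AfterFunc(time.Second, func() { ln.Close() }) // end the demo after 1s
	return serveLimited(ln, limit, 100*time.Millisecond)
}

func main() { fmt.Println("peak handlers:", runDemo(10, 3)) }
```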
@google-labs-jules
Contributor

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.
