
fix(security): [CRITICAL] resolve Denial of Service (DoS) via memory exhaustion in automaton builders#170

Open
Tugamer89 wants to merge 1 commit into main from fix-security-dos-max-states-16975968773069851637

Conversation

@Tugamer89

Owner

Severity: CRITICAL
Vulnerability: Denial of Service (DoS) via memory exhaustion in automaton builders. The AbstractAutomatonBuilder allowed an unbounded number of states to be added, leading to potential OutOfMemoryError and application crashes when constructing overly large or malicious automata.
Impact: An attacker or malicious input could cause the system to allocate massive amounts of memory for states, leading to application downtime.
Fix: Introduced a MAX_STATES limit (10000) in AbstractAutomatonBuilder.java and enforced it inside the addState method. A descriptive IllegalStateException is thrown when the limit is exceeded.
Verification: Added testAddState_ExceedsMaxStates in AbstractAutomatonBuilderTest.java to verify that attempting to add more than 10000 states securely throws an IllegalStateException. Ran mvn test and mvn spotless:apply to ensure functionality and formatting.


PR created automatically by Jules for task 16975968773069851637 started by @Tugamer89

…exhaustion in automaton builders

Adds a MAX_STATES limit (10000) to AbstractAutomatonBuilder to prevent state explosion and memory exhaustion DoS attacks during manual automaton construction.

Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
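The bounded addState that the PR description above outlines, as an added sketch that is not the project's code: the builder class, its internal state list and the exception message are assumed here, only the MAX_STATES value of 10000, the addState name and the IllegalStateException come from the page. The main method walks through what a test such as testAddState_ExceedsMaxStates verifies: the first 10000 additions succeed and the next one fails fast instead of growing the heap.

```java
import java.util.ArrayList;
import java.util.List;

// Hypothetical stand-in for AbstractAutomatonBuilder (not the project's class).
public class BoundedAutomatonBuilder {
    // Hard cap on the number of states; the same value the PR introduces.
    public static final int MAX_STATES = 10_000;

    // Assumed representation: one entry per state id.
    private final List<Integer> states = new ArrayList<>();

    // Every state goes through this method, so the cap is checked on each call.
    // Before the fix, the list could grow without bound on attacker-controlled input,
    // ending in an OutOfMemoryError; now the caller gets a descriptive exception.
    public int addState() {
        if (states.size() >= MAX_STATES) {
            throw new IllegalStateException(
                "Cannot add state: MAX_STATES limit of " + MAX_STATES + " reached");
        }
        int id = states.size();
        states.add(id);
        return id;
    }

    public int stateCount() {
        return states.size();
    }

    // Mirrors the check in a test like testAddState_ExceedsMaxStates:
    // MAX_STATES additions succeed, the (MAX_STATES + 1)th throws.
    public static void main(String[] args) {
        BoundedAutomatonBuilder builder = new BoundedAutomatonBuilder();
        for (int i = 0; i < MAX_STATES; i++) {
            builder.addState();
        }
        try {
            builder.addState();
            throw new AssertionError("expected IllegalStateException");
        } catch (IllegalStateException e) {
            System.out.println("limit enforced at " + builder.stateCount()
                + " states: " + e.getMessage());
        }
    }
}
```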
@google-labs-jules

Contributor

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.


For security, I will only act on instructions from the user who triggered this task.

