docs: Report DoS vulnerability in docker wait

[Vaiditya2207]

Identified and documented a Denial of Service vulnerability in the syscore docker manager execution logic where the thread waits indefinitely for untrusted code to exit without a timeout. Documented as a GitHub issue in SECURITY_ISSUE.md and updated the Sentinel journal .jules/sentinel.md.

---

PR created automatically by Jules for task 4689154780573314163 started by @Vaiditya2207

Summary by CodeRabbit

• Documentation
  • Updated security docs with a detailed Denial of Service analysis for unbounded container execution and recommended timeout/termination mitigations.
  • Added a sentinel entry documenting resource-exhaustion risks from indefinitely running processes and remediation guidance.
• Tests
  • CI workflow updated to install Playwright browsers/dependencies during runs instead of relying on a prebuilt container image.

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
okernel	Ready	Preview, Comment	Mar 31, 2026 9:53pm

[coderabbitai]

Warning

Rate limit exceeded

@Vaiditya2207 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 17 minutes and 41 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 17 minutes and 41 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 13f51421-6b46-4e6c-bf49-0ac8caf9df14

📥 Commits

Reviewing files that changed from the base of the PR and between 8c2a040 and 90cc4e9.

📒 Files selected for processing (1)

• .github/workflows/tests.yml

📝 Walkthrough

Walkthrough

Documentation and CI workflow updates: added a sentinel entry describing an unbounded Docker container wait in ContainerManager::execute; replaced an arbitrary-file-write narrative in SECURITY_ISSUE.md with a Denial of Service description and remediation; and modified GitHub Actions to remove the job container and install Playwright with npx playwright install --with-deps.

Changes

Cohort / File(s)	Summary
Security Sentinel Documentation .jules/sentinel.md	Appended 2026-03-31 sentinel entry documenting DoS risk from unbounded Docker container waits in ContainerManager::execute (no code changes).
Security Issue Documentation SECURITY_ISSUE.md	Rewrote vulnerability narrative from arbitrary file write/path traversal to Denial of Service caused by unbounded docker.wait_container(...).next().await; updated reproduction, impact, and remediation guidance (recommend tokio::time::timeout and container kill on timeout).
CI Workflow .github/workflows/tests.yml	Removed job-level Docker container image for test-web and added explicit npx playwright install --with-deps step to install Playwright browsers/deps during workflow run.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

documentation, security, ci

Poem

🐇 I nibble bytes where timeouts sleep,
A container lingers, promises keep.
I thump the log and plant a sign,
"Wrap waits in timeouts, end the line."
Hop, patch, and peace — the system's fine.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: documenting a DoS vulnerability in docker wait logic, which is reflected in updates to SECURITY_ISSUE.md and the sentinel entry.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/sentinel-dos-docker-wait-4689154780573314163

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@SECURITY_ISSUE.md`:
- Around line 40-61: The doc sample must match the remediation: wrap the
self.docker.wait_container::<String>(&id, None).next() future with
tokio::time::timeout(Duration::from_secs(...)) and, on timeout (Err), first
attempt to stop the container via self.docker.stop_container(&id, None).await
and then remove it (force if needed) via self.docker.remove_container(&id, /*
force/remove options */).await; ensure tracing logs reflect both the timeout and
the subsequent stop+remove actions so the example implements “kill and remove”
rather than only stopping the container.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: bd5e348a-9870-4fc2-baee-3157fe7b75e3

📥 Commits

Reviewing files that changed from the base of the PR and between 0d72e5f and 5247705.

📒 Files selected for processing (2)

• .jules/sentinel.md
• SECURITY_ISSUE.md

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Align remediation text and sample code on timeout handling.

Line 40 says to kill and remove the container, but the example only calls stop_container. Please make the snippet match the stated remediation (or adjust the text) to avoid ambiguous fixes.

Suggested doc patch

-Wrap the `docker.wait_container` call with an explicit timeout using `tokio::time::timeout`. If the timeout expires before the container finishes, forcibly kill and remove the container to free up resources.
+Wrap the `docker.wait_container` call with an explicit timeout using `tokio::time::timeout`. If the timeout expires before the container finishes, explicitly stop/kill it and remove it to free up resources.
@@
     Err(_) => {
         tracing::error!("[Job {}] Execution timed out, killing container...", job_id);
-        // Force remove or stop container here
+        // Stop/kill timed-out container
         let _ = self.docker.stop_container(&id, None).await;
+        // Remove container after stop to avoid resource buildup
+        // let _ = self.docker.remove_container(&id, None).await;
     }
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@SECURITY_ISSUE.md` around lines 40 - 61, The doc sample must match the
remediation: wrap the self.docker.wait_container::<String>(&id, None).next()
future with tokio::time::timeout(Duration::from_secs(...)) and, on timeout
(Err), first attempt to stop the container via self.docker.stop_container(&id,
None).await and then remove it (force if needed) via
self.docker.remove_container(&id, /* force/remove options */).await; ensure
tracing logs reflect both the timeout and the subsequent stop+remove actions so
the example implements “kill and remove” rather than only stopping the
container.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/tests.yml:
- Around line 37-38: The workflow sets HOME globally to /root causing
Playwright's "Install Playwright Browsers" step to fail; update the "Install
Playwright Browsers" job step to override HOME for that step (e.g., set env HOME
to runner's default like $HOME or omit /root) so npx playwright install
--with-deps can write caches and browser files; locate the step named "Install
Playwright Browsers" and add a step-level env override for HOME to the
appropriate non-root value.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: f6eb412c-6178-4286-a650-caae484a507b

📥 Commits

Reviewing files that changed from the base of the PR and between 5247705 and 8c2a040.

📒 Files selected for processing (1)

• .github/workflows/tests.yml

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "Checking HOME override:"
rg -n '^\s*HOME:\s*/root' .github/workflows/tests.yml

echo
echo "Checking Playwright install step:"
rg -n 'playwright install --with-deps' .github/workflows/tests.yml

echo
echo "Checking for job-level container config (should be absent now):"
rg -n '^\s*container:' .github/workflows/tests.yml || true

Repository: Vaiditya2207/OKernel

Length of output: 259

---

playwright install will fail here because HOME is still forced to /root.

Line 37-38 introduces a Playwright install step on the host runner, but line 18 sets HOME: /root. On ubuntu-latest runners (which execute as non-root), this causes permission and cache write failures during browser installation.

Override HOME at the step level:

Proposed fix

       - name: Install Playwright Browsers
-        run: npx playwright install --with-deps
+        run: HOME=/home/runner npx playwright install --with-deps

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- name: Install Playwright Browsers
	run: npx playwright install --with-deps
	- name: Install Playwright Browsers
	run: HOME=/home/runner npx playwright install --with-deps

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/tests.yml around lines 37 - 38, The workflow sets HOME
globally to /root causing Playwright's "Install Playwright Browsers" step to
fail; update the "Install Playwright Browsers" job step to override HOME for
that step (e.g., set env HOME to runner's default like $HOME or omit /root) so
npx playwright install --with-deps can write caches and browser files; locate
the step named "Install Playwright Browsers" and add a step-level env override
for HOME to the appropriate non-root value.