fix: prevent body DoS and Prometheus label injection in telemetry handler

[tym83]

Summary

Two security issues found during review of #3, both in the existing telemetry ingestion handler:

• Memory exhaustion (DoS): io.ReadAll(r.Body) had no size limit — any client could POST an arbitrarily large body and exhaust pod memory. Fixed with http.MaxBytesReader capped at 10 MB.
• Prometheus label injection: X-Cluster-ID header value was used directly as a Prometheus label value without validation. A value containing ", \n, or } would corrupt the text-format output forwarded to VictoriaMetrics (e.g. X-Cluster-ID: foo",injected="bar would produce broken metrics). Fixed by validating the header against [a-zA-Z0-9._-] (max 253 chars, matching Kubernetes naming rules) and rejecting with 400 otherwise.

Test plan

• POST with a body > 10 MB returns 413
• POST with X-Cluster-ID: foo"bar returns 400
• POST with X-Cluster-ID: valid-cluster.name_01 is accepted as before

🤖 Generated with Claude Code

Summary by CodeRabbit

• Bug Fixes
  • Implemented a 10 MB size limit for incoming telemetry request bodies to prevent resource exhaustion.
  • Enhanced cluster ID header validation with stricter format requirements and more descriptive error messages for invalid or missing values.
  • Improved error handling to gracefully manage oversized requests.

[coderabbitai]

Caution

Review failed

Pull request was closed or merged during review

📝 Walkthrough

Walkthrough

The main.go file adds telemetry request validation and safety constraints. A 10 MB body size limit is enforced via http.MaxBytesReader, a isValidClusterID function validates the X-Cluster-ID header using alphanumeric and specific special character rules, and error handling now detects and logs oversized request bodies with the errors package.

Changes

Cohort / File(s)	Summary
Telemetry Request Safety main.go	Added maxTelemetryBodySize constant and http.MaxBytesReader to limit incoming request bodies to 10 MB. Introduced isValidClusterID() to validate X-Cluster-ID header format (rejects empty, >253 chars, invalid characters). Enhanced error handling with errors.As() to detect http.MaxBytesError and log early exits. Updated handleTelemetry validation to reject invalid or missing cluster IDs.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 Hops with glee, a guardian's care,
Bounds are set with validation fair,
Ten megs max, no oversized feast,
Cluster IDs checked (at the least),
Safety guards our telemetry streams! 🛡️

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main security fixes in the changeset: body DoS prevention via MaxBytesReader and Prometheus label injection prevention via X-Cluster-ID validation.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request introduces a 10MB limit on telemetry request bodies and adds validation for the X-Cluster-ID header to prevent injection. The review feedback identifies a bug where exceeding the body size limit results in redundant error responses and suggests handling *http.MaxBytesError specifically. Additionally, it recommends using a regular expression for header validation to improve code idiomaticity and maintainability.

[gemini-code-assist]

Using http.MaxBytesReader is correct for limiting the request body size. However, the error handling for io.ReadAll on the subsequent lines is now incomplete. When the size limit is exceeded, io.ReadAll returns a *http.MaxBytesError. The http.Server automatically sends a 413 response in this case. The current code at lines 144-147 will then attempt to write another error response, which will cause a superfluous response.WriteHeader error log on the server.

You should specifically check for *http.MaxBytesError and return without writing another response.

body, err := io.ReadAll(r.Body)
if err != nil {
    var maxBytesErr *http.MaxBytesError
    if errors.As(err, &maxBytesErr) {
        // http.Server automatically sends a 413 response.
        // We don't need to write another error, just log and return.
        log.Printf("Request rejected: body exceeded %d bytes limit", maxBytesErr.Limit)
        return
    }
    log.Printf("Error reading request body: %v", err)
    http.Error(w, fmt.Sprintf("Error reading request: %v", err), http.StatusBadRequest)
    return
}

You will also need to import the errors package.

[gemini-code-assist]

For validating string formats like this, using a compiled regular expression is a common and idiomatic approach in Go. It's more declarative and can be easier to read and maintain than manual character-by-character iteration.

Consider replacing this function with a regex-based implementation for better readability and maintainability:

// At package level, to compile once:
// var isValidClusterIDRegexp = regexp.MustCompile(`^[a-zA-Z0-9._-]{1,253}$`)

func isValidClusterID(s string) bool {
	// Assumes isValidClusterIDRegexp is defined at package level
	// and 'regexp' package is imported.
	return isValidClusterIDRegexp.MatchString(s)
}

This would make the validation logic more concise and align with common Go practices for this type of task. You would need to add an import for the regexp package.