
vault: validate encrypted value size in request validator #21756

Merged: prashantkumar1982 merged 1 commit into develop from codex/vault-encrypted-value-size-validation, Mar 27, 2026

Conversation

@prashantkumar1982 (Contributor) commented Mar 27, 2026

Summary

  • enforce VaultCiphertextSizeLimit in the Vault request validator for create/update requests
  • reject oversized EncryptedValue payloads before label verification
  • add validator unit tests covering boundary and oversized ciphertext cases

@github-actions commented:

👋 prashantkumar1982, thanks for creating this pull request!

To help reviewers, please consider creating future PRs as drafts first. This allows you to self-review and make any final changes before notifying the team.

Once you're ready, you can mark it as "Ready for review" to request feedback. Thanks!

@github-actions commented:

I see you updated files related to core. Please run make gocs in the root directory to add a changeset, and in its text include at least one of the following tags:

  • #added For any new functionality added.
  • #breaking_change For any functionality that requires manual action for the node to boot.
  • #bugfix For bug fixes.
  • #changed For any change to the existing functionality.
  • #db_update For any feature that introduces updates to database schema.
  • #deprecation_notice For any upcoming deprecation functionality.
  • #internal For changesets that need to be excluded from the final changelog.
  • #nops For any feature that is NOP facing and needs to be in the official Release Notes for the release.
  • #removed For any functionality/config that is removed.
  • #updated For any functionality that is updated.
  • #wip For any change that is not ready yet and external communication about it should be held off till it is feature complete.

@github-actions commented:

✅ No conflicts with other open PRs targeting develop

@chatgpt-codex-connector (bot) left a comment:

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: bcc73ae63c


if err != nil {
return nil, fmt.Errorf("could not create request batch size limiter: %w", err)
}
ciphertextLimiter, err := limits.MakeUpperBoundLimiter(limitsFactory, cresettings.Default.VaultCiphertextSizeLimit)
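Review bot: the err returned by limits.MakeUpperBoundLimiter on the last visible line is not checked within this excerpt; make sure the check that follows wraps it with a message naming this limiter ("could not create ciphertext size limiter") rather than reusing the "could not create request batch size limiter" wording of the check above, and if any later constructor step fails, close the limiters already created before returning so the error path does not leak them.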
P2: Close ciphertext limiter in capability teardown

The new ciphertextLimiter created for RequestValidator is never closed, while Close() only shuts down MaxRequestBatchSizeLimiter. In deployments where the capability is restarted (tests, reconfiguration, process lifecycle), this leaves the limiter's underlying resources/subscriptions alive and can accumulate goroutines or watchers over time. Add MaxCiphertextLengthLimiter.Close() to (*Capability).Close() alongside the existing limiter cleanup.


if err != nil {
return nil, fmt.Errorf("could not create request batch size limiter: %w", err)
}
ciphertextLimiter, err := limits.MakeUpperBoundLimiter(limitsFactory, cresettings.Default.VaultCiphertextSizeLimit)
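Review bot: this is the same four-line constructor sequence as in the capability excerpt above, now repeated in the gateway handler; the two call sites will also need matching Close paths, so consider pulling limiter creation (and the corresponding cleanup) into one shared helper so that adding a limiter in one place cannot silently leave the other place closing only MaxRequestBatchSizeLimiter.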
P2: Release ciphertext limiter in gateway handler close path

This adds a second limiter (ciphertextLimiter) to the handler's validator, but (*handler).Close() still only closes writeMethodsEnabled and MaxRequestBatchSizeLimiter. If the gateway handler is started/stopped repeatedly, the unclosed ciphertext limiter can leak internal limiter resources and degrade long-running processes. Include MaxCiphertextLengthLimiter.Close() in the errors.Join(...) cleanup list.

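To make concrete both the PR summary's check (oversized EncryptedValue payloads rejected before label verification, with the limit inclusive at the boundary) and the teardown the two Codex comments ask for (every limiter the validator owns is closed, with the errors joined), here is an added Go example written for this page. It is not code from this PR or from the project: the upperBoundLimiter type, the two limit constants, the request and EncryptedValue shapes, the label regex and the OpenLimiters counter are all hypothetical stand-ins for limits.MakeUpperBoundLimiter, cresettings.Default.VaultCiphertextSizeLimit and the real request types.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"sync/atomic"
)

// Assumed values standing in for the project's settings (not the real
// cresettings.Default values): a batch carries at most 10 items and one
// ciphertext is at most 4 KiB.
const (
	assumedMaxRequestBatchSize  = 10
	assumedVaultCiphertextLimit = 4096
)

var (
	ErrBatchTooLarge      = errors.New("request batch size limit exceeded")
	ErrCiphertextTooLarge = errors.New("encrypted value exceeds ciphertext size limit")
	ErrInvalidLabel       = errors.New("invalid secret label")
)

// openLimiters counts limiters created but not yet closed; it is the
// observable a test can use to catch the leak the review flagged.
var openLimiters atomic.Int32

// upperBoundLimiter is a hypothetical stand-in for the result of
// limits.MakeUpperBoundLimiter: it rejects values strictly greater than max
// and must be closed when its owner is torn down.
type upperBoundLimiter struct {
	max    int
	limErr error
	closed atomic.Bool
}

func newUpperBoundLimiter(max int, limErr error) *upperBoundLimiter {
	openLimiters.Add(1)
	return &upperBoundLimiter{max: max, limErr: limErr}
}

// Check wraps limErr with the offending size when n > max; n == max passes.
func (l *upperBoundLimiter) Check(n int) error {
	if n > l.max {
		return fmt.Errorf("%w: %d > %d", l.limErr, n, l.max)
	}
	return nil
}

// Close releases the limiter; a second Close is reported as an error.
func (l *upperBoundLimiter) Close() error {
	if !l.closed.CompareAndSwap(false, true) {
		return errors.New("limiter already closed")
	}
	openLimiters.Add(-1)
	return nil
}

// EncryptedValue and CreateSecretsRequest are simplified shapes assumed for
// this example; only the fields the validator needs are present.
type EncryptedValue struct {
	Label      string
	Ciphertext []byte
}

type CreateSecretsRequest struct {
	Items []EncryptedValue
}

var labelRe = regexp.MustCompile(`^[A-Za-z0-9_.-]{1,64}$`) // assumed label syntax

// RequestValidator enforces the batch-size and ciphertext-size limits before
// any per-item label verification runs.
type RequestValidator struct {
	MaxRequestBatchSizeLimiter *upperBoundLimiter
	MaxCiphertextLengthLimiter *upperBoundLimiter
	labelChecks                int // how many labels were verified; shows ordering
}

func NewRequestValidator() *RequestValidator {
	return &RequestValidator{
		MaxRequestBatchSizeLimiter: newUpperBoundLimiter(assumedMaxRequestBatchSize, ErrBatchTooLarge),
		MaxCiphertextLengthLimiter: newUpperBoundLimiter(assumedVaultCiphertextLimit, ErrCiphertextTooLarge),
	}
}

// ValidateCreate rejects an oversized batch, then any oversized ciphertext,
// and only then spends effort on label verification, so an attacker-sized
// payload never reaches the label path.
func (v *RequestValidator) ValidateCreate(req *CreateSecretsRequest) error {
	if err := v.MaxRequestBatchSizeLimiter.Check(len(req.Items)); err != nil {
		return err
	}
	for i, item := range req.Items {
		if err := v.MaxCiphertextLengthLimiter.Check(len(item.Ciphertext)); err != nil {
			return fmt.Errorf("item %d: %w", i, err)
		}
	}
	for i, item := range req.Items {
		v.labelChecks++
		if !labelRe.MatchString(item.Label) {
			return fmt.Errorf("item %d: %w", i, ErrInvalidLabel)
		}
	}
	return nil
}

// LabelChecks reports how many label verifications have run.
func (v *RequestValidator) LabelChecks() int { return v.labelChecks }

// Close tears down both limiters, joining their errors so a failure closing
// one never skips the other (the point of the two P2 comments above).
func (v *RequestValidator) Close() error {
	return errors.Join(
		v.MaxRequestBatchSizeLimiter.Close(),
		v.MaxCiphertextLengthLimiter.Close(),
	)
}

// OpenLimiters returns the number of limiters not yet closed.
func OpenLimiters() int32 { return openLimiters.Load() }

func main() {
	v := NewRequestValidator()
	defer v.Close()
	// Constructed inputs: one ciphertext exactly at the limit, one byte over.
	atLimit := &CreateSecretsRequest{Items: []EncryptedValue{{Label: "api-key", Ciphertext: make([]byte, assumedVaultCiphertextLimit)}}}
	fmt.Println("at limit:", v.ValidateCreate(atLimit))
	over := &CreateSecretsRequest{Items: []EncryptedValue{{Label: "bad label!", Ciphertext: make([]byte, assumedVaultCiphertextLimit+1)}}}
	fmt.Println("over limit:", v.ValidateCreate(over))
}
```

The second request in main carries both an oversized ciphertext and a malformed label; the error it gets back is the size error, and LabelChecks stays unchanged, which is the ordering the PR summary describes. A teardown test that asserts OpenLimiters() == 0 after Close() is the cheap way to keep the Close path honest when a third limiter is added later.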


@prashantkumar1982 prashantkumar1982 added this pull request to the merge queue Mar 27, 2026
Merged via the queue into develop with commit 1d3fb1d Mar 27, 2026
173 of 176 checks passed
@prashantkumar1982 prashantkumar1982 deleted the codex/vault-encrypted-value-size-validation branch March 27, 2026 20:45