
vault: validate encrypted value size in request validator #21760

Open
prashantkumar1982 wants to merge 2 commits into release/2.40.0 from codex/vault-encrypted-value-size-validation-2.40.0

Conversation

@prashantkumar1982
Contributor

Summary

  • enforce VaultCiphertextSizeLimit in the Vault request validator for create/update requests
  • reject oversized EncryptedValue payloads before label verification
  • add validator unit tests covering boundary and oversized ciphertext cases

Testing

  • go test ./core/capabilities/vault ./core/services/gateway/handlers/vault
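To illustrate the ordering the summary describes (the ciphertext size bound is enforced before label verification, so an oversized EncryptedValue is rejected without any further inspection), here is a small self-contained Go validator. This is an added example and not code from this PR or from the repository: the EncryptedValue and CreateRequest fields, the RequestValidator type and the ExampleCiphertextSizeLimit constant are all assumptions; the real bound is cresettings.Default.VaultCiphertextSizeLimit and is not reproduced here.

```go
package main

import (
	"errors"
	"fmt"
)

// ExampleCiphertextSizeLimit is a constructed bound for this example. The real
// limit comes from cresettings.Default.VaultCiphertextSizeLimit and is not
// reproduced here.
const ExampleCiphertextSizeLimit = 64

var (
	ErrCiphertextTooLarge = errors.New("encrypted value ciphertext exceeds size limit")
	ErrLabelMismatch      = errors.New("encrypted value label does not match the request")
)

// EncryptedValue is a hypothetical stand-in for the payload type named in the
// PR summary: an opaque ciphertext plus the label it was encrypted under.
type EncryptedValue struct {
	Label      string
	Ciphertext []byte
}

// CreateRequest is a hypothetical create/update request carrying one value.
type CreateRequest struct {
	ID            string
	ExpectedLabel string
	Value         EncryptedValue
}

// RequestValidator holds the configured upper bound on ciphertext bytes.
type RequestValidator struct {
	maxCiphertextBytes int
}

func NewRequestValidator(maxCiphertextBytes int) *RequestValidator {
	return &RequestValidator{maxCiphertextBytes: maxCiphertextBytes}
}

// ValidateCreate applies the cheap length bound before the label check, so an
// oversized payload is rejected without any further inspection of its content.
// A ciphertext of exactly the limit is accepted (inclusive bound).
func (v *RequestValidator) ValidateCreate(req CreateRequest) error {
	if n := len(req.Value.Ciphertext); n > v.maxCiphertextBytes {
		return fmt.Errorf("request %q: %w (%d bytes > %d byte limit)",
			req.ID, ErrCiphertextTooLarge, n, v.maxCiphertextBytes)
	}
	if req.Value.Label != req.ExpectedLabel {
		return fmt.Errorf("request %q: %w", req.ID, ErrLabelMismatch)
	}
	return nil
}

// ValidateBatch checks every request and returns the first failure, so a
// batch containing one oversized value is rejected as a whole.
func (v *RequestValidator) ValidateBatch(reqs []CreateRequest) error {
	for _, r := range reqs {
		if err := v.ValidateCreate(r); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	v := NewRequestValidator(ExampleCiphertextSizeLimit)
	// Constructed inputs: one at the boundary, one over it, one with a bad label.
	reqs := []CreateRequest{
		{ID: "at-limit", ExpectedLabel: "v1", Value: EncryptedValue{Label: "v1", Ciphertext: make([]byte, ExampleCiphertextSizeLimit)}},
		{ID: "too-big", ExpectedLabel: "v1", Value: EncryptedValue{Label: "v1", Ciphertext: make([]byte, ExampleCiphertextSizeLimit+1)}},
		{ID: "bad-label", ExpectedLabel: "v1", Value: EncryptedValue{Label: "v0", Ciphertext: []byte("short")}},
	}
	for _, r := range reqs {
		fmt.Printf("%s: %v\n", r.ID, v.ValidateCreate(r))
	}
}
```

The boundary case (exactly the limit) passes and limit+1 fails, which is the pair of cases the summary says the new unit tests cover; the sentinel errors let a caller distinguish a size rejection from a label failure with errors.Is.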

@github-actions
Contributor

github-actions bot commented Mar 27, 2026

✅ No conflicts with other open PRs targeting release/2.40.0

@github-actions
Contributor

I see you updated files related to core. Please run make gocs in the root directory to add a changeset, and include in its text at least one of the following tags:

  • #added For any new functionality added.
  • #breaking_change For any functionality that requires manual action for the node to boot.
  • #bugfix For bug fixes.
  • #changed For any change to the existing functionality.
  • #db_update For any feature that introduces updates to database schema.
  • #deprecation_notice For any upcoming deprecation functionality.
  • #internal For changesets that need to be excluded from the final changelog.
  • #nops For any feature that is NOP facing and needs to be in the official Release Notes for the release.
  • #removed For any functionality/config that is removed.
  • #updated For any functionality that is updated.
  • #wip For any change that is not ready yet and external communication about it should be held off till it is feature complete.

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 06563543e1

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

if err != nil {
return nil, fmt.Errorf("could not create request batch size limiter: %w", err)
}
ciphertextLimiter, err := limits.MakeUpperBoundLimiter(limitsFactory, cresettings.Default.VaultCiphertextSizeLimit)
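Review bot: the bound handed to limits.MakeUpperBoundLimiter is cresettings.Default.VaultCiphertextSizeLimit, the package default, so if the ciphertext limit is meant to be overridable per deployment or per tenant, confirm that the factory resolves overrides on top of that default rather than freezing the default value at construction, and add a short comment at this call stating which it is so the next reader does not have to trace it.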

P2: Close ciphertext limiter in vault capability lifecycle

NewCapability now creates a ciphertextLimiter, but Capability.Close() still only closes MaxRequestBatchSizeLimiter; this leaves the new limiter open for the lifetime of each start/stop cycle. In deployments where limiters maintain background state (tenant maps/watchers), repeated capability restarts will accumulate leaked resources and stale limit subscriptions. Please close MaxCiphertextLengthLimiter alongside the existing limiter in Close().

Useful? React with 👍 / 👎.

if err != nil {
return nil, fmt.Errorf("could not create request batch size limiter: %w", err)
}
ciphertextLimiter, err := limits.MakeUpperBoundLimiter(limitsFactory, cresettings.Default.VaultCiphertextSizeLimit)

P2: Close ciphertext limiter when vault gateway handler stops

NewHandler now allocates a ciphertextLimiter, but handler.Close() still only closes writeMethodsEnabled and MaxRequestBatchSizeLimiter. That means every handler restart can leak the newly added limiter instance and any associated internal state, which is especially problematic for long-running nodes that reload handlers. Add MaxCiphertextLengthLimiter.Close() to the shutdown join.

Useful? React with 👍 / 👎.

@prashantkumar1982 prashantkumar1982 enabled auto-merge (squash) March 27, 2026 21:01
@trunk-io

trunk-io bot commented Mar 27, 2026



@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 26a1afb6f0

Comment on lines +415 to +417
ciphertextLimiter, err := limits.MakeUpperBoundLimiter(limitsFactory, cresettings.Default.VaultCiphertextSizeLimit)
if err != nil {
return nil, fmt.Errorf("could not create ciphertext size limiter: %w", err)
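Review bot: the error text here says "ciphertext size limiter", the setting it reads is VaultCiphertextSizeLimit, and the field the earlier comment asks you to close is named MaxCiphertextLengthLimiter; pick either "size" or "length" and use it for the field, the setting and the message so that a log search for the failure lands on the field that owns the limiter, for example keep this message and rename the field to MaxCiphertextSizeLimiter.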

P2: Close batch limiter on ciphertext limiter init failure

When MakeUpperBoundLimiter fails here, NewCapability returns without closing the already-created request batch limiter. Since these limiters are closable and may hold settings/watcher state, repeated startup retries can accumulate leaked resources. Close limiter on this error path before returning.

Useful? React with 👍 / 👎.

Comment on lines +200 to +202
ciphertextLimiter, err := limits.MakeUpperBoundLimiter(limitsFactory, cresettings.Default.VaultCiphertextSizeLimit)
if err != nil {
return nil, fmt.Errorf("could not create ciphertext size limiter: %w", err)

P2: Close batch limiter if ciphertext limiter creation fails

This early return leaks the request batch limiter created just above when ciphertext limiter construction errors. In environments that retry handler initialization, this can leave stale limiter resources subscribed across attempts. Close the previously allocated limiter before returning this error.

Useful? React with 👍 / 👎.

