CONCEPT Cited by 1 source
Internally-generated untrusted input¶
A trust-boundary confusion where an engineering org treats data it generated itself (config files, feature files, topology snapshots, dynamic rule updates) as implicitly trusted — and therefore skips the input-validation discipline it applies rigorously to user-submitted input.
The intuition is "we wrote the generator, so the output is safe." The failure mode is that the generator's output depends transitively on inputs from other systems — schema migrations, database permission changes, upstream library updates — which are not under the consuming module's control and can shift silently.
The Cloudflare framing¶
Cloudflare's stated #1 remediation project from 2025-11-18:
Hardening ingestion of Cloudflare-generated configuration files in the same way we would for user-generated input.
The posture is an explicit acknowledgement that the trust boundary had been drawn in the wrong place: the correct model is that every input to a hot-path module is untrusted, regardless of provenance. The generator lives across a team boundary (or several) from the consumer; the coupling is implicit and undocumented; the invariants the consumer depends on are typically discovered only when production violates them.
Canonical instance¶
sources/2025-11-18-cloudflare-outage-on-november-18-2025 — Bot Management's feature file was internally generated from a ClickHouse query. The ClickHouse team shipped a correct, defensive permission migration. The feature-file generator's implicit assumption ("this query only returns default-database rows") silently became false: the query now returned duplicate rows, and the doubled file exceeded the FL2 bots module's preallocated 200-feature buffer and triggered a .unwrap() panic. Roughly three hours of outage.
Validation discipline¶
- Size bounds: validate payload dimensions (row count, byte count, feature count) against module capacity before the load reaches the preallocated buffer.
- Shape / schema checks: types, required fields, value ranges, enumerated sets.
- Cross-field invariants: relationships between fields that downstream logic assumes.
- Fallback to known-good: on violation, reject the new file, log the violation, alert operators, and keep serving the last file that passed validation. For availability-critical modules, continuing on stale-but-valid configuration is the right default; the choice between failing open and failing closed should still be made explicitly per module, and the age of the active file should itself be monitored so a silently stuck fallback does not become permanent.
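The four checks above, as one added Rust example (not Cloudflare's code and not the FL2 module's real loader): a hypothetical line-based feature-file format with a `count=` header, a `MAX_FEATURES` capacity mirroring the 200-feature buffer, the trusting loader that `unwrap()`s beside a hardened one that returns errors, and a known-good fallback with a reject counter. The format, type names, helper functions and sample data are assumptions constructed for this example.

```rust
// Added example, not Cloudflare code: a loader for an internally generated feature
// file feeding a fixed-capacity consumer. Hypothetical file format: a "count=<n>"
// header, then one "<feature_id>,<weight>" row per feature, weight in [0.0, 1.0].
use std::collections::HashSet;
/// Capacity of the consumer's preallocated buffer (the incident's 200 limit).
pub const MAX_FEATURES: usize = 200;

#[derive(Debug, Clone, PartialEq)]
pub struct Feature { pub id: String, pub weight: f32 }

#[derive(Debug, PartialEq)]
pub enum LoadError {
    TooManyRows { got: usize, max: usize },
    CountMismatch { declared: usize, actual: usize },
    MalformedHeader, BadRow(usize), WeightOutOfRange(String), DuplicateId(String),
}

/// Stands in for the preallocated buffer: overflow is an error, the exact value the incident's caller unwrap()ed.
pub fn fill_buffer(features: Vec<Feature>) -> Result<Vec<Feature>, LoadError> {
    match features.len() {
        n if n > MAX_FEATURES => Err(LoadError::TooManyRows { got: n, max: MAX_FEATURES }),
        _ => Ok(features),
    }
}

/// The failed pattern: the file is "ours", so unwrap() the parse and the buffer fill. A doubled file panics the worker.
pub fn load_trusting(raw: &str) -> Vec<Feature> {
    let features = raw.lines().skip(1).map(|l| {
        let (id, w) = l.split_once(',').unwrap();
        Feature { id: id.to_string(), weight: w.parse().unwrap() }
    }).collect();
    fill_buffer(features).unwrap()
}

/// Hardened: size, shape, range and cross-field invariants are checked before anything reaches the buffer.
pub fn validate(raw: &str) -> Result<Vec<Feature>, LoadError> {
    // Size bound first, on the raw payload, before a single row is parsed.
    let row_count = raw.lines().count().saturating_sub(1);
    if row_count > MAX_FEATURES {
        return Err(LoadError::TooManyRows { got: row_count, max: MAX_FEATURES });
    }
    let (header, rows) = raw.split_once('\n').ok_or(LoadError::MalformedHeader)?;
    let declared: usize = header.strip_prefix("count=")
        .and_then(|n| n.trim().parse().ok())
        .ok_or(LoadError::MalformedHeader)?;
    let mut seen = HashSet::new();
    let mut features = Vec::with_capacity(row_count);
    for (i, line) in rows.lines().enumerate() {
        let (id, w) = line.split_once(',').ok_or(LoadError::BadRow(i + 2))?;
        let weight: f32 = w.trim().parse().map_err(|_| LoadError::BadRow(i + 2))?;
        if !(0.0..=1.0).contains(&weight) { // value range; NaN fails this too
            return Err(LoadError::WeightOutOfRange(id.to_string()));
        }
        // Cross-field: ids are unique, so a doubled file that still fit under MAX_FEATURES is caught here.
        if !seen.insert(id.to_string()) {
            return Err(LoadError::DuplicateId(id.to_string()));
        }
        features.push(Feature { id: id.to_string(), weight });
    }
    // Cross-field: the header's count matches the rows actually present.
    if declared != features.len() {
        return Err(LoadError::CountMismatch { declared, actual: features.len() });
    }
    fill_buffer(features)
}

/// Module state: the last set that passed validation, plus a reject counter to alert on.
pub struct BotFeatures { pub active: Vec<Feature>, pub consecutive_rejects: u32 }

impl BotFeatures {
    /// Fallback to known-good: a rejected file is logged and counted while the
    /// previously validated set keeps serving.
    pub fn reload(&mut self, raw: &str) -> Result<(), LoadError> {
        let features = validate(raw).map_err(|e| {
            self.consecutive_rejects += 1;
            eprintln!("feature file rejected ({:?}); still serving {} features", e, self.active.len());
            e
        })?;
        self.active = features;
        self.consecutive_rejects = 0;
        Ok(())
    }
}

/// Constructed sample input: `n` well-formed rows, emitted twice when `doubled` (every row from two databases).
pub fn sample_file(n: usize, doubled: bool) -> String {
    let rows: Vec<String> = (0..n).map(|i| format!("f{},{:.2}", i, (i % 100) as f32 / 100.0)).collect();
    let copies = if doubled { 2 } else { 1 };
    let mut out = format!("count={}\n", n * copies);
    for _ in 0..copies { out.push_str(&rows.join("\n")); out.push('\n'); }
    out
}

fn main() {
    let mut module = BotFeatures { active: validate(&sample_file(60, false)).unwrap(), consecutive_rejects: 0 };
    module.reload(&sample_file(120, false)).expect("well-formed reload");
    let err = module.reload(&sample_file(120, true)).unwrap_err();
    println!("doubled file rejected: {:?}; still serving {} features", err, module.active.len());
    println!("trusting loader panicked: {}", std::panic::catch_unwind(|| load_trusting(&sample_file(120, true))).is_err());
}
```

Running `main()` shows the hardened path rejecting a constructed 240-row file and continuing to serve the 120 features that last passed validation, while the trusting loader panics on the same input. Two design points matter: the size bound is checked on the raw payload before any row is parsed, so nothing oversized is ever materialised near the buffer, and the reject counter is the thing to alert on, since a fallback that has quietly served a stale file for days is itself an incident.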
Seen in¶
- sources/2025-11-18-cloudflare-outage-on-november-18-2025 — canonical wiki instance.