
PATTERN Cited by 1 source

Harden ingestion of internal config

Apply the same input-validation discipline to internally generated configuration files that you apply to user-submitted input. Treat every input to a hot-path module as untrusted, regardless of its provenance.

The pattern

At the module boundary that loads a config file / feature file / rule set:

  1. Validate size / dimensions. Byte count, row count, feature count, rule count — whatever the downstream preallocated buffer is sized for. See concepts/feature-file-size-limit / concepts/preallocated-memory-budget.
  2. Validate shape / schema. Types, required fields, value ranges, enumerated sets.
  3. Validate cross-field invariants. Relationships the downstream logic depends on.
  4. On violation: fail open. Log, alert, and serve the previous known-good version. See concepts/fail-open-vs-fail-closed.
  5. Never load directly into the preallocated buffer. Validate on a staging copy; swap pointers only on validation success.
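The five steps above as one loader, written here as an added example rather than code from the Cloudflare incident or the FL2 module. The line-based feature-file format, the `MAX_FEATURES` budget and the `Loader` type are assumptions made for the example; validation runs on a staging copy and the active pointer is swapped only on success.

```rust
use std::sync::Arc;
/// Constructed budget: the number of features the hot path's preallocated buffer holds.
pub const MAX_FEATURES: usize = 4;

#[derive(Debug, PartialEq)]
pub struct FeatureConfig { pub version: u64, pub features: Vec<(String, f64)> }
#[derive(Debug, PartialEq)]
pub enum ConfigError { TooManyRows(usize), BadLine(usize), WeightOutOfRange(usize), DuplicateName(String) }

/// Steps 1-3 on a staging copy: size, then schema, then cross-field invariants.
/// Payload format is constructed: "version=<n>" header, then one "name,weight" row per line.
pub fn validate(raw: &str) -> Result<FeatureConfig, ConfigError> {
    // 1. Size: reject before parsing anything, so a doubled file never reaches the buffer.
    let rows = raw.lines().count().saturating_sub(1);
    if rows > MAX_FEATURES { return Err(ConfigError::TooManyRows(rows)); }
    // 2. Schema: header shape, then each row parses as "name,weight" with weight in [0, 1]
    //    (a NaN weight fails the range check, so it is rejected too).
    let mut lines = raw.lines().enumerate();
    let version = lines.next()
        .and_then(|(_, h)| h.strip_prefix("version=")?.parse::<u64>().ok())
        .ok_or(ConfigError::BadLine(1))?;
    let mut features: Vec<(String, f64)> = Vec::with_capacity(MAX_FEATURES);
    for (i, line) in lines {
        let (name, w) = line.split_once(',').ok_or(ConfigError::BadLine(i + 1))?;
        let weight: f64 = w.trim().parse().map_err(|_| ConfigError::BadLine(i + 1))?;
        if !(0.0..=1.0).contains(&weight) { return Err(ConfigError::WeightOutOfRange(i + 1)); }
        // 3. Cross-field: feature names must be unique, or the scorer double-counts them.
        let name = name.trim();
        if features.iter().any(|(n, _)| n.as_str() == name) {
            return Err(ConfigError::DuplicateName(name.to_string()));
        }
        features.push((name.to_string(), weight));
    }
    Ok(FeatureConfig { version, features })
}

/// Owns the active config; hot-path readers clone the Arc, so they never observe a partial load.
pub struct Loader { active: Arc<FeatureConfig> }
impl Loader {
    pub fn new(initial: FeatureConfig) -> Self { Loader { active: Arc::new(initial) } }
    pub fn active(&self) -> Arc<FeatureConfig> { Arc::clone(&self.active) }
    /// Steps 4-5: swap the pointer only on success; on failure keep the known-good version
    /// and report it (eprintln! stands in for the real log/alert path).
    pub fn reload(&mut self, raw: &str) -> Result<u64, ConfigError> {
        match validate(raw) {
            Ok(staged) => { self.active = Arc::new(staged); Ok(self.active.version) }
            Err(e) => { eprintln!("config rejected, keeping v{}: {:?}", self.active.version, e); Err(e) }
        }
    }
}
```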

Why it's load-bearing

The generator and the consumer usually live on different teams, with implicit coupling through the config payload. Three systems removed, a correct migration in system X (e.g., ClickHouse permissions) can shift the shape of a payload generated by system Y and consumed by system Z. Neither X's team nor Y's nor Z's catches it at review time.

Captured explicitly as a concept: concepts/internally-generated-untrusted-input.

Canonical instance

sources/2025-11-18-cloudflare-outage-on-november-18-2025 — a correct ClickHouse permission migration caused the feature-file generator to emit a file with doubled rows. The Bot Management FL2 module's .unwrap() bounds check panicked, and every request 5xx'd. Cloudflare's stated #1 remediation:

Hardening ingestion of Cloudflare-generated configuration files in the same way we would for user-generated input.

Compositional companions

These four patterns compose into a defense-in-depth posture for rapid-response configuration delivery at scale.

Seen in
