PATTERN Cited by 1 source
Harden ingestion of internal config
Apply the same input-validation discipline to internally generated configuration files that you apply to user-submitted input. Treat every input to a hot-path module as untrusted regardless of provenance.
The pattern
At the module boundary that loads a config file / feature file / rule set:
- Validate size / dimensions. Byte count, row count, feature count, rule count — whatever the downstream preallocated buffer is sized for. See concepts/feature-file-size-limit / concepts/preallocated-memory-budget.
- Validate shape / schema. Types, required fields, value ranges, enumerated sets.
- Validate cross-field invariants. Relationships the downstream logic depends on.
- On violation: fail open. Log, alert, and serve the previous known-good version. See concepts/fail-open-vs-fail-closed.
- Never load directly into the preallocated buffer. Validate on a staging copy; swap pointers only on validation success.
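An added example, not code from this wiki or from Cloudflare, showing the five steps above in Rust for a constructed line-based feature file (a `version=<n>` header followed by `name,weight` rows). The file format, the `MAX_FEATURES` cap, and every type and function name are assumptions made for the illustration; the point is that a doubled-row or oversized file is rejected on a staging copy and the previous known-good version keeps being served, instead of a bounds check panicking in the hot path.

```rust
use std::collections::HashSet;
use std::sync::{Arc, RwLock};

/// Stands in for the size the downstream preallocated buffer was built for.
/// Constructed value for this example, not a real limit from any system.
pub const MAX_FEATURES: usize = 200;

#[derive(Debug, Clone, PartialEq)]
pub struct Feature {
    pub name: String,
    pub weight: f64,
}

#[derive(Debug, Clone, PartialEq)]
pub struct FeatureFile {
    pub version: u64,
    pub features: Vec<Feature>,
}

#[derive(Debug, PartialEq)]
pub enum ValidationError {
    MissingHeader,
    TooManyRows { rows: usize, max: usize },
    MalformedRow(usize),
    WeightOutOfRange(String, f64),
    DuplicateName(String),
}

/// Parse and validate into a staging copy. Nothing here touches live config.
pub fn parse_feature_file(text: &str) -> Result<FeatureFile, ValidationError> {
    let mut lines = text.lines();
    let version = lines
        .next()
        .and_then(|l| l.strip_prefix("version="))
        .and_then(|v| v.trim().parse::<u64>().ok())
        .ok_or(ValidationError::MissingHeader)?;
    let rows: Vec<&str> = lines.filter(|l| !l.trim().is_empty()).collect();

    // Step 1: size check first, before any per-row work is done.
    if rows.len() > MAX_FEATURES {
        return Err(ValidationError::TooManyRows { rows: rows.len(), max: MAX_FEATURES });
    }

    let mut seen = HashSet::new();
    let mut features = Vec::with_capacity(rows.len());
    for (i, row) in rows.iter().enumerate() {
        // Step 2: shape. Exactly "name,weight", weight a float in [0, 1].
        let mut parts = row.splitn(2, ',');
        let name = parts
            .next()
            .map(str::trim)
            .filter(|s| !s.is_empty())
            .ok_or(ValidationError::MalformedRow(i + 2))?;
        let weight: f64 = parts
            .next()
            .map(str::trim)
            .and_then(|w| w.parse().ok())
            .ok_or(ValidationError::MalformedRow(i + 2))?;
        if !(0.0..=1.0).contains(&weight) {
            return Err(ValidationError::WeightOutOfRange(name.to_string(), weight));
        }
        // Step 3: cross-field invariant. Names must be unique, so a generator
        // that emits every row twice is caught here even if it fits the cap.
        if !seen.insert(name.to_string()) {
            return Err(ValidationError::DuplicateName(name.to_string()));
        }
        features.push(Feature { name: name.to_string(), weight });
    }
    Ok(FeatureFile { version, features })
}

/// The slot the hot path reads from. Swapped as a whole, never mutated in place.
pub struct ConfigSlot {
    current: RwLock<Arc<FeatureFile>>,
}

impl ConfigSlot {
    pub fn new(initial: FeatureFile) -> Self {
        ConfigSlot { current: RwLock::new(Arc::new(initial)) }
    }

    /// Step 4 and 5: validate the staging copy; only on success swap the pointer.
    /// On any error the previous known-good file stays live (fail open) and the
    /// error is returned so the caller can log and alert.
    pub fn try_reload(&self, text: &str) -> Result<u64, ValidationError> {
        let staged = parse_feature_file(text)?;
        // A poisoned lock still holds a valid Arc; recover it rather than panic.
        let mut guard = self.current.write().unwrap_or_else(|e| e.into_inner());
        *guard = Arc::new(staged);
        Ok(guard.version)
    }

    /// Cheap snapshot for request handling: one Arc clone, no copy of the data.
    pub fn snapshot(&self) -> Arc<FeatureFile> {
        self.current.read().unwrap_or_else(|e| e.into_inner()).clone()
    }
}

fn main() {
    // Constructed sample inputs.
    let good = "version=1\nbot_score,0.5\nasn_rep,0.2\n";
    let doubled = "version=2\nbot_score,0.5\nbot_score,0.5\nasn_rep,0.2\nasn_rep,0.2\n";
    let slot = ConfigSlot::new(parse_feature_file(good).expect("initial file is valid"));
    match slot.try_reload(doubled) {
        Ok(v) => println!("installed version {}", v),
        Err(e) => println!("rejected: {:?}; still serving version {}", e, slot.snapshot().version),
    }
}
```

The size check runs before any row is parsed so an oversized file costs almost nothing to reject, and the duplicate-name invariant catches the doubled-rows failure mode even when the doubled file would still fit the cap.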
Why it's load-bearing
The generator and the consumer usually live on different teams, with implicit coupling through the config payload. Three systems removed, a correct migration in system X (e.g., ClickHouse permissions) can shift the shape of a payload generated by system Y and consumed by system Z. Neither X's team nor Y's nor Z's catches it at review time.
Captured explicitly as a concept: concepts/internally-generated-untrusted-input.
Canonical instance
sources/2025-11-18-cloudflare-outage-on-november-18-2025 — a correct ClickHouse permission migration caused the feature-file generator to emit a file with doubled rows. The Bot Management FL2 module's .unwrap() bounds-check panicked; every request 5xx'd. Cloudflare's stated #1 remediation:
"Hardening ingestion of Cloudflare-generated configuration files in the same way we would for user-generated input."
Compositional companions
- patterns/progressive-configuration-rollout — bounds how fast bad config reaches the fleet.
- patterns/global-feature-killswitch — orthogonal fast-off lever when ingestion discipline failed.
- patterns/fast-rollback — revert path once bad config is identified.
These four patterns compose into a defense-in-depth posture for rapid-response configuration delivery at scale.
Seen in
- sources/2025-11-18-cloudflare-outage-on-november-18-2025 — canonical wiki instance (as stated remediation, not yet deployed).