
Add buf.validate constraints for payload sizes and field bounds #4

@lanycrost

Description

Problem statement

The proto definitions contain no validation constraints despite having fields that clearly require bounds checking. No buf.validate or protovalidate integration is present. All validation is deferred to runtime implementations, which may be inconsistent across the SDK, operator, and hub.

Key unbounded fields:

  • AudioFrame.pcm, VideoFrame.payload, BinaryFrame.payload: bytes with no size limit
  • metadata maps — no key/value count limit
  • transports, partition_acks — unbounded repeated fields
  • AudioFrame.sample_rate_hz, AudioFrame.channels — signed int32 allowing negative values
  • StreamEnvelope.chunk_index — no constraint relative to chunk_count

Proposed change

  1. Add buf.validate dependency to buf.yaml:

       deps:
         - buf.build/bufbuild/protovalidate

  2. Add constraints to proto fields:

       import "buf/validate/validate.proto";

       message AudioFrame {
         bytes pcm = 1 [(buf.validate.field).bytes.max_len = 10485760]; // 10MB
         int32 sample_rate_hz = 2 [(buf.validate.field).int32 = {gte: 8000, lte: 192000}];
         int32 channels = 3 [(buf.validate.field).int32 = {gte: 1, lte: 8}];
         string codec = 4 [(buf.validate.field).string.max_len = 32];
         uint64 timestamp_ms = 5;
       }

       message DataRequest {
         map<string, string> metadata = 4 [(buf.validate.field).map.max_pairs = 100];
         repeated TransportDescriptor transports = 7 [(buf.validate.field).repeated.max_items = 10];
       }

  3. Apply similar constraints to VideoFrame, BinaryFrame, FlowControl.partition_acks, StreamEnvelope fields.
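The chunk_index / chunk_count relationship listed above cannot be expressed with a per-field rule, so as an added example (not part of the issue or the repository's proto files) here is how a message-level CEL rule in buf.validate covers it, next to a size-bounded BinaryFrame. The package name, field numbers, field types and the reuse of the 10MB ceiling are assumptions.

```proto
syntax = "proto3";

package example.v1; // assumed package name

import "buf/validate/validate.proto";

// Assumed shape of BinaryFrame: an opaque payload plus a content type.
message BinaryFrame {
  // Same 10MB ceiling the issue proposes for AudioFrame.pcm.
  bytes payload = 1 [(buf.validate.field).bytes.max_len = 10485760];
  string content_type = 2 [(buf.validate.field).string.max_len = 128];
}

// Assumed shape of StreamEnvelope: chunk position fields plus one frame.
message StreamEnvelope {
  // Message-level CEL rule: a per-field rule cannot reference a sibling
  // field, so the chunk_index < chunk_count relationship is declared here
  // and is evaluated by the protovalidate runtime on every message.
  option (buf.validate.message).cel = {
    id: "stream_envelope.chunk_index_in_range"
    message: "chunk_index must be less than chunk_count"
    expression: "this.chunk_index < this.chunk_count"
  };

  // Unsigned types remove the negative-value problem noted for the int32
  // fields; gte 1 rejects an envelope that claims a zero-chunk stream.
  uint32 chunk_count = 1 [(buf.validate.field).uint32.gte = 1];
  uint32 chunk_index = 2;
  BinaryFrame frame = 3;
}
```

A message that fails the CEL rule is reported by protovalidate under the `id` above, which is what makes the rejection traceable in SDK, operator and hub logs alike.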

Affected area

  • Proto definitions
  • Envelope helpers
  • Generated bindings

Compatibility / migration

Adding validation is additive — existing valid payloads will continue to pass. Payloads that exceed new bounds were never intended to be valid. Downstream consumers need to integrate protovalidate runtime to enforce constraints.

Additional context

The core templating layer enforces maxTemplateValidationJSONBytes = 1MB, but the proto layer that feeds data into it has no equivalent limits. Defense-in-depth requires validation at the contract layer. Identified during security review.

Metadata

Labels

  • area/proto: Proto definitions, message design, or wire compatibility work.
  • good first issue: Small, well-scoped tasks for new contributors.
  • help wanted: Looking for community contributions.
  • kind/feature: New functionality or enhancement request.
  • priority/high: Important issue to schedule soon.
