egress: optional max-request-size policy (block | noscan) for DLP body scanning #311
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Summary
Add an optional, explicit per-manifest egress control for how the DLP scanner handles oversized request bodies. Default behavior stays: scan all bodies regardless of size.
Motivation
DLP body scanning is
O(body size). Today there is no escape hatch for pathologically large bodies. We considered silently capping the scan length, but that quietly weakens DLP coverage, which is the wrong default.Reasoning on why scanning large bodies by default is fine:
So the default must be "scan everything." But there's still a legitimate need for an explicit operator-set cutoff (perf ceilings, or a hard size policy), and making it explicit beats a hidden magic number.
Proposed design
Add a max-request-size control to the
egresssection of the manifest (global and/or per-route — TBD during design):max_request_bytes: <int>— threshold above which the policy applies.on_oversize: block | noscan— what to do when a body exceeds the threshold:block— hard 403 (fail closed; safest).noscan— forward without DLP scanning (explicit, opt-in risk acceptance).Default: unset → scan all bodies, no cutoff (current behavior).
Open questions
noscanstill apply structural checks (CRLF) and the cheap token-pattern regex, skipping only the expensive known-secret projection passes?dlp.outbound_on_match?Acceptance criteria
blockreturns a hard 403 for oversize bodies;noscanforwards them with scanning skipped per the resolved policy.