Input validation and schema enforcement for Vault gRPC requests

[jh-lee-cryptolab]

Problem

No defense against MCP protocol manipulation attacks where malicious parameters are injected into Vault gRPC requests. When an agent is compromised via prompt injection, it can send abnormal parameters (excessive top_k, wrong types, malicious strings, etc.) to Vault.

Attack scenario

MCP protocol manipulation (malicious parameters)
→ Input validation + schema enforcement

Requirements

gRPC request validation

• Strict validation for all gRPC method input parameters
  • top_k: positive integer, enforce max value (per-user config or global max)
  • query vector: dimension count validation, value range validation (block NaN/Inf)
  • index_name: allow only permitted character patterns (alphanumeric + underscore)
  • String fields: enforce max length limits
• Reflect constraints at Protobuf schema level via protovalidate annotations
• Implement runtime validation as a gRPC interceptor (not scattered across individual method code)

Defense targets

• Integer overflow / underflow
• Empty vectors or vectors with abnormal dimensions
• Path traversal attempts via index name
• Excessively large requests (configure gRPC max message size)

Implementation approach

Two-layer validation via gRPC ServerInterceptor:

1. Proto-level (protovalidate) — constraints declared directly in .proto annotations:

   • token: string {min_len: 1, max_len: 512}
   • top_k: int32 {gte: 1, lte: 300}
   • encrypted_blob_b64: string {min_len: 1}
   • encrypted_metadata_list: repeated {min_items: 1, max_items: 1000, items: {string: {min_len: 1}}}

2. Runtime supplementary — checks not expressible in proto annotations:

   • Control character / null byte rejection in token
   • Leading/trailing whitespace rejection
   • Path traversal prevention for index names (future)

Affected files

• vault/proto/vault_service.proto — protovalidate annotations
• vault/proto/buf/validate/validate.proto — vendored protovalidate proto
• vault/buf/validate/validate_pb2.py — compiled protovalidate stubs
• vault/request_validator.py — runtime validation + protovalidate wrapper
• vault/validation_interceptor.py — gRPC ServerInterceptor
• vault/vault_grpc_server.py — interceptor registration
• vault/requirements.txt — protovalidate dependency
• vault/Dockerfile — new file COPY directives

Priority

High — Standard technique; first line of defense when an agent is compromised via prompt injection.

References

• protovalidate — proto-level validation via CEL annotations