[GDS] Add configurable validation limits for trust list file read/write operations

[Copilot]

Proposed changes

Trust list file operations lacked size validation, allowing unbounded memory allocation. Added configurable limits with overflow protection on both server and client sides, along with comprehensive tests to verify the validation logic.

Server-side (TrustList.cs)

• Added maxTrustListSize parameter (defaults to 1MB when config is 0)
• Track accumulated bytes via m_totalBytesProcessed during Read/Write operations
• Validate before each operation, return BadEncodingLimitsExceeded when exceeded
• All counter access protected by existing m_lock
• Changed default capacity from 64KB to 1MB for consistency

Server-side (ConfigurationNodeManager.cs)

• Pass MaxTrustListSize from application configuration to TrustList constructor

Client-side (GlobalDiscoveryServerClient.cs & ServerPushConfigurationClient.cs)

• Made trust list size limits configurable via optional maxTrustListSize parameter
• Both ReadTrustListAsync and UpdateTrustListAsync accept optional size limit parameter
• Default limit is 1MB when not specified (configurable per call)
• Validates during operations and throws ServiceResultException with BadEncodingLimitsExceeded when exceeded

Tests (TrustListValidationTest.cs)

• NormalSizeTrustListAsync: Verifies normal-sized trust lists work correctly
• WriteTrustListExceedsSizeLimitAsync: Verifies that oversized trust lists throw BadEncodingLimitsExceeded using dynamic size calculation
• TrustListJustUnderLimitAsync: Verifies boundary condition with trust lists at the exact limit
• ReadWriteWithCustomServerMaxTrustListSizeAsync: Comprehensive test validating both server and client-side limits with custom server configuration
• Added GetEncodedSize() helper method for accurate trust list size calculation in tests

Test Infrastructure Updates

• Updated GlobalDiscoveryTestServer to accept and configure maxTrustListSize
• Modified TestUtils.StartGDSAsync to support optional maxTrustListSize parameter
• Enhanced tests to use actual encoded sizes instead of fixed certificate counts for more accurate boundary testing

Security benefits

• Prevents unbounded memory allocation attacks
• Server respects configurable MaxTrustListSize from application configuration
• Client-side limits are configurable per operation with sensible 1MB default
• Supports different limits for different trust list operations as needed

Related Issues

Related to discussion in #3271

Types of changes

• Bugfix (non-breaking change which fixes an issue)
• Enhancement (non-breaking change which adds functionality)
• Test enhancement (non-breaking change to increase test coverage)
• Breaking change (fix or feature that would cause existing functionality to not work as expected, requires version increase of Nuget packages)
• Documentation Update (if none of the other choices apply)

Checklist

• I have read the CONTRIBUTING doc.
• I have signed the CLA.
• I ran tests locally with my changes, all passed.
• I fixed all failing tests in the CI pipelines.
• I fixed all introduced issues with CodeQL and LGTM.
• I have added tests that prove my fix is effective or that my feature works and increased code coverage.
• I have added necessary documentation (if appropriate).
• Any dependent changes have been merged and published in downstream modules.

Further comments

Optional constructor and method parameters maintain backward compatibility. Existing configurations with MaxTrustListSize = 0 receive 1MB default limit. Client-side methods accept optional size limits, defaulting to 1MB when not specified, allowing per-operation customization.

Tests use dynamic size calculation with GetEncodedSize() helper to accurately test boundary conditions. The comprehensive test suite covers normal operation, error conditions when limits are exceeded, boundary cases at exact limits, and scenarios with custom server-side configuration. All tests use the existing GDS test infrastructure and follow established patterns.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Validate file reads, e.g. GDS reading writing trust list files against the length of the file, with proper upper limits </issue_title>
<issue_description>Enforce Limits when reading or writing trust lists. e.g. in the GlobalDiscoveryClient.ReadTrustlist or in the Server in TrustList.Read.

Originally posted by @cristipogacean in #3271 (comment)
</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes Validate file reads, e.g. GDS reading writing trust list files against the length of the file, with proper upper limits  #3278

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
1 out of 2 committers have signed the CLA.

✅ romanett
❌ Copilot
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[romanett]

@copilot please add Tests

[Copilot]

@copilot please add Tests

Added comprehensive tests in TrustListValidationTest.cs:

• NormalSizeTrustListAsync: Verifies normal-sized trust lists work correctly (10 certificates)
• WriteTrustListExceedsSizeLimitAsync: Verifies that oversized trust lists (9000 x 4096-bit certs ≈ 18MB) throw BadEncodingLimitsExceeded
• TrustListJustUnderLimitAsync: Verifies boundary condition with trust lists just under the 16MB limit (7500 x 4096-bit certs ≈ 15MB)

Tests cover both server-side and client-side validation with proper error handling.

Commit: d40437c

[romanett]

@copilot please update the PR Description based on the Code Changes in my last two commits in this branch

[Copilot]

@copilot please update the PR Description based on the Code Changes in my last two commits in this branch

Updated PR description to reflect the changes from commits db9ba94 and 796a230:

Key additions:

• Made client-side limits configurable (both ReadTrustListAsync and UpdateTrustListAsync now accept optional maxTrustListSize parameter, defaulting to 1MB)
• Changed default capacity from 64KB to 1MB for consistency
• Enhanced tests with GetEncodedSize() helper for accurate boundary testing
• Added ReadWriteWithCustomServerMaxTrustListSizeAsync test that validates both server and client-side limits
• Test infrastructure now supports configurable server-side MaxTrustListSize

The PR description now accurately reflects all code changes including configurability improvements and comprehensive test enhancements.