Validate node-store addresses syntactically via parse_address at the store boundary

antoineleclair · claude · antoineleclair · commit 5a5240544227 · 2026-04-30T23:40:58.000-04:00
``MemoryNodeStore`` validated whitespace + non-empty + non-
duplicate but never called ``parse_address``. Malformed entries
(unbracketed IPv6 like ``::1:9001``, non-numeric port,
hostname with no port, credentials shape) leaked
``ValueError`` through the ``ClusterClient._find_leader_impl``
sweep, whose narrow except tuple
(``DqliteConnectionError``, ``ProtocolError``,
``OperationalError``, ``OSError``) does NOT include
``ValueError``. Result: a single bad seed aborted the entire
sweep with the wrong exception class and no per-node attribution.

Apply the same syntactic validation in both ``__init__`` and
``set_nodes``: parse via the existing
``connection._parse_address`` helper, wrap the result with a
named-entry diagnostic. Local imports avoid the
``cluster &lt;-&gt; node_store`` import cycle (cluster already
imports ``NodeStore`` from node_store).

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/src/dqliteclient/node_store.py b/src/dqliteclient/node_store.py
@@ -116,6 +116,23 @@ def __init__(
                 addr = raw.strip()
                 if not addr:
                     raise ValueError("NodeStore addresses must be non-empty 'host:port' strings")
+                # Syntactic validation via the same parser
+                # ``_query_leader`` will use later. Without this,
+                # malformed entries (unbracketed IPv6, non-numeric
+                # port, IDN, credentials shape) leak ``ValueError``
+                # through the ``find_leader`` sweep's narrow except
+                # tuple — aborting the entire sweep with the wrong
+                # exception class and no per-node attribution.
+                # Local import to avoid cluster <-> node_store
+                # circular import (cluster imports NodeStore).
+                from dqliteclient.connection import _parse_address as _parse_addr_validator
+
+                try:
+                    _parse_addr_validator(addr)
+                except ValueError as e:
+                    raise ValueError(
+                        f"NodeStore address {addr!r} is not a valid 'host:port': {e}"
+                    ) from e
                 if addr in seen:
                     continue
                 seen.add(addr)
@@ -152,6 +169,16 @@ async def set_nodes(self, nodes: Sequence[NodeInfo]) -> None:
             addr = node.address.strip()
             if not addr:
                 raise ValueError("NodeInfo.address must be a non-empty 'host:port' string")
+            # Same syntactic validation as ``__init__``; see rationale
+            # there. Local import to avoid the cluster import cycle.
+            from dqliteclient.connection import _parse_address as _parse_addr_validator
+
+            try:
+                _parse_addr_validator(addr)
+            except ValueError as e:
+                raise ValueError(
+                    f"NodeInfo.address {addr!r} is not a valid 'host:port': {e}"
+                ) from e
             if addr in seen:
                 continue
             seen.add(addr)
diff --git a/tests/test_node_store_address_validation.py b/tests/test_node_store_address_validation.py
@@ -0,0 +1,56 @@
+"""Pin: ``MemoryNodeStore`` syntactically validates each address
+via the same ``parse_address`` helper that ``_query_leader`` will
+use later. Without this, malformed entries (unbracketed IPv6,
+non-numeric port, IDN, credentials shape) leak ``ValueError``
+through the ``find_leader`` sweep's narrow except tuple — aborting
+the entire sweep with the wrong exception class.
+"""
+
+from __future__ import annotations
+
+import pytest
+
+from dqliteclient.node_store import MemoryNodeStore, NodeInfo
+from dqlitewire import NodeRole
+
+
+@pytest.mark.parametrize(
+    "bad",
+    [
+        "no-port",
+        "host:abc",
+        "host:99999",
+        "::1:9001",  # unbracketed IPv6
+    ],
+)
+def test_init_rejects_malformed_address(bad: str) -> None:
+    with pytest.raises(ValueError, match="not a valid"):
+        MemoryNodeStore([bad])
+
+
+def test_init_accepts_well_formed_addresses() -> None:
+    store = MemoryNodeStore(["localhost:9001", "[::1]:9002"])
+    nodes = list(store._nodes)
+    assert len(nodes) == 2
+    assert nodes[0].address == "localhost:9001"
+    assert nodes[1].address == "[::1]:9002"
+
+
+@pytest.mark.asyncio
+async def test_set_nodes_rejects_malformed_address() -> None:
+    store = MemoryNodeStore()
+    with pytest.raises(ValueError, match="not a valid"):
+        await store.set_nodes([NodeInfo(node_id=1, address="bogus:notaport", role=NodeRole.VOTER)])
+
+
+@pytest.mark.asyncio
+async def test_set_nodes_accepts_well_formed_addresses() -> None:
+    store = MemoryNodeStore()
+    await store.set_nodes(
+        [
+            NodeInfo(node_id=1, address="localhost:9001", role=NodeRole.VOTER),
+            NodeInfo(node_id=2, address="[::1]:9002", role=NodeRole.STANDBY),
+        ]
+    )
+    nodes = await store.get_nodes()
+    assert len(nodes) == 2
diff --git a/tests/test_pool_acquire_signal_propagation.py b/tests/test_pool_acquire_signal_propagation.py
@@ -84,7 +84,7 @@ async def test_baseexception_during_cleanup_propagates() -> None:
     ``BaseException`` from the cancelled-task drain must propagate.
     The cleanup may not silently swallow them — only ``CancelledError``
     is meant to be drained."""
-    pool = ConnectionPool("localhost:9001", min_size=0, max_size=1, timeout=5.0)  # type: ignore[arg-type]
+    pool = ConnectionPool(["localhost:9001"], min_size=0, max_size=1, timeout=5.0)
     _force_at_capacity(pool, _SentinelBaseException("signal"))
 
     with pytest.raises(_SentinelBaseException, match="signal"):
