Sanitize peer / leader addresses in error messages; cap handshake-failure body

antoineleclair · claude · antoineleclair · commit a251a9adcb1d · 2026-04-29T23:28:00.000-04:00
Three security-adjacent client error-text fixes:

- ``DqliteProtocol._addr_suffix()`` interpolated ``self._address``
  directly into exception messages. The address can be server-
  controlled in the leader-redirect reconnect path
  (LeaderResponse.address is intentionally not sanitised at
  decode — sanitising would split allowlist sets) so a hostile
  leader could inject CRLF / control-chars / U+2028 / U+2029 into
  the address and produce log lines that splice across rows.
  Sanitise via ``_sanitize_server_text`` before interpolation.

- ``cluster._find_leader_impl``'s aggregate error builder
  interpolated ``node.address`` directly at three sites
  (no-leader-known, timed-out, transport-failure). Same hostile-
  leader risk on the redirect-reconnect path. Sanitise each
  interpolation.

- ``DqliteProtocol.handshake``'s failure-response raise wrapped
  ``_failure_text(response)`` directly in a bare ProtocolError,
  bypassing the OperationalError display-cap that bounds every
  other raise site in the protocol module. Run the body through
  ``_truncate_error`` so a hostile-or-buggy peer cannot inflate
  the handshake error into a multi-KiB log line.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/src/dqliteclient/cluster.py b/src/dqliteclient/cluster.py
@@ -351,7 +351,16 @@ async def _find_leader_impl(self, *, trust_server_heartbeat: bool) -> str:
                     idx + 1,
                     total_nodes,
                 )
-                errors.append(f"{node.address}: no leader known")
+                # Sanitise the address before interpolating into the
+                # aggregate error so a hostile leader cannot inject
+                # CRLF / control-chars / line separators into log
+                # output. ``node.address`` flows through
+                # ``LeaderResponse.address`` which is deliberately NOT
+                # sanitised at wire decode (allowlist semantics) —
+                # sanitisation must happen at the user-facing error
+                # boundary.
+                _safe_addr = _sanitize_display_text(node.address)
+                errors.append(f"{_safe_addr}: no leader known")
                 continue
             except TimeoutError as e:
                 logger.debug(
@@ -361,7 +370,7 @@ async def _find_leader_impl(self, *, trust_server_heartbeat: bool) -> str:
                     idx + 1,
                     total_nodes,
                 )
-                errors.append(f"{node.address}: timed out")
+                errors.append(f"{_sanitize_display_text(node.address)}: timed out")
                 last_exc = e
                 continue
             except (DqliteConnectionError, ProtocolError, OperationalError, OSError) as e:
@@ -376,7 +385,7 @@ async def _find_leader_impl(self, *, trust_server_heartbeat: bool) -> str:
                     idx + 1,
                     total_nodes,
                 )
-                errors.append(f"{node.address}: {_truncate_error(str(e))}")
+                errors.append(f"{_sanitize_display_text(node.address)}: {_truncate_error(str(e))}")
                 last_exc = e
                 continue
 
diff --git a/src/dqliteclient/protocol.py b/src/dqliteclient/protocol.py
@@ -233,8 +233,17 @@ async def handshake(self, client_id: int | None = None) -> int:
             # server-reported code and peer address so log aggregators
             # can group on the numeric code (DQLITE_PARSE,
             # DQLITE_NOTLEADER, etc.) rather than on text alone.
+            # Truncate the failure body so a hostile-or-buggy peer
+            # cannot inflate the handshake error into a multi-KiB
+            # log line — the rest of the protocol module's
+            # OperationalError raise sites get this for free via
+            # ``OperationalError._MAX_DISPLAY_MESSAGE``; the raw
+            # ProtocolError shape doesn't.
+            from dqliteclient.cluster import _truncate_error
+
             raise ProtocolError(
-                f"Handshake failed: [{response.code}] {self._failure_text(response)}"
+                f"Handshake failed: [{response.code}] "
+                f"{_truncate_error(self._failure_text(response))}"
             )
 
         if not isinstance(response, WelcomeResponse):
@@ -699,8 +708,22 @@ def _addr_suffix(self) -> str:
 
         Returns an empty string when the address is unknown — keeping
         error messages clean for callers that don't thread it in.
+
+        Sanitises the address through ``_sanitize_server_text`` to
+        strip control characters / CR / LF / U+2028 / U+2029 before
+        interpolating it into an exception message. The address can
+        be server-controlled in the leader-redirect reconnect path
+        (LeaderResponse.address is intentionally NOT sanitised at
+        decode time — sanitising would split allowlist sets — so the
+        user-facing error/log boundary must do it instead). Without
+        this, a hostile leader could inject CRLF into the address
+        and produce log lines that splice across rows.
         """
-        return f" to {self._address}" if self._address else ""
+        if not self._address:
+            return ""
+        from dqlitewire.messages.responses import _sanitize_server_text
+
+        return f" to {_sanitize_server_text(self._address)}"
 
     def _failure_text(self, response: FailureResponse) -> str:
         """Render a FailureResponse as the body string for an
