fix: cap heartbeat-derived read timeout to 300 seconds

Prevents a malicious or buggy server from sending an absurdly large
heartbeat_timeout value that would effectively disable read timeouts.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: antoineleclair

src/dqliteclient/protocol.py

@@ -66,7 +66,8 @@ async def handshake(self, client_id: int = 0) -> int:
         # Use heartbeat timeout for subsequent reads if larger than default
         if response.heartbeat_timeout > 0:
             heartbeat_seconds = response.heartbeat_timeout / 1000.0
-            self._timeout = max(self._timeout, heartbeat_seconds)
+            # Cap to prevent a malicious/buggy server from disabling timeouts
+            self._timeout = max(self._timeout, min(heartbeat_seconds, 300.0))
         return response.heartbeat_timeout
 
     async def get_leader(self) -> tuple[int, str]:

tests/test_protocol.py

@@ -28,6 +28,26 @@ async def test_handshake_success(
 
         assert timeout == 15000
 
+    async def test_handshake_caps_heartbeat_timeout(
+        self,
+        mock_reader: AsyncMock,
+        mock_writer: MagicMock,
+    ) -> None:
+        """A huge heartbeat_timeout should be capped to prevent timeout bypass."""
+        from dqlitewire.messages import WelcomeResponse
+
+        # Server sends an absurdly large heartbeat timeout (e.g., corrupted value)
+        huge_timeout_ms = 10_000_000  # 10000 seconds
+        mock_reader.read.return_value = WelcomeResponse(
+            heartbeat_timeout=huge_timeout_ms
+        ).encode()
+
+        protocol = DqliteProtocol(mock_reader, mock_writer, timeout=10.0)
+        await protocol.handshake()
+
+        # The read timeout should be capped, not set to 10000 seconds
+        assert protocol._timeout <= 300.0
+
     async def test_handshake_failure(
         self,
         protocol: DqliteProtocol,