Cap column name length in RowsResponse decoder

A hostile or buggy server can pack a giant column name inside a
frame-legal RowsResponse and force unbounded Python str allocation.
Cap per-column-name at 4 KiB, matching the defense-in-depth pattern
used for FailureResponse.message. Legitimate SQL identifiers are
orders of magnitude smaller.

Author: antoineleclair

src/dqlitewire/messages/responses.py

@@ -47,6 +47,12 @@
 # above any realistic message so legitimate cases are never clipped.
 _MAX_FAILURE_MESSAGE_SIZE = 64 * 1024
 
+# Per-column-name cap on ``RowsResponse``. SQLite column-name identifiers
+# are short by any realistic standard; 4 KiB is orders of magnitude above
+# legitimate use and well below any memory-exhaustion concern. Same
+# defense-in-depth policy as ``_MAX_FAILURE_MESSAGE_SIZE``.
+_MAX_COLUMN_NAME_SIZE = 4096
+
 # Sanitize server-supplied text destined for exception messages and
 # logs. The C server promises UTF-8 but makes no promise about terminal
 # escapes or log-injection characters: a malicious or compromised peer
@@ -424,6 +430,10 @@ def decode_body(
         column_names: list[str] = []
         for _ in range(column_count):
             name, consumed = decode_text(view[offset:])
+            if len(name) > _MAX_COLUMN_NAME_SIZE:
+                raise DecodeError(
+                    f"column name length {len(name)} exceeds maximum {_MAX_COLUMN_NAME_SIZE}"
+                )
             column_names.append(name)
             offset += consumed
 

tests/test_messages_responses.py

@@ -6,6 +6,7 @@
 from dqlitewire.exceptions import DecodeError, EncodeError
 from dqlitewire.messages.base import Header
 from dqlitewire.messages.responses import (
+    _MAX_COLUMN_NAME_SIZE,
     _MAX_FAILURE_MESSAGE_SIZE,
     DbResponse,
     EmptyResponse,
@@ -768,6 +769,35 @@ def test_zero_columns_with_rows_raises(self) -> None:
             resp.encode_body()
 
 
+class TestRowsResponseColumnNameSize:
+    """Per-column-name length cap in RowsResponse decode.
+
+    The outer 64 MiB frame cap is the ultimate backstop, but a peer can
+    still pack a single giant column name inside a frame-legal response
+    and force the client to allocate it as a Python string. Cap each
+    column name at ``_MAX_COLUMN_NAME_SIZE`` (same policy as
+    ``_MAX_FAILURE_MESSAGE_SIZE``).
+    """
+
+    def _build_body(self, name: str) -> bytes:
+        # One-column RowsResponse, no rows, DONE marker.
+        from dqlitewire.constants import ROW_DONE_MARKER
+
+        return encode_uint64(1) + encode_text(name) + encode_uint64(ROW_DONE_MARKER)
+
+    def test_decode_rejects_oversize_column_name(self) -> None:
+        oversize = "a" * (_MAX_COLUMN_NAME_SIZE + 1)
+        body = self._build_body(oversize)
+        with pytest.raises(DecodeError, match="column name"):
+            RowsResponse.decode_body(body)
+
+    def test_decode_accepts_column_name_at_cap(self) -> None:
+        at_cap = "a" * _MAX_COLUMN_NAME_SIZE
+        body = self._build_body(at_cap)
+        decoded = RowsResponse.decode_body(body)
+        assert decoded.column_names == [at_cap]
+
+
 class TestRowsResponseNullInTypedColumn:
     """137: None values in rows with explicit column types must encode correctly."""