fix: defensive-copy column_names and column_types in RowsResponse

antoineleclair · claude · antoineleclair · commit 218a8d0d6037 · 2026-04-11T10:02:44.000-04:00
RowsResponse used to store caller-supplied column_names and
column_types lists by reference, creating silent aliasing:

1. decode_body and decode_rows_continuation stored column_types via
   `if not column_types: column_types = types` where `types` was
   ALSO stored as all_row_types[0]. The returned response therefore
   had `r.column_types is r.row_types[0] == True`, so
   `r.column_types.append(...)` silently rewrote the first row's
   type list.

2. MessageDecoder.decode_continuation passed the caller's
   column_names list directly into every continuation RowsResponse.
   A caller who sorted or mutated `msg.column_names` on one
   continuation silently mutated every sibling continuation AND the
   original response.

3. User code constructing RowsResponse with lists they intend to
   keep mutating elsewhere would see those mutations reflected in
   the returned object.

Add __post_init__ to RowsResponse that shallow-copies column_names
and column_types. Catches all three sites uniformly with one code
change and survives future construction sites. Cost: two list
allocations per response, negligible compared to the row payload.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/src/dqlitewire/messages/responses.py b/src/dqlitewire/messages/responses.py
@@ -219,6 +219,31 @@ class RowsResponse(Message):
     rows: list[list[Any]] = field(default_factory=list)
     has_more: bool = False
 
+    def __post_init__(self) -> None:
+        # Defensive copies (issue 042). Three sources of aliasing
+        # motivate this:
+        #
+        # 1. ``decode_body`` / ``decode_rows_continuation`` store
+        #    ``column_types = types`` where ``types`` is also stored
+        #    as ``all_row_types[0]``, so without a copy
+        #    ``self.column_types is self.row_types[0]`` and mutating
+        #    one silently rewrites the other.
+        #
+        # 2. ``MessageDecoder.decode_continuation`` and
+        #    ``decode_rows_continuation`` pass the caller's
+        #    ``column_names`` list by reference into every
+        #    continuation response; any mutation on one response
+        #    propagates to every sibling.
+        #
+        # 3. User code constructing ``RowsResponse`` directly with a
+        #    list they intend to keep mutating elsewhere.
+        #
+        # Copying here catches all three sites uniformly and survives
+        # future construction sites. The cost is two list allocations
+        # per response — negligible compared to the row payload.
+        self.column_names = list(self.column_names)
+        self.column_types = list(self.column_types)
+
     def _get_row_types(self, row_idx: int, row: list[Any]) -> list[ValueType]:
         """Get types for a row: from row_types, column_types, or inferred."""
         if self.row_types and row_idx < len(self.row_types):
diff --git a/tests/test_messages_responses.py b/tests/test_messages_responses.py
@@ -150,6 +150,88 @@ def test_zero_values(self) -> None:
         assert decoded.rows_affected == 0
 
 
+class TestRowsResponseAliasing:
+    """Regression tests for issue 042.
+
+    ``RowsResponse`` used to store caller-supplied ``column_names`` and
+    ``column_types`` lists by reference, creating two kinds of silent
+    aliasing:
+
+    1. ``column_types`` was stored as ``all_row_types[0]`` inside
+       ``decode_body`` / ``decode_rows_continuation`` via
+       ``if not column_types: column_types = types``. The returned
+       object then had ``r.column_types is r.row_types[0]``, so
+       mutating one list silently rewrote the other.
+    2. ``column_names`` was passed through ``decode_rows_continuation``
+       unchanged and attached directly to every continuation
+       ``RowsResponse``. Callers who mutated ``msg.column_names`` on
+       one continuation silently mutated every sibling continuation
+       AND the original response.
+
+    The fix copies both lists on construction via ``__post_init__``.
+    """
+
+    def test_column_types_is_not_aliased_to_row_types_first(self) -> None:
+        """After decoding, ``column_types`` must be a distinct list
+        object from ``row_types[0]`` so mutation of one does not
+        propagate to the other.
+        """
+        msg = RowsResponse(
+            column_names=["id", "name"],
+            column_types=[ValueType.INTEGER, ValueType.TEXT],
+            rows=[[1, "alice"], [2, "bob"]],
+            has_more=False,
+        )
+        encoded = msg.encode()
+        decoded = RowsResponse.decode_body(encoded[HEADER_SIZE:])
+
+        assert decoded.row_types  # sanity: rows were decoded with types
+        assert decoded.column_types is not decoded.row_types[0], (
+            "column_types must not share identity with row_types[0]"
+        )
+
+        # Prove independence by mutation.
+        decoded.column_types[0] = ValueType.NULL
+        assert decoded.row_types[0][0] != ValueType.NULL
+
+    def test_column_names_defensive_copy_on_construct(self) -> None:
+        """A caller who supplies ``column_names`` to RowsResponse and
+        later mutates the source list must not see the change
+        reflected in the returned object.
+        """
+        names_in = ["a", "b", "c"]
+        msg = RowsResponse(
+            column_names=names_in,
+            column_types=[ValueType.INTEGER, ValueType.TEXT, ValueType.BLOB],
+            row_types=[],
+            rows=[],
+            has_more=False,
+        )
+
+        names_in.append("d")
+
+        assert msg.column_names == ["a", "b", "c"], (
+            "RowsResponse.column_names must not alias the caller's list"
+        )
+
+    def test_column_types_defensive_copy_on_construct(self) -> None:
+        """Same for column_types passed into the constructor."""
+        types_in = [ValueType.INTEGER, ValueType.TEXT]
+        msg = RowsResponse(
+            column_names=["a", "b"],
+            column_types=types_in,
+            row_types=[],
+            rows=[],
+            has_more=False,
+        )
+
+        types_in[0] = ValueType.BLOB
+
+        assert msg.column_types[0] == ValueType.INTEGER, (
+            "RowsResponse.column_types must not alias the caller's list"
+        )
+
+
 class TestRowsResponse:
     def test_empty_result(self) -> None:
         msg = RowsResponse(
