Reject trailing bytes in ServersResponse body decode

antoineleclair · claude · antoineleclair · commit 5b7d0143eea1 · 2026-04-21T17:34:38.000-04:00
ServersResponse decoded a variable-length node list but never
verified the buffer was fully consumed, silently accepting trailing
bytes. This was the only variable-length cluster-topology decoder
still permissive after the strict-decode pass across the other
fixed-body and variable-length responses.

Mirror the strict-decode pattern already applied to FilesResponse
and RowsResponse (zero-column fast path): raise DecodeError naming
the owning class when the per-node loop leaves bytes unconsumed.
Tests pin the exact-body round-trip at 0, 1, and 3 nodes plus
trailing-byte rejection in the empty and populated cases.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/src/dqlitewire/messages/responses.py b/src/dqlitewire/messages/responses.py
@@ -736,6 +736,13 @@ def decode_body(cls, data: bytes, schema: int = 0) -> "ServersResponse":
                     f"Invalid node role {raw_role} at offset {offset - 8}; expected one of {valid}"
                 ) from exc
             nodes.append(NodeInfo(node_id, address, role))
+        if offset != len(view):
+            # Strict-decode parity with sibling variable-length
+            # decoders: conforming Go/C servers never emit trailing
+            # padding on this response.
+            raise DecodeError(
+                f"ServersResponse has {len(view) - offset} trailing bytes after {count} nodes"
+            )
         return cls(nodes)
 
 
diff --git a/tests/test_responses_strict_length.py b/tests/test_responses_strict_length.py
@@ -160,6 +160,81 @@ def test_trailing_bytes_rejected(self) -> None:
             WelcomeResponse.decode_body(b"\x00" * 9)
 
 
+class TestServersResponseStrictLength:
+    """Variable-length body: ``uint64 count`` then ``count`` × (id, text
+    address, role). Trailing bytes after the last node had been silently
+    dropped.
+    """
+
+    @staticmethod
+    def _single_node_body(addr: str = "1.2.3.4:9001") -> bytes:
+        from dqlitewire.types import encode_text, encode_uint64
+
+        return (
+            encode_uint64(1)  # count
+            + encode_uint64(1)  # node_id
+            + encode_text(addr)  # address (padded)
+            + encode_uint64(0)  # role = voter
+        )
+
+    def test_empty_list_exact_round_trip(self) -> None:
+        from dqlitewire.messages.responses import ServersResponse
+        from dqlitewire.types import encode_uint64
+
+        msg = ServersResponse.decode_body(encode_uint64(0))
+        assert msg.nodes == []
+
+    def test_single_node_exact_round_trip(self) -> None:
+        from dqlitewire.messages.responses import ServersResponse
+
+        msg = ServersResponse.decode_body(self._single_node_body())
+        assert len(msg.nodes) == 1
+        assert msg.nodes[0].address == "1.2.3.4:9001"
+
+    def test_multi_node_exact_round_trip(self) -> None:
+        """Offset accumulation through multiple iterations — exercises
+        the per-node loop boundary condition that the single-node test
+        cannot reach."""
+        from dqlitewire.messages.responses import ServersResponse
+        from dqlitewire.types import encode_text, encode_uint64
+
+        body = encode_uint64(3)
+        for i in range(3):
+            body += encode_uint64(i)
+            body += encode_text(f"node{i}.example:900{i}")
+            body += encode_uint64(0)
+        msg = ServersResponse.decode_body(body)
+        assert [n.address for n in msg.nodes] == [
+            "node0.example:9000",
+            "node1.example:9001",
+            "node2.example:9002",
+        ]
+
+    def test_trailing_bytes_rejected(self) -> None:
+        from dqlitewire.messages.responses import ServersResponse
+
+        body = self._single_node_body() + b"\x01"
+        with pytest.raises(DecodeError, match=r"ServersResponse has 1 trailing byte"):
+            ServersResponse.decode_body(body)
+
+    def test_trailing_word_rejected(self) -> None:
+        from dqlitewire.messages.responses import ServersResponse
+
+        body = self._single_node_body() + b"\x00" * 8
+        with pytest.raises(DecodeError, match=r"ServersResponse has 8 trailing byte"):
+            ServersResponse.decode_body(body)
+
+    def test_empty_list_trailing_bytes_rejected(self) -> None:
+        """Count=0 with trailing bytes must still raise — otherwise a
+        server could hide bytes behind an empty list."""
+        from dqlitewire.messages.responses import ServersResponse
+        from dqlitewire.types import encode_uint64
+
+        body = encode_uint64(0) + b"\x00" * 8
+        with pytest.raises(DecodeError, match=r"ServersResponse has 8 trailing byte"):
+            ServersResponse.decode_body(body)
+
+
 class TestMetadataResponseStrictLength:
     """Body is two uint64s (failure_domain + weight) — exactly 16 bytes."""
 
