Cap server-address length in LeaderResponse and ServersResponse decoders

antoineleclair · antoineleclair · commit 62c7cac42b57 · 2026-04-19T17:01:57.000-04:00
Cluster addresses are small by any realistic measure (hostname + port,
or IPv6 literal + port). A frame-legal response carrying a multi-MB
"address" is malicious or broken and would amplify through logs and
exception messages even after _sanitize_server_text. Bound each
address at _MAX_ADDRESS_SIZE (256 bytes), applied in
LeaderResponse.decode_body, LeaderResponse.decode_body_legacy, and
the ServersResponse per-node loop.
diff --git a/src/dqlitewire/messages/responses.py b/src/dqlitewire/messages/responses.py
@@ -58,6 +58,14 @@
 # PATH_MAX is 4 KiB and mirrors the column-name cap.
 _MAX_FILENAME_SIZE = 4096
 
+# Per-address cap on ``LeaderResponse`` / ``ServersResponse`` (and their
+# legacy variants). Legitimate cluster addresses are small (hostname
+# + port, or IPv6 literal in brackets + port); RFC 1035 sets domain
+# names at ≤253 bytes and 256 leaves margin for the port. A multi-MB
+# "address" is malicious or broken and would amplify through log /
+# exception messages even after ``_sanitize_server_text``.
+_MAX_ADDRESS_SIZE = 256
+
 # Sanitize server-supplied text destined for exception messages and
 # logs. The C server promises UTF-8 but makes no promise about terminal
 # escapes or log-injection characters: a malicious or compromised peer
@@ -145,6 +153,10 @@ def decode_body(cls, data: bytes, schema: int = 0) -> "LeaderResponse":
         """
         node_id = decode_uint64(data)
         address, _ = decode_text(data[8:])
+        if len(address) > _MAX_ADDRESS_SIZE:
+            raise DecodeError(
+                f"leader address length {len(address)} exceeds maximum {_MAX_ADDRESS_SIZE}"
+            )
         return cls(node_id, _sanitize_server_text(address))
 
     @classmethod
@@ -155,6 +167,10 @@ def decode_body_legacy(cls, data: bytes) -> "LeaderResponse":
         Go reference: DecodeNodeLegacy in internal/protocol/message.go.
         """
         address, _ = decode_text(data)
+        if len(address) > _MAX_ADDRESS_SIZE:
+            raise DecodeError(
+                f"leader address length {len(address)} exceeds maximum {_MAX_ADDRESS_SIZE}"
+            )
         return cls(node_id=0, address=_sanitize_server_text(address))
 
 
@@ -672,6 +688,10 @@ def decode_body(cls, data: bytes, schema: int = 0) -> "ServersResponse":
             node_id = decode_uint64(view[offset:])
             offset += 8
             address, consumed = decode_text(view[offset:])
+            if len(address) > _MAX_ADDRESS_SIZE:
+                raise DecodeError(
+                    f"server address length {len(address)} exceeds maximum {_MAX_ADDRESS_SIZE}"
+                )
             address = _sanitize_server_text(address)
             offset += consumed
             raw_role = decode_uint64(view[offset:])
diff --git a/tests/test_messages_responses.py b/tests/test_messages_responses.py
@@ -6,6 +6,7 @@
 from dqlitewire.exceptions import DecodeError, EncodeError
 from dqlitewire.messages.base import Header
 from dqlitewire.messages.responses import (
+    _MAX_ADDRESS_SIZE,
     _MAX_COLUMN_NAME_SIZE,
     _MAX_FAILURE_MESSAGE_SIZE,
     _MAX_FILENAME_SIZE,
@@ -101,6 +102,34 @@ def test_decode_body_legacy(self) -> None:
         assert decoded.address == "192.168.1.1:9001"
 
 
+class TestLeaderResponseAddressSize:
+    """Per-address length cap applies to modern and legacy decoders.
+
+    Legitimate addresses are short (hostname + port, or IPv6 literal
+    in brackets + port). Cap at ``_MAX_ADDRESS_SIZE`` so an oversize
+    peer-supplied string cannot amplify through logs / exception
+    messages even after sanitization.
+    """
+
+    def test_decode_rejects_oversize_address(self) -> None:
+        oversize = "a" * (_MAX_ADDRESS_SIZE + 1)
+        body = encode_uint64(1) + encode_text(oversize)
+        with pytest.raises(DecodeError, match="leader address"):
+            LeaderResponse.decode_body(body)
+
+    def test_decode_accepts_address_at_cap(self) -> None:
+        at_cap = "a" * _MAX_ADDRESS_SIZE
+        body = encode_uint64(1) + encode_text(at_cap)
+        decoded = LeaderResponse.decode_body(body)
+        assert decoded.address == at_cap
+
+    def test_decode_body_legacy_rejects_oversize_address(self) -> None:
+        oversize = "a" * (_MAX_ADDRESS_SIZE + 1)
+        body = encode_text(oversize)
+        with pytest.raises(DecodeError, match="leader address"):
+            LeaderResponse.decode_body_legacy(body)
+
+
 class TestWelcomeResponse:
     def test_roundtrip(self) -> None:
         msg = WelcomeResponse(heartbeat_timeout=15000)
@@ -1226,6 +1255,29 @@ def test_truncated_file_content_raises(self) -> None:
             FilesResponse.decode_body(body)
 
 
+class TestServersResponseAddressSize:
+    """Per-node address length cap in ServersResponse decode."""
+
+    def _build_body(self, address: str) -> bytes:
+        # One node: uint64 id, text address, uint64 role.
+        return (
+            encode_uint64(1)
+            + encode_uint64(1)
+            + encode_text(address)
+            + encode_uint64(2)  # NodeRole.VOTER
+        )
+
+    def test_decode_rejects_oversize_address(self) -> None:
+        oversize = "a" * (_MAX_ADDRESS_SIZE + 1)
+        with pytest.raises(DecodeError, match="server address"):
+            ServersResponse.decode_body(self._build_body(oversize))
+
+    def test_decode_accepts_address_at_cap(self) -> None:
+        at_cap = "a" * _MAX_ADDRESS_SIZE
+        decoded = ServersResponse.decode_body(self._build_body(at_cap))
+        assert decoded.nodes[0].address == at_cap
+
+
 class TestFilesResponseFilenameSize:
     """Per-filename length cap in FilesResponse decode.
 
