Reject trailing bytes in FailureResponse body decode

FailureResponse discarded the consumed-byte count from decode_text
and never verified the buffer was fully consumed. FailureResponse
carries operator-visible error strings that propagate into DB-API
exceptions; trailing bytes after the padded message were silently
dropped — a corrupt frame that mutated bytes after the message
still decoded successfully while the next message's framing
re-synced on stale bytes.

Mirror the strict-decode pattern now applied to the sibling
variable-length decoders (ServersResponse, LeaderResponse).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: antoineleclair

src/dqlitewire/messages/responses.py

@@ -121,11 +121,18 @@ def encode_body(self) -> bytes:
     @classmethod
     def decode_body(cls, data: bytes, schema: int = 0) -> "FailureResponse":
         code = decode_uint64(data)
-        message, _ = decode_text(data[8:])
+        message, consumed = decode_text(data[8:])
         if len(message) > _MAX_FAILURE_MESSAGE_SIZE:
             raise DecodeError(
                 f"Failure message length {len(message)} exceeds maximum {_MAX_FAILURE_MESSAGE_SIZE}"
             )
+        offset = 8 + consumed
+        if offset != len(data):
+            # Strict-decode parity with sibling decoders: conforming
+            # Go/C servers never emit trailing padding on this body.
+            raise DecodeError(
+                f"FailureResponse has {len(data) - offset} trailing bytes after message"
+            )
         return cls(code, _sanitize_server_text(message))
 
 

tests/test_responses_strict_length.py

@@ -235,6 +235,38 @@ def test_empty_list_trailing_bytes_rejected(self) -> None:
             ServersResponse.decode_body(body)
 
 
+class TestFailureResponseStrictLength:
+    """Body: uint64 code + padded text message. Trailing bytes after
+    the padded message had been silently accepted."""
+
+    @staticmethod
+    def _body(code: int = 5, message: str = "database is locked") -> bytes:
+        from dqlitewire.types import encode_text, encode_uint64
+
+        return encode_uint64(code) + encode_text(message)
+
+    def test_exact_round_trip(self) -> None:
+        from dqlitewire.messages.responses import FailureResponse
+
+        msg = FailureResponse.decode_body(self._body())
+        assert msg.code == 5
+        assert msg.message == "database is locked"
+
+    def test_trailing_byte_rejected(self) -> None:
+        from dqlitewire.messages.responses import FailureResponse
+
+        body = self._body() + b"\x01"
+        with pytest.raises(DecodeError, match=r"FailureResponse has 1 trailing byte"):
+            FailureResponse.decode_body(body)
+
+    def test_trailing_word_rejected(self) -> None:
+        from dqlitewire.messages.responses import FailureResponse
+
+        body = self._body() + b"\x00" * 8
+        with pytest.raises(DecodeError, match=r"FailureResponse has 8 trailing byte"):
+            FailureResponse.decode_body(body)
+
+
 class TestLeaderResponseStrictLength:
     """Modern body: uint64 node_id + padded text address. Legacy body:
     padded text address only. Trailing bytes after the address had