Reject trailing bytes in WelcomeResponse and MetadataResponse bodies

Audit after the StmtResponse strict-decode tightening surfaced these
two as the last remaining fixed-body response decoders without an
explicit class-owned length check — both had been leaning on the
underlying decode_uint64 helper to raise on short input, but silently
accepted oversized bodies. Match the sibling pattern (DbResponse,
EmptyResponse, ResultResponse, FilesResponse, StmtResponse): body
must be exactly the declared size, with an error message naming the
owning class so operators reading logs can trace the frame.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: antoineleclair

src/dqlitewire/messages/responses.py

@@ -191,6 +191,8 @@ def encode_body(self) -> bytes:
 
     @classmethod
     def decode_body(cls, data: bytes, schema: int = 0) -> "WelcomeResponse":
+        if len(data) != 8:
+            raise DecodeError(f"WelcomeResponse body must be exactly 8 bytes, got {len(data)}")
         heartbeat_timeout = decode_uint64(data)
         return cls(heartbeat_timeout)
 
@@ -757,6 +759,8 @@ def encode_body(self) -> bytes:
 
     @classmethod
     def decode_body(cls, data: bytes, schema: int = 0) -> "MetadataResponse":
+        if len(data) != 16:
+            raise DecodeError(f"MetadataResponse body must be exactly 16 bytes, got {len(data)}")
         failure_domain = decode_uint64(data)
         weight = decode_uint64(data[8:])
         return cls(failure_domain, weight)

tests/test_responses_strict_length.py

@@ -136,3 +136,49 @@ def test_trailing_bytes_rejected_schema1(self) -> None:
         body = self._body_schema1() + b"\x02"
         with pytest.raises(DecodeError, match=r"StmtResponse schema=1 body must be exactly 24"):
             StmtResponse.decode_body(body, schema=1)
+
+
+class TestWelcomeResponseStrictLength:
+    """Body is uint64(heartbeat_timeout) — exactly 8 bytes."""
+
+    def test_short_body_rejected(self) -> None:
+        from dqlitewire.messages.responses import WelcomeResponse
+
+        with pytest.raises(DecodeError, match=r"WelcomeResponse body must be exactly 8"):
+            WelcomeResponse.decode_body(b"\x00" * 7)
+
+    def test_exact_length_accepted(self) -> None:
+        from dqlitewire.messages.responses import WelcomeResponse
+
+        msg = WelcomeResponse.decode_body((42).to_bytes(8, "little"))
+        assert msg.heartbeat_timeout == 42
+
+    def test_trailing_bytes_rejected(self) -> None:
+        from dqlitewire.messages.responses import WelcomeResponse
+
+        with pytest.raises(DecodeError, match=r"WelcomeResponse body must be exactly 8"):
+            WelcomeResponse.decode_body(b"\x00" * 9)
+
+
+class TestMetadataResponseStrictLength:
+    """Body is two uint64s (failure_domain + weight) — exactly 16 bytes."""
+
+    def test_short_body_rejected(self) -> None:
+        from dqlitewire.messages.responses import MetadataResponse
+
+        with pytest.raises(DecodeError, match=r"MetadataResponse body must be exactly 16"):
+            MetadataResponse.decode_body(b"\x00" * 15)
+
+    def test_exact_length_accepted(self) -> None:
+        from dqlitewire.messages.responses import MetadataResponse
+
+        body = (3).to_bytes(8, "little") + (7).to_bytes(8, "little")
+        msg = MetadataResponse.decode_body(body)
+        assert msg.failure_domain == 3
+        assert msg.weight == 7
+
+    def test_trailing_bytes_rejected(self) -> None:
+        from dqlitewire.messages.responses import MetadataResponse
+
+        with pytest.raises(DecodeError, match=r"MetadataResponse body must be exactly 16"):
+            MetadataResponse.decode_body(b"\x00" * 17)