Cap filename length in FilesResponse decoder

Mirror of the column-name cap: bound per-filename decode to
_MAX_FILENAME_SIZE (4 KiB, matching POSIX PATH_MAX) so a frame-legal
FilesResponse cannot force unbounded string allocation through a
single giant filename entry.

Author: antoineleclair

src/dqlitewire/messages/responses.py

@@ -53,6 +53,11 @@
 # defense-in-depth policy as ``_MAX_FAILURE_MESSAGE_SIZE``.
 _MAX_COLUMN_NAME_SIZE = 4096
 
+# Per-filename cap on ``FilesResponse``. dqlite file entries are the
+# on-disk page-backed database files (``main``, ``wal``, etc.); POSIX
+# PATH_MAX is 4 KiB and mirrors the column-name cap.
+_MAX_FILENAME_SIZE = 4096
+
 # Sanitize server-supplied text destined for exception messages and
 # logs. The C server promises UTF-8 but makes no promise about terminal
 # escapes or log-injection characters: a malicious or compromised peer
@@ -590,6 +595,10 @@ def decode_body(cls, data: bytes, schema: int = 0) -> "FilesResponse":
             )
         for _ in range(count):
             name, consumed = decode_text(view[offset:])
+            if len(name) > _MAX_FILENAME_SIZE:
+                raise DecodeError(
+                    f"filename length {len(name)} exceeds maximum {_MAX_FILENAME_SIZE}"
+                )
             offset += consumed
             size = decode_uint64(view[offset:])
             offset += 8

tests/test_messages_responses.py

@@ -8,6 +8,7 @@
 from dqlitewire.messages.responses import (
     _MAX_COLUMN_NAME_SIZE,
     _MAX_FAILURE_MESSAGE_SIZE,
+    _MAX_FILENAME_SIZE,
     DbResponse,
     EmptyResponse,
     FailureResponse,
@@ -1225,6 +1226,32 @@ def test_truncated_file_content_raises(self) -> None:
             FilesResponse.decode_body(body)
 
 
+class TestFilesResponseFilenameSize:
+    """Per-filename length cap in FilesResponse decode.
+
+    The outer 64 MiB frame cap bounds total bytes, but a peer can still
+    pack a giant filename in a frame-legal FilesResponse. Cap each
+    filename at ``_MAX_FILENAME_SIZE`` (POSIX PATH_MAX convention).
+    """
+
+    def _build_body(self, name: str) -> bytes:
+        # Single entry with word-aligned content.
+        content = b"\x00" * 8
+        return encode_uint64(1) + encode_text(name) + encode_uint64(len(content)) + content
+
+    def test_decode_rejects_oversize_filename(self) -> None:
+        oversize = "a" * (_MAX_FILENAME_SIZE + 1)
+        body = self._build_body(oversize)
+        with pytest.raises(DecodeError, match="filename"):
+            FilesResponse.decode_body(body)
+
+    def test_decode_accepts_filename_at_cap(self) -> None:
+        at_cap = "a" * _MAX_FILENAME_SIZE
+        body = self._build_body(at_cap)
+        decoded = FilesResponse.decode_body(body)
+        assert at_cap in decoded.files
+
+
 class TestServersResponse:
     def test_empty(self) -> None:
         msg = ServersResponse(nodes=[])