fix: defensive-copy _get_row_types fallback path

antoineleclair · claude · antoineleclair · commit e45c920ab1b5 · 2026-04-11T15:56:02.000-04:00
`RowsResponse._get_row_types` returned `self.column_types` by
reference on the no-per-row-types fallback, punching a hole in the
aliasing invariant that `__post_init__` establishes: a caller who
captured the return value and mutated it would silently rewrite the
message's private copy. Return a fresh `list(self.column_types)`
instead.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/src/dqlitewire/messages/responses.py b/src/dqlitewire/messages/responses.py
@@ -245,11 +245,18 @@ def __post_init__(self) -> None:
         self.column_types = list(self.column_types)
 
     def _get_row_types(self, row_idx: int, row: list[Any]) -> list[ValueType]:
-        """Get types for a row: from row_types, column_types, or inferred."""
+        """Get types for a row: from row_types, column_types, or inferred.
+
+        The ``column_types`` fallback returns a fresh copy rather than
+        ``self.column_types`` itself, so that a caller who mutates the
+        return value cannot silently rewrite the message's private
+        copy. This preserves the aliasing invariant that
+        ``__post_init__`` establishes (issue 042, issue 052).
+        """
         if self.row_types and row_idx < len(self.row_types):
             return self.row_types[row_idx]
         if self.column_types:
-            return self.column_types
+            return list(self.column_types)
         # Infer from values
         from dqlitewire.types import encode_value
 
diff --git a/tests/test_messages_responses.py b/tests/test_messages_responses.py
@@ -231,6 +231,42 @@ def test_column_types_defensive_copy_on_construct(self) -> None:
             "RowsResponse.column_types must not alias the caller's list"
         )
 
+    def test_get_row_types_does_not_alias_column_types(self) -> None:
+        """Regression for issue 052.
+
+        ``__post_init__`` defensively copies ``column_types`` so that
+        mutation of a caller-supplied or decoder-supplied list cannot
+        rewrite the ``RowsResponse``'s private copy. ``_get_row_types``
+        used to return ``self.column_types`` by reference on the
+        "no per-row types" fallback path, which silently punched a
+        hole in that invariant: a caller who captured the return
+        value and mutated it would mutate the message's private
+        list.
+
+        This test asserts that the returned list is a distinct object
+        from ``self.column_types`` and that mutating the return value
+        does not affect the message.
+        """
+        msg = RowsResponse(
+            column_names=["x"],
+            column_types=[ValueType.INTEGER],
+            row_types=[],
+            rows=[[1]],
+            has_more=False,
+        )
+
+        row_types = msg._get_row_types(0, [1])
+
+        assert row_types is not msg.column_types, (
+            "_get_row_types must return a fresh list, not alias column_types"
+        )
+
+        row_types.append(ValueType.BLOB)
+        assert msg.column_types == [ValueType.INTEGER], (
+            "mutating the _get_row_types return value must not affect "
+            "msg.column_types (issue 042 invariant)"
+        )
+
 
 class TestRowsResponse:
     def test_empty_result(self) -> None:
