Reject non-bit BOOLEAN values in wire decoder

antoineleclair · antoineleclair · commit e522b059baa7 · 2026-04-19T17:03:12.000-04:00
decode_value for BOOLEAN previously called bool(decode_uint64(...)),
silently coercing any uint64 to True/False. That was asymmetric with
encode_value (which rejects integers outside {0, 1}) and made
round-trips lossy: uint64=2 decoded to True, re-encoded as 1, so the
bytes changed. Require the wire value to be exactly 0 or 1 and raise
DecodeError otherwise, matching the existing strictness for row
markers and other enforced wire invariants.
diff --git a/src/dqlitewire/types.py b/src/dqlitewire/types.py
@@ -327,7 +327,14 @@ def decode_value(data: bytes | memoryview, value_type: ValueType) -> tuple[Any,
     Returns (value, bytes_consumed).
     """
     if value_type == ValueType.BOOLEAN:
-        return bool(decode_uint64(data)), 8
+        # Symmetric with encode_value: BOOLEAN must be exactly 0 or 1 on
+        # the wire. Silently coercing any uint64 to True/False would make
+        # round-trips lossy (encoding restores 1/0) and hide malformed
+        # frames produced by a broken or hostile peer.
+        raw = decode_uint64(data)
+        if raw not in (0, 1):
+            raise DecodeError(f"BOOLEAN wire value must be 0 or 1, got {raw}")
+        return bool(raw), 8
     elif value_type == ValueType.INTEGER:
         return decode_int64(data), 8
     elif value_type == ValueType.UNIXTIME:
diff --git a/tests/test_types.py b/tests/test_types.py
@@ -435,6 +435,23 @@ def test_decode_boolean(self) -> None:
         assert value is True
         assert consumed == 8
 
+    def test_decode_boolean_zero(self) -> None:
+        value, consumed = decode_value(encode_int64(0), ValueType.BOOLEAN)
+        assert value is False
+        assert consumed == 8
+
+    def test_decode_boolean_rejects_non_bit(self) -> None:
+        """Decoder is symmetric with encoder: only {0, 1} are valid BOOLEAN
+        wire values. Silently coercing any uint64 via ``bool(...)`` would
+        make round-trips lossy (e.g., uint64=2 → True → re-encodes as 1)
+        and would mask protocol violations that we want to surface.
+        """
+        from dqlitewire.exceptions import DecodeError
+
+        for bad in (2, 3, 255, 2**63 - 1):
+            with pytest.raises(DecodeError, match="BOOLEAN"):
+                decode_value(encode_int64(bad), ValueType.BOOLEAN)
+
     def test_encode_decode_iso8601_roundtrips_as_text(self) -> None:
         """ISO8601 is stored as text at the wire level — datetime conversion
         lives in the driver/DBAPI layer, matching C and Go's split.
