Cap FailureResponse message at encoder and decoder

A peer returning a multi-megabyte error message forces an allocation
and a full-string C0-sanitize scan on every FAILURE response. Real
SQLite error strings are under a few hundred characters; anything
beyond the new 64 KiB cap is malicious or broken. Cap at both encode
and decode, consistent with _MAX_COLUMN_COUNT / _MAX_FILE_COUNT /
_MAX_NODE_COUNT in the same file.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: antoineleclair

src/dqlitewire/messages/responses.py

@@ -40,6 +40,13 @@
 _MAX_FILE_COUNT = 100
 _MAX_NODE_COUNT = 10_000
 
+# Per-field cap on ``FailureResponse.message``. The frame-size cap
+# in ``buffer.py`` (64 MiB) bounds total bytes, but error messages in
+# practice are short (SQLite's own error strings are under ~200 chars).
+# A peer sending megabytes of text is malicious or broken; cap well
+# above any realistic message so legitimate cases are never clipped.
+_MAX_FAILURE_MESSAGE_SIZE = 64 * 1024
+
 # Sanitize server-supplied text destined for exception messages and
 # logs. The C server promises UTF-8 but makes no promise about terminal
 # escapes or log-injection characters: a malicious or compromised peer
@@ -84,12 +91,21 @@ class FailureResponse(Message):
     message: str
 
     def encode_body(self) -> bytes:
+        if len(self.message) > _MAX_FAILURE_MESSAGE_SIZE:
+            raise EncodeError(
+                f"Failure message length {len(self.message)} "
+                f"exceeds maximum {_MAX_FAILURE_MESSAGE_SIZE}"
+            )
         return encode_uint64(self.code) + encode_text(self.message)
 
     @classmethod
     def decode_body(cls, data: bytes, schema: int = 0) -> "FailureResponse":
         code = decode_uint64(data)
         message, _ = decode_text(data[8:])
+        if len(message) > _MAX_FAILURE_MESSAGE_SIZE:
+            raise DecodeError(
+                f"Failure message length {len(message)} exceeds maximum {_MAX_FAILURE_MESSAGE_SIZE}"
+            )
         return cls(code, _sanitize_server_text(message))
 
 

tests/test_messages_responses.py

@@ -6,6 +6,7 @@
 from dqlitewire.exceptions import DecodeError, EncodeError
 from dqlitewire.messages.base import Header
 from dqlitewire.messages.responses import (
+    _MAX_FAILURE_MESSAGE_SIZE,
     DbResponse,
     EmptyResponse,
     FailureResponse,
@@ -19,6 +20,7 @@
     StmtResponse,
     WelcomeResponse,
 )
+from dqlitewire.types import encode_text, encode_uint64
 
 
 class TestFailureResponse:
@@ -42,6 +44,31 @@ def test_empty_message(self) -> None:
         assert decoded.code == 0
         assert decoded.message == ""
 
+    def test_decode_rejects_oversize_message(self) -> None:
+        """A peer claiming a multi-megabyte error message can force a large
+        allocation and full-string scan through _sanitize_server_text. Cap
+        the decoded message at _MAX_FAILURE_MESSAGE_SIZE so the decoder
+        fails fast before the sanitize scan runs."""
+        oversize = "a" * (_MAX_FAILURE_MESSAGE_SIZE + 1)
+        body = encode_uint64(1) + encode_text(oversize)
+        with pytest.raises(DecodeError, match="exceeds maximum"):
+            FailureResponse.decode_body(body)
+
+    def test_decode_accepts_message_at_cap(self) -> None:
+        """Exactly-cap message must still decode."""
+        at_cap = "a" * _MAX_FAILURE_MESSAGE_SIZE
+        body = encode_uint64(1) + encode_text(at_cap)
+        decoded = FailureResponse.decode_body(body)
+        assert decoded.code == 1
+        assert len(decoded.message) == _MAX_FAILURE_MESSAGE_SIZE
+
+    def test_encode_rejects_oversize_message(self) -> None:
+        """Encoder mirrors the decode cap so callers fail fast on an
+        accidentally-huge message string."""
+        msg = FailureResponse(code=1, message="a" * (_MAX_FAILURE_MESSAGE_SIZE + 1))
+        with pytest.raises(EncodeError, match="exceeds maximum"):
+            msg.encode_body()
+
 
 class TestLeaderResponse:
     def test_roundtrip(self) -> None: