backup: reject truncated DynamoDB keys (PR #716, round 3)

bootjp · bootjp · commit 9029addb3dbd · 2026-04-30T20:14:02.000+09:00
Two Codex P2 strict-validation follow-ups. #117 -- empty table-meta segment. HandleTableMeta accepted `!ddb|meta|table|` (no encoded segment) because base64.RawURLEncoding.DecodeString("") returns empty bytes without error, so the schema would route under the empty table name. Now rejected with ErrDDBMalformedKey before the JSON decode. TestDDB_RejectsTableMetaKeyWithEmptySegment. #303 -- truncated item key. parseDDBItemKey accepted `!ddb|item|<table>|7|` (gen separator present, no primary-key payload). The gen-end check was "genEnd > 0" which a trailing `|` satisfies. Added a follow-up check that genEnd+1 != len(afterTable) so a payload-less key surfaces as ErrDDBMalformedKey rather than emit under value-side attributes only. TestDDB_RejectsItemKeyWithEmptyPrimaryKeyPayload.
diff --git a/internal/backup/dynamodb.go b/internal/backup/dynamodb.go
@@ -113,6 +113,13 @@ func (d *DDBEncoder) HandleTableMeta(key, value []byte) error {
 	if err != nil {
 		return errors.Wrap(ErrDDBMalformedKey, err.Error())
 	}
+	if encoded == "" {
+		// base64.RawURLEncoding.DecodeString("") succeeds with an
+		// empty slice, so without this guard a truncated key like
+		// `!ddb|meta|table|` would be routed under the empty table
+		// name. That hides corruption (Codex P2 #117).
+		return errors.Wrapf(ErrDDBMalformedKey, "empty table segment: %q", key)
+	}
 	rawName, err := base64.RawURLEncoding.DecodeString(encoded)
 	if err != nil {
 		return errors.Wrap(ErrDDBMalformedKey, err.Error())
@@ -305,6 +312,16 @@ func parseDDBItemKey(key []byte) (string, uint64, error) {
 	if err != nil {
 		return "", 0, errors.Wrap(ErrDDBMalformedKey, err.Error())
 	}
+	// Item keys must carry a primary-key payload after the gen
+	// separator (the encoded hash + range bytes). A bare
+	// `!ddb|item|<table>|<gen>|` cannot identify any item; treating
+	// such a key as valid would let a truncated record slip past
+	// malformed-key detection and emit under value-side attributes
+	// only, masking snapshot corruption (Codex P2 #303).
+	if genEnd+1 == len(afterTable) {
+		return "", 0, errors.Wrapf(ErrDDBMalformedKey,
+			"item key missing primary-key payload: %q", key)
+	}
 	return enc, gen, nil
 }
 
diff --git a/internal/backup/dynamodb_test.go b/internal/backup/dynamodb_test.go
@@ -490,6 +490,30 @@ func TestDDB_ParseItemKeyExtractsGeneration(t *testing.T) {
 	}
 }
 
+func TestDDB_RejectsTableMetaKeyWithEmptySegment(t *testing.T) {
+	t.Parallel()
+	enc, _ := newDDBEncoder(t)
+	// `!ddb|meta|table|` (no encoded segment) -- base64url-decodes to
+	// an empty name and would otherwise route the schema under "".
+	// Codex P2 #117.
+	err := enc.HandleTableMeta([]byte(DDBTableMetaPrefix), []byte("ignored"))
+	if !errors.Is(err, ErrDDBMalformedKey) {
+		t.Fatalf("err=%v", err)
+	}
+}
+
+func TestDDB_RejectsItemKeyWithEmptyPrimaryKeyPayload(t *testing.T) {
+	t.Parallel()
+	// `!ddb|item|<table>|7|` -- gen separator present but no
+	// primary-key payload. Codex P2 #303.
+	key := []byte(DDBItemPrefix)
+	key = append(key, []byte("dA")...) // base64url("t")
+	key = append(key, []byte("|7|")...)
+	if _, _, err := parseDDBItemKey(key); !errors.Is(err, ErrDDBMalformedKey) {
+		t.Fatalf("err=%v want ErrDDBMalformedKey for truncated item key", err)
+	}
+}
+
 func TestDDB_RejectsKeyWithMissingTableSegment(t *testing.T) {
 	t.Parallel()
 	enc, _ := newDDBEncoder(t)
