Skip to content

Limit chained Content-Encoding decoders to 5#1027

Merged
Kludex merged 10 commits into
mainfrom
limit-content-encoding-chain
Jun 11, 2026
Merged

Limit chained Content-Encoding decoders to 5#1027
Kludex merged 10 commits into
mainfrom
limit-content-encoding-chain

Conversation

@Kludex

@Kludex Kludex commented Jun 6, 2026
edited
Loading

Copy link
Copy Markdown
Member

A response can carry multiple Content-Encoding values, which we decode by building a MultiDecoder chain. Today that chain is unbounded - a response can list an arbitrary number of encodings and we'll happily build a decoder for each one.

Real responses apply one encoding, occasionally two. There's no legitimate reason to chain more than a handful, so this caps the chain at 5 and raises DecodingError past that.

The limit lives as a ClassVar on MultiDecoder so it stays easy to find and adjust.

AI Disclaimer

This PR was developed with the assistance of either Claude or Codex. I've reviewed and verified the changes.

@github-actions

github-actions Bot commented Jun 6, 2026

Copy link
Copy Markdown

Docs preview:

@codspeed-hq

codspeed-hq Bot commented Jun 6, 2026
edited
Loading

Copy link
Copy Markdown

Merging this PR will not alter performance

✅ 15 untouched benchmarks
⏩ 7 skipped benchmarks1

Comparing limit-content-encoding-chain (548c187) with main (873af0a)

Open in CodSpeed

Footnotes

  1. 7 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports.

cubic-dev-ai[bot]
cubic-dev-ai Bot reviewed Jun 6, 2026
View reviewed changes

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 3 files

Re-trigger cubic

chatgpt-codex-connector[bot]
chatgpt-codex-connector Bot reviewed Jun 6, 2026
View reviewed changes

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 0190de0d72

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread src/httpx2/httpx2/_decoders.py Outdated
cubic-dev-ai[bot]
cubic-dev-ai Bot reviewed Jun 6, 2026
View reviewed changes

@cubic-dev-ai cubic-dev-ai Bot left a comment
edited
Loading

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1 issue found across 2 files (changes from recent commits).

Reply with feedback, questions, or to request a fix.

Re-trigger cubic

Comment thread src/httpx2/httpx2/_decoders.py
cubic-dev-ai[bot]
cubic-dev-ai Bot reviewed Jun 6, 2026
View reviewed changes

@cubic-dev-ai cubic-dev-ai Bot left a comment
edited
Loading

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1 issue found across 3 files (changes from recent commits).

Tip: Review your code locally with the cubic CLI to iterate faster.

Re-trigger cubic

Comment thread src/httpx2/httpx2/_models.py Outdated
@Kludex
Count real decoders, not declared tokens, against chain limit
0e3f269 
Identity and unsupported encodings no longer count toward the limit, so a response that lists junk labels but applies few real decoders keeps decoding instead of raising.
@Kludex
Filter identity at the call site, not inside MultiDecoder
91b6036 
MultiDecoder no longer special-cases 'identity'; the response decoder drops it before building the chain.
@Kludex
Cover brotli/zstd empty-flush path via a real two-decoder chain
b18088e 
Filtering identity collapsed the old br,identity chains to single decoders, dropping coverage of the empty-data guard in BrotliDecoder/ZStandardDecoder. A br,zstd chain exercises it directly.
cubic-dev-ai[bot]
cubic-dev-ai Bot reviewed Jun 8, 2026
View reviewed changes

@cubic-dev-ai cubic-dev-ai Bot left a comment
edited
Loading

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

3 issues found across 3 files (changes from recent commits).

Tip: Review your code locally with the cubic CLI to iterate faster.

Re-trigger cubic

Comment thread src/httpx2/httpx2/_instrumentation.py Outdated
Comment thread src/httpx2/httpx2/_instrumentation.py Outdated
Comment thread src/httpx2/httpx2/_instrumentation.py Outdated
Kludex
Kludex commented Jun 8, 2026
View reviewed changes
Comment thread tests/httpx2/test_decoders.py Outdated
@Kludex Kludex merged commit 2dc6324 into main Jun 11, 2026
15 checks passed
@Kludex Kludex deleted the limit-content-encoding-chain branch June 11, 2026 05:44
@Kludex Kludex mentioned this pull request Jun 11, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cubic-dev-ai cubic-dev-ai[bot] cubic-dev-ai[bot] left review comments

@chatgpt-codex-connector chatgpt-codex-connector[bot] chatgpt-codex-connector[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Kludex