🐛 Fix HTTP error reason handling by truncating messages and replacing newlines; add tests for safe_status_message

Author: pcrespov

packages/service-library/src/servicelib/aiohttp/rest_responses.py

@@ -92,8 +92,7 @@ def create_http_error(
     )
 
     return http_error_cls(
-        # Multiline not allowed in HTTP reason
-        reason=reason.replace("\n", " ") if reason else None,
+        reason=safe_status_message(reason),
         text=json_dumps(
             payload,
         ),
@@ -129,3 +128,18 @@ def _pred(obj) -> bool:
     assert len(http_statuses) == len(found), "No duplicates"  # nosec
 
     return http_statuses
+
+
+def safe_status_message(message: str | None, max_length: int = 1500) -> str | None:
+    """
+    Truncates a status-message (i.e. `reason` in HTTP errors) to a maximum length, replacing newlines with spaces.
+
+    This prevents issues such as:
+        - `aiohttp.http_exceptions.LineTooLong`: 400, message: Got more than 8190 bytes when reading Status line is too long.
+        - Multiline not allowed in HTTP reason attribute (aiohttp now raises ValueError).
+
+    See:
+        - [RFC 9112, Section 4.1: HTTP/1.1 Message Syntax and Routing](https://datatracker.ietf.org/doc/html/rfc9112#section-4.1) (status line length limits)
+        - [RFC 9110, Section 15.5: Reason Phrase](https://datatracker.ietf.org/doc/html/rfc9110#section-15.5) (reason phrase definition)
+    """
+    return message.replace("\n", " ")[:max_length] if message else None

packages/service-library/tests/aiohttp/test_rest_responses.py

@@ -97,3 +97,55 @@ def tests_exception_to_response(skip_details: bool, error_code: ErrorCodeStr | N
     assert response_json["error"]["message"] == expected_reason
     assert response_json["error"]["supportId"] == error_code
     assert response_json["error"]["status"] == response.status
+
+
+@pytest.mark.parametrize(
+    "input_message, expected_output",
+    [
+        (None, None),  # None input returns None
+        ("", None),  # Empty string returns None
+        ("Simple message", "Simple message"),  # Simple message stays the same
+        (
+            "Message\nwith\nnewlines",
+            "Message with newlines",
+        ),  # Newlines are replaced with spaces
+        ("A" * 2000, "A" * 1500),  # Long message gets truncated to max_length (1500)
+        (
+            "Line1\nLine2\nLine3" + "X" * 1500,
+            "Line1 Line2 Line3" + "X" * 1483,
+        ),  # Combined case: newlines and truncation
+    ],
+    ids=[
+        "none_input",
+        "empty_string",
+        "simple_message",
+        "newlines_replaced",
+        "long_message_truncated",
+        "newlines_and_truncation",
+    ],
+)
+def test_safe_status_message(input_message: str | None, expected_output: str | None):
+    from servicelib.aiohttp.rest_responses import safe_status_message
+
+    result = safe_status_message(input_message)
+    assert result == expected_output
+
+    # Test with custom max_length
+    custom_max = 10
+    result_custom = safe_status_message(input_message, max_length=custom_max)
+
+    # Check length constraint is respected
+    if result_custom is not None:
+        assert len(result_custom) <= custom_max
+
+    # Verify it can be used in a web response without raising exceptions
+    try:
+        # This would fail with long or multiline reasons
+        if result is not None:
+            web.Response(reason=result)
+
+        # Test with custom length result too
+        if result_custom is not None:
+            web.Response(reason=result_custom)
+    except ValueError:
+        pytest.fail("safe_status_message result caused an exception in web.Response")