fix(assertBodySize): disallow both content-length and transfer-encoding headers

pi0 · pi0 · commit 9ccd301cf023 · 2025-10-27T08:54:33.000+01:00
diff --git a/src/utils/body.ts b/src/utils/body.ts
@@ -140,9 +140,14 @@ async function isBodySizeWithin(
     return true;
   }
 
-  const bodyLen = req.headers.get("content-length");
-  if (bodyLen !== null && !req.headers.has("transfer-encoding")) {
-    return +bodyLen <= limit;
+  const contentLength = req.headers.get("content-length");
+  if (contentLength) {
+    const transferEncoding = req.headers.get("transfer-encoding");
+    if (transferEncoding) {
+      // https://datatracker.ietf.org/doc/html/rfc7230#section-3.3.2
+      throw new HTTPError({ status: 400 });
+    }
+    return +contentLength <= limit;
   }
 
   const reader = req.clone().body!.getReader();
diff --git a/test/unit/body-limit.test.ts b/test/unit/body-limit.test.ts
@@ -66,15 +66,21 @@ describe("body limit (unit)", () => {
       const eventMock = mockEvent("/", {
         method: "POST",
         body: streamBytesFrom(BODY_PARTS),
-        headers: {
-          // Should ignore content-length
-          "content-length": "7",
-          "transfer-encoding": "chunked",
-        },
+        headers: { "transfer-encoding": "chunked" },
       });
 
       await expect(assertBodySize(eventMock, 100)).resolves.toBeUndefined();
       await expect(assertBodySize(eventMock, 10)).rejects.toThrow(HTTPError);
     });
+
+    it("both content length and transfer encoding", async () => {
+      const eventMock = mockEvent("/", {
+        method: "POST",
+        body: "test",
+        headers: { "transfer-encoding": "chunked", "content-length": "4" },
+      });
+      await expect(assertBodySize(eventMock, 10)).rejects.toThrow(HTTPError);
+      await expect(assertBodySize(eventMock, 100)).rejects.toThrow(HTTPError);
+    });
   });
 });
