[pull] master from koajs:master#150

Merged
pull[bot] merged 3 commits into backup999:master from koajs:master
May 21, 2026
@pull pull Bot commented May 21, 2026

See Commits and Changes for more details.


Created by pull[bot] (v2.0.0-alpha.4)

Can you help keep this open source service alive? 💖 Please sponsor : )

tejgokani and others added 3 commits May 21, 2026 15:18
## Problem

`ctx.request.length` uses `~~len` (double bitwise NOT) to parse the
Content-Length header, which truncates values to a signed 32-bit
integer. For Content-Length values exceeding 2,147,483,647 bytes (~2GB),
the result silently wraps to incorrect values:

```js
~~'2147483648'  // → -2147483648  (sign flip)
~~'4294967296'  // → 0
~~'10000000000' // → 1410065408   (garbage)
```

This affects any middleware using `ctx.request.length` for upload size
enforcement, rate limiting, or request body pre-allocation. In the era
of large file uploads and video processing APIs, this is a realistic
scenario.

## Solution

Replace `~~len` with `Number.parseInt(len, 10)`:

- Replace ~~len (32-bit truncation) with Number.parseInt(len, 10)
- Handles arbitrarily large Content-Length values up to
Number.MAX_SAFE_INTEGER
- Preserves existing behavior for values under 2GB, including zero
- Add comprehensive test cases for overflow boundaries and edge cases

Fixes integer overflow where ~~'2147483648' returned -2147483648 instead
of the correct value. Now correctly parses large file uploads and
returns undefined for unparseable values, consistent with existing
patterns.

## Test Coverage

Added 6 comprehensive test cases covering:
- Zero value (edge case)
- Content-Length > 2GB (2147483648, 10000000000) — new capability
- Floating-point strings ('10.5') — truncation behavior preserved
- Non-numeric strings ('invalid') — returns undefined
- Empty string — already guarded by if check

All existing tests pass (439/439). No breaking changes.

## Checklist

- [x] I have ensured my pull request is not behind the main or master
branch of the original repository.
- [x] I have rebased all commits where necessary so that reviewing this
pull request can be done without having to merge it first.
- [x] I have written a commit message that passes commitlint linting.
- [x] I have ensured that my code changes pass linting tests.
- [x] I have ensured that my code changes pass unit tests.
- [x] I have described my pull request and the reasons for code changes
along with context if necessary.

Node.js 24 ships with a recent npm, removing the need for the
"Install npm@latest" step which was causing CI failures.
@pull pull Bot locked and limited conversation to collaborators May 21, 2026
@pull pull Bot added the ⤵️ pull label May 21, 2026
@pull pull Bot merged commit 0885f13 into backup999:master May 21, 2026
3 checks passed
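
The wrap-around described in the first commit message, as an added example (not Koa's source and not code from this pull request): `lengthOld` and `lengthNew` model the `~~len` and `Number.parseInt(len, 10)` parsing as the message describes them, and a size gate is run over both. `lengthStrict`, `withinLimit`, `MAX_UPLOAD` and the sample headers are hypothetical and go beyond the commit to show a digits-only check that also rejects values such as `'10.5'`.

```javascript
// Model of the old parsing described in the commit: ~~ coerces to a signed int32.
function lengthOld(header) {
  if (header === undefined || header === '') return undefined;
  return ~~header;
}

// Model of the fix: base-10 parseInt, undefined when nothing parses.
function lengthNew(header) {
  if (header === undefined || header === '') return undefined;
  const n = Number.parseInt(header, 10);
  return Number.isNaN(n) ? undefined : n;
}

// Hypothetical stricter parser (not part of the commit): ASCII digits only,
// and the value must be exactly representable as a JS integer.
function lengthStrict(header) {
  if (typeof header !== 'string' || !/^\d+$/.test(header)) return undefined;
  const n = Number(header);
  return Number.isSafeInteger(n) ? n : undefined;
}

// Hypothetical upload gate as a middleware might apply it (constructed limit).
const MAX_UPLOAD = 100 * 1024 * 1024; // 100 MiB
function withinLimit(length) {
  return length !== undefined && length >= 0 && length <= MAX_UPLOAD;
}

// Run every parser over the same headers and record the gate decision.
function compare(headers) {
  return headers.map((h) => ({
    header: h,
    old: lengthOld(h),
    oldPasses: withinLimit(lengthOld(h)),
    fixed: lengthNew(h),
    fixedPasses: withinLimit(lengthNew(h)),
    strict: lengthStrict(h),
  }));
}

// Constructed sample Content-Length values, taken from the cases the commit lists.
const SAMPLE = ['0', '1024', '2147483648', '4294967296', '10000000000', '10.5', 'invalid'];
console.table(compare(SAMPLE));
```

With the old parsing, `'4294967296'` reads as 0 and passes the gate; `'2147483648'` reads as a negative number, which the gate only catches because it checks `length >= 0` explicitly.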