fix(body): enforce stream-based body size check regardless of content-length header

Author: pi0

src/utils/body.ts

@@ -162,9 +162,13 @@ async function isBodySizeWithin(event: HTTPEvent, limit: number): Promise<boolea
       // https://datatracker.ietf.org/doc/html/rfc7230#section-3.3.2
       throw new HTTPError({ status: 400 });
     }
-    return +contentLength <= limit;
+    // Fail-fast: reject if declared size exceeds limit
+    if (+contentLength > limit) {
+      return false;
+    }
   }
 
+  // Always verify actual body size via stream
   const reader = req.clone().body!.getReader();
   let chunk = await reader.read();
   let size = 0;

test/unit/body-limit.test.ts

@@ -49,6 +49,17 @@ describe("body limit (unit)", () => {
       await expect(assertBodySize(eventMock, 10)).rejects.toThrow(HTTPError);
     });
 
+    it("spoofed content-length smaller than actual body", async () => {
+      const LARGE_BODY = "A".repeat(1024); // 1KB actual body
+      const eventMock = mockEvent("/", {
+        method: "POST",
+        body: LARGE_BODY,
+        headers: { "content-length": "10" }, // lie: claim 10 bytes
+      });
+      // Should reject based on actual body size, not Content-Length header
+      await expect(assertBodySize(eventMock, 100)).rejects.toThrow(HTTPError);
+    });
+
     it("both content length and transfer encoding", async () => {
       const eventMock = mockEvent("/", {
         method: "POST",