Skip to content

fix: reject malformed content-length request headers#5060

Merged
mcollina merged 3 commits intonodejs:mainfrom
trivikr:tighten-content-length
Apr 19, 2026
Merged

fix: reject malformed content-length request headers#5060
mcollina merged 3 commits intonodejs:mainfrom
trivikr:tighten-content-length

Conversation

@trivikr
Copy link
Copy Markdown
Member

@trivikr trivikr commented Apr 19, 2026

This relates to...

Fixes: #5059

Rationale

content-length was being validated too loosely because malformed values could be partially normalized before later request-body length checks.

This change makes the header validation stricter so only digit-only values are accepted during request parsing.

Changes

  • Reject non-string, empty, fractional, signed, and partially numeric content-length values before parsing them.
  • Preserve existing behavior for valid decimal integer content-length values.

Features

N/A

Bug Fixes

Request content-length malformed values are rejected with InvalidArgumentError('invalid content-length header') instead of being normalized or deferred into a later mismatch error.

Breaking Changes and Deprecations

Requests that previously accepted malformed content-length values will now fail immediately during header validation.

Status

@codecov-commenter
Copy link
Copy Markdown

codecov-commenter commented Apr 19, 2026

Codecov Report

❌ Patch coverage is 90.47619% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 93.09%. Comparing base (a1d6766) to head (46a5113).

Files with missing lines Patch % Lines
lib/core/request.js 88.23% 2 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #5060      +/-   ##
==========================================
- Coverage   93.10%   93.09%   -0.01%     
==========================================
  Files         110      110              
  Lines       35770    35788      +18     
==========================================
+ Hits        33303    33318      +15     
- Misses       2467     2470       +3

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

mcollina
mcollina approved these changes Apr 19, 2026
View reviewed changes
Copy link
Copy Markdown
Member

@mcollina mcollina left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@mcollina mcollina merged commit c8d50b4 into nodejs:main Apr 19, 2026
34 of 35 checks passed
@trivikr trivikr deleted the tighten-content-length branch April 19, 2026 10:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mcollina mcollina mcollina approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

content-length request header parsing accepts malformed values and normalizes them instead of rejecting them

3 participants

@trivikr @codecov-commenter @mcollina