Skip to content

Fix Content-Length based request parsing #2

Open
Open
Fix Content-Length based request parsing#2
Assignees
greatm3
Labels
bugSomething isn't workingcriticalsecurity
@greatm3

Description

@greatm3
greatm3
opened on Oct 4, 2025

Description:

Current implementation uses data.includes("\r\n\r\n") to detect request end. This is vulnerable to request smuggling if the body contains \r\n\r\n. Need to parse Content-Length header and only consider request complete when exact number of bytes received.

Tasks:

  • Parse Content-Length header from request headers
  • Calculate total expected bytes: headerEndIndex + 4 + contentLength
  • Only trigger request handler when data.length >= expectedBytes
  • Handle GET/HEAD requests with no body (Content-Length: 0 or missing)
  • Add validation for invalid Content-Length values

Files to modify:

  • src/httpServer.ts - data event handler
  • src/utils/utils.ts - parseRequestMessage function

References:

  • RFC 7230 Section 3.3.3 (Message Body Length)
  • CWE-444: HTTP Request Smuggling

Metadata

Metadata

Assignees

Labels

bugSomething isn't workingcriticalsecurity

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions