Description:
Current implementation uses data.includes("\r\n\r\n") to detect request end. This is vulnerable to request smuggling if the body contains \r\n\r\n. Need to parse Content-Length header and only consider request complete when exact number of bytes received.
Tasks:
- Parse Content-Length header from request headers
- Calculate total expected bytes: headerEndIndex + 4 + contentLength
- Only trigger request handler when data.length >= expectedBytes
- Handle GET/HEAD requests with no body (Content-Length: 0 or missing)
- Add validation for invalid Content-Length values
Files to modify:
- src/httpServer.ts - data event handler
- src/utils/utils.ts - parseRequestMessage function
References:
- RFC 7230 Section 3.3.3 (Message Body Length)
- CWE-444: HTTP Request Smuggling