test(rate-limit): cover request-size boundary and chunked cases #312
Open
Muyideen-js wants to merge 2 commits into
@Muyideen-js Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits. You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀
Closes #280
Description:
Adds deterministic integration tests to ensure request size limits cannot be bypassed.
Tests added to requestLimits.integration.test.ts:
Declared-small-but-actually-large: crafts a raw TCP request that declares a small Content-Length but sends a larger body; verifies the server either responds with HTTP 413 or closes the connection (no buffering of oversized body).
Chunked transfer exceeding limit: sends a Transfer-Encoding: chunked stream with a large chunk to ensure the middleware enforces streaming limits early and either returns 413 or terminates the connection.
These tests complement existing boundary tests (exact-limit and one-byte-over) to exercise header tampering and chunked encoding flows.
Goal: prevent bypasses via mismatched headers or chunked uploads and ensure safe/early termination.
Files changed:
Modified: requestLimits.integration.test.ts — added two tests using raw TCP sockets for accurate protocol control.
How to run locally:
Acceptance criteria checklist (for reviewers)
Deterministic tests for declared-small-but-actually-large and chunked exceeding cases pass in CI.
The server returns a 413 response when possible, or terminates the connection without buffering the oversized body.
requestLimits.ts remains covered at >=95% for changed lines (if not, add tests for missing branches).
No secrets added; environment-driven configuration used.
Security notes
Tests simulate header tampering and chunked streaming to validate early termination logic.
The request limits middleware performs:
immediate Content-Length validation (rejects if declared > limit),
streaming byte counting for chunked or tampered requests (destroys request and sets a stream error on limit exceeded),
consistent mapping to safe error codes (payload_too_large) via the global error handler.
These tests help ensure that oversized payloads cannot be buffered or processed, mitigating DoS risk.
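The two checks listed under Security notes (immediate Content-Length validation, then streaming byte counting), shown as an added sketch that is not the code from requestLimits.ts. `enforceRequestLimit`, `PayloadTooLargeError`, `simulate` and the fake request object are hypothetical names, and the chunk sizes are constructed sample input.

```typescript
// Added illustration; all names here are hypothetical, not from requestLimits.ts.
type Headers = Record<string, string | undefined>;
interface Req {
  headers: Headers;
  on(event: "data", cb: (chunk: Uint8Array) => void): void;
  destroy(err?: Error): void;
}

class PayloadTooLargeError extends Error {
  readonly status = 413;
  readonly code = "payload_too_large";
}

// Returns an error for immediate rejection, or null once the byte counter is armed.
function enforceRequestLimit(req: Req, limit: number): PayloadTooLargeError | null {
  const declared = req.headers["content-length"];
  if (declared !== undefined && Number(declared) > limit) {
    return new PayloadTooLargeError(`declared ${declared} bytes, limit ${limit}`);
  }
  // Never trust the header alone: count what actually arrives (covers chunked bodies).
  let seen = 0;
  let tripped = false;
  req.on("data", (chunk) => {
    if (tripped) return;
    seen += chunk.length;
    if (seen > limit) {
      tripped = true;
      req.destroy(new PayloadTooLargeError(`received ${seen} bytes, limit ${limit}`));
    }
  });
  return null;
}

// Constructed stand-in for an incoming request: feeds chunks until destroyed.
function simulate(headers: Headers, chunkSizes: number[], limit: number) {
  const state = { error: undefined as Error | undefined, delivered: 0 };
  let handler: (chunk: Uint8Array) => void = () => {};
  const req: Req = {
    headers,
    on: (_event, cb) => { handler = cb; },
    destroy: (err) => { state.error = err; },
  };
  const early = enforceRequestLimit(req, limit);
  if (early) return { code: early.code as string, delivered: 0 };
  for (const size of chunkSizes) {
    if (state.error) break; // a destroyed socket delivers nothing further
    handler(new Uint8Array(size));
    state.delivered += size;
  }
  return { code: state.error ? "payload_too_large" : "ok", delivered: state.delivered };
}
```

In `simulate`, `delivered` counts bytes handed to the data handler, so a value below the total sent shows that the stream was cut off before the whole oversized body was read.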