fix: reject malformed content-length request headers (#5060)

trivikr · mcollina · commit d94c36d983e9 · 2026-04-29T06:49:29.000+02:00
(cherry picked from commit c8d50b4)
diff --git a/lib/core/request.js b/lib/core/request.js
@@ -27,6 +27,21 @@ const { headerNameLowerCasedRecord } = require('./constants')
 // Verifies that a given path is valid does not contain control chars \x00 to \x20
 const invalidPathRegex = /[^\u0021-\u00ff]/
 
+function isValidContentLengthHeaderValue (val) {
+  if (typeof val !== 'string' || val.length === 0) {
+    return false
+  }
+
+  for (let i = 0; i < val.length; i++) {
+    const charCode = val.charCodeAt(i)
+    if (charCode < 48 || charCode > 57) {
+      return false
+    }
+  }
+
+  return true
+}
+
 const kHandler = Symbol('handler')
 
 class Request {
@@ -402,10 +417,10 @@ function processHeader (request, key, val) {
     if (request.contentLength !== null) {
       throw new InvalidArgumentError('duplicate content-length header')
     }
-    request.contentLength = parseInt(val, 10)
-    if (!Number.isFinite(request.contentLength)) {
+    if (!isValidContentLengthHeaderValue(val)) {
       throw new InvalidArgumentError('invalid content-length header')
     }
+    request.contentLength = parseInt(val, 10)
   } else if (request.contentType === null && headerName === 'content-type') {
     request.contentType = val
     request.headers.push(key, val)
diff --git a/lib/web/fetch/index.js b/lib/web/fetch/index.js
@@ -1433,7 +1433,10 @@ async function httpNetworkOrCacheFetch (
   //    8. If contentLengthHeaderValue is non-null, then append
   //    `Content-Length`/contentLengthHeaderValue to httpRequest’s header
   //    list.
-  if (contentLengthHeaderValue != null) {
+  if (
+    contentLengthHeaderValue != null &&
+    !httpRequest.headersList.contains('content-length', true)
+  ) {
     httpRequest.headersList.append('content-length', contentLengthHeaderValue, true)
   }
 
diff --git a/test/fetch/content-length.js b/test/fetch/content-length.js
@@ -27,3 +27,23 @@ test('Content-Length is set when using a FormData body with fetch', async (t) =>
     body: fd
   })
 })
+
+test('Content-Length is not duplicated when provided explicitly', async (t) => {
+  const body = 'a+b+c'
+
+  const server = createServer({ joinDuplicateHeaders: true }, (req, res) => {
+    t.assert.strictEqual(req.headers['content-length'], `${Buffer.byteLength(body)}`)
+    res.end()
+  }).listen(0)
+
+  await once(server, 'listening')
+  t.after(closeServerAsPromise(server))
+
+  await fetch(`http://localhost:${server.address().port}`, {
+    method: 'POST',
+    body,
+    headers: {
+      'content-length': Buffer.byteLength(body)
+    }
+  })
+})
diff --git a/test/invalid-headers.js b/test/invalid-headers.js
@@ -5,7 +5,7 @@ const { test, after } = require('node:test')
 const { Client, errors } = require('..')
 
 test('invalid headers', (t) => {
-  t = tspl(t, { plan: 10 })
+  t = tspl(t, { plan: 13 })
 
   const client = new Client('http://localhost:3000')
   after(() => client.close())
@@ -19,6 +19,36 @@ test('invalid headers', (t) => {
     t.ok(err instanceof errors.InvalidArgumentError)
   })
 
+  client.request({
+    path: '/',
+    method: 'GET',
+    headers: {
+      'content-length': '1.1'
+    }
+  }, (err, data) => {
+    t.ok(err instanceof errors.InvalidArgumentError)
+  })
+
+  client.request({
+    path: '/',
+    method: 'GET',
+    headers: {
+      'content-length': '10abc'
+    }
+  }, (err, data) => {
+    t.ok(err instanceof errors.InvalidArgumentError)
+  })
+
+  client.request({
+    path: '/',
+    method: 'GET',
+    headers: {
+      'content-length': '-1'
+    }
+  }, (err, data) => {
+    t.ok(err instanceof errors.InvalidArgumentError)
+  })
+
   client.request({
     path: '/',
     method: 'GET',
