Skip to content

Comments

fix: validate that limit option is non-negative#706

Open
abhu85 wants to merge 1 commit intoexpressjs:masterfrom
abhu85:fix/validate-negative-limit
Open

fix: validate that limit option is non-negative#706
abhu85 wants to merge 1 commit intoexpressjs:masterfrom
abhu85:fix/validate-negative-limit

Conversation

@abhu85
Copy link

@abhu85 abhu85 commented Feb 23, 2026

Summary

This PR adds validation to reject negative limit values like '-100kb' that were previously silently accepted.

Problem

Currently, body-parser accepts negative limit values without validation:

app.use(bodyParser.json({ limit: '-100kb' }));
// No error, middleware added successfully

This is problematic because:

  • Invalid configuration is silently accepted
  • The behavior of a negative limit is undefined
  • Bugs in consuming applications may go unnoticed

Solution

Added validation in normalizeOptions() to throw a TypeError when a negative limit is provided:

if (limit !== null && limit < 0) {
  throw new TypeError('option limit must be a non-negative number')
}

This applies to all parsers (json, urlencoded, raw, text) since they all use normalizeOptions().

Test Plan

  • Added test for negative string limit ('-100kb')
  • Added test for negative number limit (-1024)
  • Added tests to verify zero limit is still accepted (0 and '0kb')
  • All existing 262 tests pass
  • 4 new tests added (266 total)

Fixes #705

@abhu85
fix: validate that limit option is non-negative
f9c7082 
Add validation to reject negative limit values like '-100kb' that were
previously silently accepted. This prevents configuration errors from
going unnoticed.

Fixes expressjs#705
@Phillip9587
Copy link
Member

Phillip9587 commented Feb 23, 2026

Related to #698. I think we should also throw an error/warn the user when using a zero limit because the middleware would return a HTTP 413 "request entity too large" (from raw-body) on every request.

@Phillip9587 Phillip9587 mentioned this pull request Feb 23, 2026
Open
@abhu85
Copy link
Author

abhu85 commented Feb 23, 2026

Thanks for the feedback @Phillip9587!

You make a good point about zero limits - they would effectively make the middleware unusable since every request with a body would get HTTP 413.

I see you have a more comprehensive fix in #698. Would you prefer:

  1. I update this PR to also reject zero limits (making limit > 0 required)
  2. Keep this PR focused on negative limits (per [BUG] body-parser Accepts Negative Limit Values #705) and let fix: improve limit option validation #698 handle the zero case
  3. Close this PR if fix: improve limit option validation #698 already covers negative limit validation

Happy to go whichever direction works best for the project!

@Phillip9587
Copy link
Member

Phillip9587 commented Feb 23, 2026

Hey @abhu85, let's keep this PR open for now and wait for other maintainer feedback. We can merge #698 and than follow-up with your PR. Throwing on a zero limit and on negative limits may be considered a major as it changes how the module behaves.

UlisesGascon
UlisesGascon approved these changes Feb 23, 2026
View reviewed changes
Copy link
Member

@UlisesGascon UlisesGascon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think is a good addition, but semver-major at this stage probably someone is relaying on this bug. I agree with the @Phillip9587 concerns 👍

@Phillip9587 Phillip9587 added this to the 3.0 milestone Feb 23, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@UlisesGascon UlisesGascon UlisesGascon approved these changes

Assignees

No one assigned

Labels

semver-major

Projects

None yet

Milestone

3.0

Development

Successfully merging this pull request may close these issues.

[BUG] body-parser Accepts Negative Limit Values

3 participants

@abhu85 @Phillip9587 @UlisesGascon