fix: validate that limit option is non-negative #706
Open
abhu85 wants to merge 1 commit into expressjs:master from
Add validation to reject negative limit values like '-100kb' that were previously silently accepted. This prevents configuration errors from going unnoticed. Fixes expressjs#705
Member
Related to #698. I think we should also throw an error/warn the user when using a zero limit because the middleware would return a
Author
Thanks for the feedback @Phillip9587! You make a good point about zero limits - they would effectively make the middleware unusable since every request with a body would get HTTP 413. I see you have a more comprehensive fix in #698. Would you prefer:
Happy to go whichever direction works best for the project!
Member
UlisesGascon
approved these changes
Feb 23, 2026
I think it is a good addition, but semver-major, at this stage probably someone is relying on this bug. I agree with the @Phillip9587 concerns 👍
Summary
This PR adds validation to reject negative limit values like '-100kb' that were previously silently accepted.
Problem
Currently, body-parser accepts negative limit values without validation:
This is problematic because:
Solution
Added validation in normalizeOptions() to throw a TypeError when a negative limit is provided:
This applies to all parsers (json, urlencoded, raw, text) since they all use normalizeOptions().
Test Plan
'-100kb')
-1024)
0 and '0kb')
Fixes #705
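A sketch of the check the Solution section describes, added here as an example and not the PR's or body-parser's own code. `parseBytes`, `normalizeLimit`, `exceedsLimit` and `classify` are hypothetical helpers; the `'100kb'` fallback and the `length > limit` comparison are assumptions, and the sample inputs are constructed.

```javascript
// Hypothetical stand-in for the byte-string parsing applied to `limit`.
// It accepts an optional sign, so '-100kb' parses to a negative number.
const UNITS = { b: 1, kb: 1024, mb: 1024 ** 2, gb: 1024 ** 3 }

function parseBytes (value) {
  if (typeof value === 'number') return Number.isFinite(value) ? value : null
  const m = /^([+-]?\d+(?:\.\d+)?)\s*(b|kb|mb|gb)?$/i.exec(String(value).trim())
  if (!m) return null
  return Math.floor(parseFloat(m[1]) * UNITS[(m[2] || 'b').toLowerCase()])
}

// Reject unparsable and negative limits when the parser is configured,
// instead of letting them reach request handling. Zero is still accepted here.
function normalizeLimit (limit, fallback = '100kb') {
  const raw = limit === undefined || limit === null ? fallback : limit
  const parsed = parseBytes(raw)
  if (parsed === null) throw new TypeError('option limit is not a valid size: ' + raw)
  if (parsed < 0) throw new TypeError('option limit must be non-negative: ' + raw)
  return parsed
}

// Assumed size check of a body reader: reject when the body is larger than the limit.
function exceedsLimit (contentLength, limit) {
  return contentLength > limit
}

// Run constructed sample options through the validation and report each outcome.
function classify (samples) {
  return samples.map((input) => {
    try {
      return { input, limit: normalizeLimit(input) }
    } catch (err) {
      return { input, error: err.constructor.name }
    }
  })
}

// Constructed inputs matching the cases listed in the test plan.
console.log(classify(['-100kb', -1024, 0, '0kb', '1mb', undefined]))

// Without validation, a negative limit rejects even an empty body,
// while a zero limit rejects every non-empty body.
console.log(exceedsLimit(0, parseBytes('-100kb')), exceedsLimit(1, 0), exceedsLimit(0, 0))
```
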