fix: incorrect assumption on test

[jasonsaayman]

Summary by cubic

Enforces maxBodyLength and maxContentLength in the fetch adapter to match the http adapter, including data: URLs and streamed responses. Closes the bypass reported in GHSA-777c-7fjr-54vf and addresses Linear AXI-201.

• Description

  • Enforce maxBodyLength before dispatch by measuring outbound body size.
  • Enforce maxContentLength via Content-Length pre-check, during streaming, and as a fallback when no stream is available.
  • Pre-check data: URLs with estimateDataURLDecodedBytes to avoid materializing oversized payloads.
  • Guard streaming path with response.body so checks run only when a stream exists.
  • Harden estimateDataURLDecodedBytes: use Buffer.byteLength in Node; otherwise compute UTF‑8 byte length manually without allocating large buffers.
  • Docs: update /docs/ to state the fetch adapter enforces these limits (including data: URLs and streams) with parity to the http adapter and the errors raised on exceed.
  • Semantic version: Patch; stricter enforcement of existing, documented limits in axios v1.x.

• Testing

  • Added unit tests to reject oversized request bodies and responses (via Content-Length and during streaming).
  • Added tests for oversized data: URLs (base64 and non-base64).
  • Confirmed payloads at or below limits are allowed.

^{Written for commit ca87246. Summary will update on new commits.}

[cubic-dev-ai]

1 issue found across 3 files

Confidence score: 3/5

• There is a concrete medium-risk issue in lib/helpers/estimateDataURLDecodedBytes.js: TextEncoder().encode(body) creates a full byte array, which defeats the intended non-allocating estimation path.
• This can increase memory usage for large data URLs and weaken the guard’s protective behavior under heavy inputs, so there is some regression risk despite being limited to one area.
• Pay close attention to lib/helpers/estimateDataURLDecodedBytes.js - ensure size estimation stays non-allocating for large payloads.

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="lib/helpers/estimateDataURLDecodedBytes.js">

<violation number="1" location="lib/helpers/estimateDataURLDecodedBytes.js:77">
P2: Using `TextEncoder().encode(body)` allocates a full byte array, which undermines this guard’s non-allocating size-estimation path for large data URLs.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[jasonsaayman]

@cubic-dev-ai, please check this again. Since it is high-value, please be as thorough as possible

[cubic-dev-ai]

@cubic-dev-ai, please check this again. Since it is high-value, please be as thorough as possible

@jasonsaayman I have started the AI code review. It will take a few minutes to complete.

[cubic-dev-ai]

No issues found across 2 files

Confidence score: 5/5

• Automated review surfaced no issues in the provided summaries.
• No files require special attention.