fix: enforce maxMessageSize in readRequestBody

The maxMessageSize configuration value was defined in
DEFAULT_HTTP_STREAM_CONFIG (4MB) but never checked in
readRequestBody(). This allowed unbounded request body
accumulation, enabling remote denial of service via a
single large HTTP POST request.

This commit adds size tracking in readRequestBody() and
destroys the request if the configured limit is exceeded.

Fixes GHSA-353c-v8x9-v7c3

Author: Raza Sharif

src/transports/http/server.ts

@@ -222,9 +222,17 @@ export class HttpStreamTransport extends AbstractTransport {
   }
 
   private async readRequestBody(req: IncomingMessage): Promise<any> {
+    const maxSize = this._config.maxMessageSize ?? 4 * 1024 * 1024;
     return new Promise((resolve, reject) => {
       let body = '';
+      let size = 0;
       req.on('data', (chunk) => {
+        size += chunk.length;
+        if (size > maxSize) {
+          req.destroy();
+          reject(new Error(`Request body exceeds maximum size of ${maxSize} bytes`));
+          return;
+        }
         body += chunk.toString();
       });
       req.on('end', () => {