Reject oversized proxy responses up front via Content-Length

The streaming cap in readBoundedBody catches oversized bodies, but
only after we've started reading.  When the upstream is already
telling us the body is 50 MiB before we read a byte, there's no
reason to spend that bandwidth: we'll bail anyway once the cap
trips.

Check Content-Length right after the Content-Type allowlist and
short-circuit to 404 when it exceeds MAX_BYTES.  A missing or
malformed header still falls through to the streaming cap, which
keeps enforcing the limit byte by byte.

New test confirms a 64 MiB advertised body is dropped before the
body read happens.

#483 (comment)

Assisted-by: Claude Code:claude-opus-4-7

Author: dahlia

src/proxy.test.ts

@@ -192,6 +192,30 @@ describe.sequential("proxy route", () => {
     expect(response.status).toBe(404);
   });
 
+  it("rejects oversized bodies advertised via Content-Length up front", async () => {
+    expect.assertions(1);
+
+    // 64 MiB declared, which is well past the 32 MiB cap.  We never read
+    // the body in this path, so the actual payload size doesn't matter
+    // for the assertion.
+    fetchMock.mockResolvedValue(
+      new Response(new Uint8Array([0, 0, 0, 0]).buffer as ArrayBuffer, {
+        status: 200,
+        headers: {
+          "Content-Type": "image/png",
+          "Content-Length": String(64 * 1024 * 1024),
+        },
+      }),
+    );
+
+    const app = createProxyApp("proxy");
+    const { sig, b64url } = signProxyUrl("https://remote.example/huge.png");
+
+    const response = await app.request(`/${sig}/${b64url}`);
+
+    expect(response.status).toBe(404);
+  });
+
   it("writes the cache on first hit and reuses it on the second in cache mode", async () => {
     expect.assertions(4);
 

src/proxy.ts

@@ -264,6 +264,20 @@ export function createProxyApp(mode: MediaProxyMode = MEDIA_PROXY): Hono {
         return c.notFound();
       }
 
+      // When the upstream tells us the body length up front we can
+      // short-circuit oversized responses without spending bandwidth on
+      // the read.  A missing or malformed header just falls through to
+      // the streaming cap inside readBoundedBody, which still enforces
+      // the limit.
+      const contentLengthHeader = upstream.headers.get("Content-Length");
+      if (contentLengthHeader != null) {
+        const declaredLength = Number.parseInt(contentLengthHeader, 10);
+        if (Number.isFinite(declaredLength) && declaredLength > MAX_BYTES) {
+          await discardBody(upstream);
+          return c.notFound();
+        }
+      }
+
       const body = await readBoundedBody(upstream, MAX_BYTES);
       if (body == null) return c.notFound();