fix(middleware): clear request metadata after decompressing gzip body

Author: shblue21

middleware/body_limit_test.go

@@ -68,6 +68,31 @@ func TestBodyLimitConfig_ToMiddleware(t *testing.T) {
 	assert.Equal(t, http.StatusRequestEntityTooLarge, he.StatusCode())
 }
 
+func TestBodyLimitAfterDecompressUsesDecompressedSize(t *testing.T) {
+	e := echo.New()
+	body := "ok"
+	gz, err := gzipString(body)
+	assert.NoError(t, err)
+	assert.Greater(t, len(gz), len(body))
+
+	req := httptest.NewRequest(http.MethodPost, "/", bytes.NewReader(gz))
+	req.Header.Set(echo.HeaderContentEncoding, GZIPEncoding)
+	rec := httptest.NewRecorder()
+	c := e.NewContext(req, rec)
+
+	err = Decompress()(BodyLimit(int64(len(body)))(func(c *echo.Context) error {
+		body, readErr := io.ReadAll(c.Request().Body)
+		if readErr != nil {
+			return readErr
+		}
+		return c.String(http.StatusOK, string(body))
+	}))(c)
+
+	assert.NoError(t, err)
+	assert.Equal(t, http.StatusOK, rec.Code)
+	assert.Equal(t, body, rec.Body.String())
+}
+
 func TestBodyLimitReader(t *testing.T) {
 	hw := []byte("Hello, World!")
 

middleware/decompress.go

@@ -7,6 +7,7 @@ import (
 	"compress/gzip"
 	"io"
 	"net/http"
+	"strings"
 	"sync"
 
 	"github.com/labstack/echo/v5"
@@ -82,7 +83,9 @@ func (config DecompressConfig) ToMiddleware() (echo.MiddlewareFunc, error) {
 				return next(c)
 			}
 
-			if c.Request().Header.Get(echo.HeaderContentEncoding) != GZIPEncoding {
+			req := c.Request()
+			contentEncoding := req.Header.Values(echo.HeaderContentEncoding)
+			if len(contentEncoding) != 1 || strings.TrimSpace(contentEncoding[0]) != GZIPEncoding {
 				return next(c)
 			}
 
@@ -96,7 +99,7 @@ func (config DecompressConfig) ToMiddleware() (echo.MiddlewareFunc, error) {
 			}
 			defer pool.Put(gr)
 
-			b := c.Request().Body
+			b := req.Body
 			defer b.Close()
 
 			if err := gr.Reset(b); err != nil {
@@ -111,15 +114,19 @@ func (config DecompressConfig) ToMiddleware() (echo.MiddlewareFunc, error) {
 
 			// Apply decompression size limit to prevent zip bombs
 			if config.MaxDecompressedSize > 0 {
-				c.Request().Body = &limitedGzipReader{
+				req.Body = &limitedGzipReader{
 					Reader:    gr,
 					remaining: config.MaxDecompressedSize,
 					limit:     config.MaxDecompressedSize,
 				}
 			} else {
 				// -1 means explicitly unlimited (not recommended)
-				c.Request().Body = gr
+				req.Body = gr
 			}
+			req.Header.Del(echo.HeaderContentEncoding)
+			req.Header.Del(echo.HeaderContentLength)
+			req.ContentLength = -1
+			req.GetBody = nil
 
 			return next(c)
 		}

middleware/decompress_test.go

@@ -10,6 +10,7 @@ import (
 	"io"
 	"net/http"
 	"net/http/httptest"
+	"strconv"
 	"strings"
 	"sync"
 	"testing"
@@ -31,18 +32,80 @@ func TestDecompress(t *testing.T) {
 	gz, _ := gzipString(body)
 	req := httptest.NewRequest(http.MethodPost, "/", strings.NewReader(string(gz)))
 	req.Header.Set(echo.HeaderContentEncoding, GZIPEncoding)
+	req.Header.Set(echo.HeaderContentLength, strconv.Itoa(len(gz)))
+	req.GetBody = func() (io.ReadCloser, error) {
+		return io.NopCloser(bytes.NewReader(gz)), nil
+	}
 	rec := httptest.NewRecorder()
 	c := e.NewContext(req, rec)
 
 	err := h(c)
 	assert.NoError(t, err)
 
-	assert.Equal(t, GZIPEncoding, req.Header.Get(echo.HeaderContentEncoding))
+	assert.Empty(t, req.Header.Get(echo.HeaderContentEncoding))
+	assert.Empty(t, req.Header.Get(echo.HeaderContentLength))
+	assert.Equal(t, int64(-1), req.ContentLength)
+	assert.Nil(t, req.GetBody)
 	b, err := io.ReadAll(req.Body)
 	assert.NoError(t, err)
 	assert.Equal(t, body, string(b))
 }
 
+func TestDecompress_SkipsRepeatedContentEncodingValues(t *testing.T) {
+	e := echo.New()
+
+	body := `{"name": "echo"}`
+	gz, _ := gzipString(body)
+	req := httptest.NewRequest(http.MethodPost, "/", bytes.NewReader(gz))
+	req.Header.Add(echo.HeaderContentEncoding, GZIPEncoding)
+	req.Header.Add(echo.HeaderContentEncoding, "br")
+	req.Header.Set(echo.HeaderContentLength, strconv.Itoa(len(gz)))
+	req.GetBody = func() (io.ReadCloser, error) {
+		return io.NopCloser(bytes.NewReader(gz)), nil
+	}
+	rec := httptest.NewRecorder()
+	c := e.NewContext(req, rec)
+
+	var got []byte
+	err := Decompress()(func(c *echo.Context) error {
+		var readErr error
+		got, readErr = io.ReadAll(c.Request().Body)
+		return readErr
+	})(c)
+
+	assert.NoError(t, err)
+	assert.Equal(t, gz, got)
+	assert.Equal(t, []string{GZIPEncoding, "br"}, req.Header.Values(echo.HeaderContentEncoding))
+	assert.Equal(t, strconv.Itoa(len(gz)), req.Header.Get(echo.HeaderContentLength))
+	assert.Equal(t, int64(len(gz)), req.ContentLength)
+	assert.NotNil(t, req.GetBody)
+}
+
+func TestDecompress_SkipsCommaSeparatedContentEncodingValues(t *testing.T) {
+	e := echo.New()
+
+	body := `{"name": "echo"}`
+	gz, _ := gzipString(body)
+	req := httptest.NewRequest(http.MethodPost, "/", bytes.NewReader(gz))
+	req.Header.Set(echo.HeaderContentEncoding, GZIPEncoding+", br")
+	req.Header.Set(echo.HeaderContentLength, strconv.Itoa(len(gz)))
+	rec := httptest.NewRecorder()
+	c := e.NewContext(req, rec)
+
+	var got []byte
+	err := Decompress()(func(c *echo.Context) error {
+		var readErr error
+		got, readErr = io.ReadAll(c.Request().Body)
+		return readErr
+	})(c)
+
+	assert.NoError(t, err)
+	assert.Equal(t, gz, got)
+	assert.Equal(t, GZIPEncoding+", br", req.Header.Get(echo.HeaderContentEncoding))
+	assert.Equal(t, strconv.Itoa(len(gz)), req.Header.Get(echo.HeaderContentLength))
+	assert.Equal(t, int64(len(gz)), req.ContentLength)
+}
+
 func TestDecompress_skippedIfNoHeader(t *testing.T) {
 	e := echo.New()
 	req := httptest.NewRequest(http.MethodPost, "/", strings.NewReader("test"))
@@ -99,7 +162,7 @@ func TestDecompressWithConfig_DefaultConfig(t *testing.T) {
 	err := h(c)
 	assert.NoError(t, err)
 
-	assert.Equal(t, GZIPEncoding, req.Header.Get(echo.HeaderContentEncoding))
+	assert.Empty(t, req.Header.Get(echo.HeaderContentEncoding))
 	b, err := io.ReadAll(req.Body)
 	assert.NoError(t, err)
 	assert.Equal(t, body, string(b))
@@ -215,8 +278,6 @@ func BenchmarkDecompress(b *testing.B) {
 	e := echo.New()
 	body := `{"name": "echo"}`
 	gz, _ := gzipString(body)
-	req := httptest.NewRequest(http.MethodPost, "/", strings.NewReader(string(gz)))
-	req.Header.Set(echo.HeaderContentEncoding, GZIPEncoding)
 
 	h := Decompress()(func(c *echo.Context) error {
 		c.Response().Write([]byte(body)) // For Content-Type sniffing
@@ -228,6 +289,8 @@ func BenchmarkDecompress(b *testing.B) {
 
 	for i := 0; i < b.N; i++ {
 		// Decompress
+		req := httptest.NewRequest(http.MethodPost, "/", bytes.NewReader(gz))
+		req.Header.Set(echo.HeaderContentEncoding, GZIPEncoding)
 		rec := httptest.NewRecorder()
 		c := e.NewContext(req, rec)
 		h(c)

middleware/proxy_test.go

@@ -128,6 +128,59 @@ func TestProxy(t *testing.T) {
 	e.ServeHTTP(rec, req)
 }
 
+func TestProxyAfterDecompressForwardsDecodedBody(t *testing.T) {
+	body := "proxied body"
+	gz, err := gzipString(body)
+	assert.NoError(t, err)
+
+	type upstreamObservation struct {
+		body            string
+		contentEncoding string
+		contentLength   int64
+		readErr         error
+	}
+	observations := make(chan upstreamObservation, 1)
+	upstream := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		b, readErr := io.ReadAll(r.Body)
+		observations <- upstreamObservation{
+			body:            string(b),
+			contentEncoding: r.Header.Get(echo.HeaderContentEncoding),
+			contentLength:   r.ContentLength,
+			readErr:         readErr,
+		}
+		_, _ = w.Write(b)
+	}))
+	defer upstream.Close()
+
+	targetURL, err := url.Parse(upstream.URL)
+	assert.NoError(t, err)
+
+	e := echo.New()
+	e.Use(Decompress())
+	e.Use(ProxyWithConfig(ProxyConfig{
+		Balancer: NewRoundRobinBalancer([]*ProxyTarget{{URL: targetURL}}),
+	}))
+
+	req := httptest.NewRequest(http.MethodPost, "/", bytes.NewReader(gz))
+	req.Header.Set(echo.HeaderContentEncoding, GZIPEncoding)
+	rec := httptest.NewRecorder()
+
+	e.ServeHTTP(rec, req)
+
+	var observed upstreamObservation
+	select {
+	case observed = <-observations:
+	default:
+		t.Fatal("upstream was not called")
+	}
+	assert.Equal(t, http.StatusOK, rec.Code)
+	assert.Equal(t, body, rec.Body.String())
+	assert.NoError(t, observed.readErr)
+	assert.Equal(t, body, observed.body)
+	assert.Empty(t, observed.contentEncoding)
+	assert.Equal(t, int64(-1), observed.contentLength)
+}
+
 func TestMustProxyWithConfig_emptyBalancerPanics(t *testing.T) {
 	assert.Panics(t, func() {
 		ProxyWithConfig(ProxyConfig{Balancer: nil})