From 284d6e0f71751ca701648d844a68939ea96b7167 Mon Sep 17 00:00:00 2001
From: Abhishek Chauhan <60182103+abhu85@users.noreply.github.com>
Date: Mon, 23 Feb 2026 06:43:03 +0000
Subject: [PATCH] fix: validate that limit option is non-negative

Add validation to reject negative limit values like '-100kb' that were previously silently accepted. This prevents configuration errors from going unnoticed.

Fixes #705
---
 lib/utils.js | 5 +++++
 test/utils.js | 22 ++++++++++++++++++++++
 2 files changed, 27 insertions(+)

diff --git a/lib/utils.js b/lib/utils.js
index 232e2e25..22f9ae73 100644
--- a/lib/utils.js
+++ b/lib/utils.js
@@ -63,6 +63,11 @@ function normalizeOptions (options, defaultType) {
 var limit = typeof options?.limit === 'undefined' || options?.limit === null
 ? 102400 // 100kb default
 : bytes.parse(options.limit)
+
+ if (limit !== null && limit < 0) {
+ throw new TypeError('option limit must be a non-negative number')
+ }
+
 var type = options?.type || defaultType
 var verify = options?.verify || false
 var defaultCharset = options?.defaultCharset || 'utf-8'
diff --git a/test/utils.js b/test/utils.js
index 62b9b1e6..b016614e 100644
--- a/test/utils.js
+++ b/test/utils.js
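Review bot: In lib/utils.js the added `limit < 0` guard still lets a non-finite limit through: `Infinity` is not negative, so if `bytes.parse` hands numeric input back unchanged (its code is not visible here), the request-size cap is effectively switched off without any error. If an unbounded limit is meant to stay supported, record that above the check with a comment such as `// Infinity is accepted and disables the size cap; only negative values are rejected`; otherwise widen the guard to `if (limit !== null && (limit < 0 || !Number.isFinite(limit))) {`. The `limit !== null` half is kept only for readability, since `null < 0` is already false. The rest of normalizeOptions, including whatever rejects a `null` parse result, lies outside this hunk.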
@@ -130,6 +130,28 @@ describe('normalizeOptions(options, defaultType)', () => {
 normalizeOptions({ limit: { foo: 'bar' } }, 'application/json')
 }, /option limit "\[object Object\]" is invalid/)
 })
+
+ it('should throw an error for negative string limit', () => {
+ assert.throws(() => {
+ normalizeOptions({ limit: '-100kb' }, 'application/json')
+ }, /option limit must be a non-negative number/)
+ })
+
+ it('should throw an error for negative number limit', () => {
+ assert.throws(() => {
+ normalizeOptions({ limit: -1024 }, 'application/json')
+ }, /option limit must be a non-negative number/)
+ })
+
+ it('should accept zero limit', () => {
+ const result = normalizeOptions({ limit: 0 }, 'application/json')
+ assert.strictEqual(result.limit, 0)
+ })
+
+ it('should accept zero string limit', () => {
+ const result = normalizeOptions({ limit: '0kb' }, 'application/json')
+ assert.strictEqual(result.limit, 0)
+ })
 })

 describe('type', () => {
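Review bot: The two negative-limit tests match only the message text, so they would keep passing if the guard were later changed to throw a plain `Error` instead of the `TypeError` this commit introduces. Passing an object as the second argument pins both, e.g. `}, { name: 'TypeError', message: /option limit must be a non-negative number/ })`. The regex-only form does match the neighbouring invalid-limit test shown as context, so this is a tightening rather than a break from the file's style. The enclosing `describe` block opens and closes outside the hunk.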