fix(middleware): reset ContentLength after gzip decompression

[shblue21]

Summary

Fix Decompress so middleware after it does not keep using the compressed request size after the body has been replaced with the decoded gzip stream.

For example:

e.Use(middleware.Decompress())
e.Use(middleware.BodyLimit(4))

A gzipped request whose decoded body is ok should pass:

printf "ok" | gzip | curl -X POST \
  -H "Content-Type: text/plain" \
  -H "Content-Encoding: gzip" \
  --data-binary @- \
  http://localhost:8080/

Before this change, Decompress replaced req.Body but left req.ContentLength set to the compressed size, so BodyLimit could reject the request before reading it:

{"message":"Request Entity Too Large"}

With this change, Decompress sets req.ContentLength = -1 after gzip decompression is set up, so downstream middleware enforces limits while reading the decoded body:

ok

This intentionally does not change Content-Encoding, GetBody, or multiple content-coding behavior.

Test plan

• go test -count=1 ./...
• go test -race -count=1 ./...
• go vet ./...
• staticcheck ./...
• Manual curl check with the same handler returned ok and HTTP 200

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.18%. Comparing base (01b45be) to head (918b1a5).
⚠️ Report is 9 commits behind head on master.

Additional details and impacted files

@@           Coverage Diff           @@
##           master    #3000   +/-   ##
=======================================
  Coverage   93.17%   93.18%           
=======================================
  Files          43       43           
  Lines        4501     4504    +3     
=======================================
+ Hits         4194     4197    +3     
  Misses        189      189           
  Partials      118      118           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[aldas]

GetBody doc comments says that For server requests, it is unused.

[aldas]

The description is little bit cryptic on first clance. It would be better if the situation/use-case would be explained in a "caveman manner"

I am using Decompress middleware along with the body limit middleware. This snippet

func main() {
	e := echo.New()

	e.Use(middleware.Decompress())
	e.Use(middleware.BodyLimit(4))

	e.POST("/", func(c *echo.Context) error {
		body, readErr := io.ReadAll(c.Request().Body)
		if readErr != nil {
			return readErr
		}
		return c.String(http.StatusOK, string(body))
	})

	if err := e.Start(":8080"); err != nil {
		slog.Error("Failed to start server", "error", err)
	}
}

does not work because the Decompress middleware leaves req.ContentLength unchanged after decompressing and this will trigger BodyLimit middleware to deny the request, although the compressed body is actually smaller than ContentLength reports.

At the moment and tested also with

printf "ok" | gzip | curl   -X POST   -H "Content-Type: text/plain"   -H "Content-Encoding: gzip"   --data-binary @-   http://localhost:8080/

Currently the result is incorrect:

{"message":"Request Entity Too Large"}

Expected would be:

ok

[aldas]

just nitpicking here as it is not easy sometimes to understand what the actual use-case is, and fixing (accepting PRs) something that you do not understand can break things on some other place.

[aldas]

is this change necessary? It does not help if the request has been compressed multiple times. For example:

Content-Encoding: gzip, br

or

Content-Encoding: gzip
Content-Encoding: br

meaning that decompression is in reverse order:

1. decode br
2. decode gzip
3. obtain the original content

[aldas]

same as above - if are to fix headers then the plain "deletion" is wrong approach as there could be multiple Content-Encoding values and we are deleting all of them now - not only gzip part.

Is this complexity necessary and valuable for any realworld use-case?

[aldas]

Please not to take this as me being mean. I am trying keep things simple and avoid unessesary complexity if possible.