fix: incorrect assumption on test (#10796)

* fix: fetch adaptor is not enforcing max body or content length

* fix: incomplete fix

* fix: improve helper

lib/adapters/fetch.js

@@ -312,6 +312,7 @@ const factory = (env) => {
 
       if (
         supportsResponseStream &&
+        response.body &&
         (onDownloadProgress || hasMaxContentLength || (isStreamResponse && unsubscribe))
       ) {
         const options = {};

lib/helpers/estimateDataURLDecodedBytes.js

@@ -73,12 +73,28 @@ export default function estimateDataURLDecodedBytes(url) {
     return Buffer.byteLength(body, 'utf8');
   }
 
-  // Browser/worker fallback: use TextEncoder when available, else fall back to
+  // Compute UTF-8 byte length directly from UTF-16 code units without allocating
-  // raw string length as an upper-bound heuristic. Both are safe for a DoS
+  // a byte buffer (TextEncoder.encode would defeat the DoS guard on large bodies).
-  // guard (over-counting only makes the check stricter for non-ASCII content).
+  // Using body.length here would undercount non-ASCII (e.g. '€' is 1 code unit
-  if (typeof TextEncoder === 'function') {
+  // but 3 UTF-8 bytes).
-    return new TextEncoder().encode(body).byteLength;
+  let bytes = 0;
+  for (let i = 0, len = body.length; i < len; i++) {
+    const c = body.charCodeAt(i);
+    if (c < 0x80) {
+      bytes += 1;
+    } else if (c < 0x800) {
+      bytes += 2;
+    } else if (c >= 0xd800 && c <= 0xdbff && i + 1 < len) {
+      const next = body.charCodeAt(i + 1);
+      if (next >= 0xdc00 && next <= 0xdfff) {
+        bytes += 4;
+        i++;
+      } else {
+        bytes += 3;
+      }
+    } else {
+      bytes += 3;
+    }
   }
-
+  return bytes;
-  return body.length;
 }